
fix(security): remove readiness check from MemPalace MCP server startup #28340

Merged
pelikhan merged 5 commits into main from copilot/fix-secret-exfiltration-issue
Apr 24, 2026

Conversation

Contributor

Copilot AI commented Apr 24, 2026

Runner-Guard RGS-012 flags any outbound HTTP request co-located with secrets access as a structural exfiltration risk — even a localhost curl. The shared/mcp/mempalace.md startup step used curl -sf http://127.0.0.1:8765/mcp to wait for the MemPalace MCP server to become ready.

Change

Remove the readiness check entirely. The server is launched in the background and the step exits immediately after logging the PID — no curl, no Python socket probe, no wait loop.

# Before — triggers RGS-012
if curl -sf http://127.0.0.1:8765/mcp >/dev/null 2>&1; then

# After — check removed entirely
python -m mempalace.mcp_server ... > /tmp/gh-aw/mcp-logs/mempalace/server.log 2>&1 &
echo "MemPalace MCP server started (PID $!)"

This eliminates the flagged exfiltration surface without introducing any alternative probe mechanism.

All lock files regenerated via make recompile.
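As an added illustration of the structural pattern RGS-012 keys on (this is not Runner-Guard's implementation, whose real rules are not on this page), the Python below scans a step's shell script for outbound HTTP commands and tags them when the step also has secrets access; the command list, the secret patterns, the `scan_step` name and the sample scripts are assumptions constructed from the before/after snippets in this PR.

```python
import re
from ipaddress import ip_address

# Hosts in http(s) URLs (group stops at ':' so a port is not captured).
URL_RE = re.compile(r"https?://([^/\s:'\"]+)")
# Commands treated as outbound HTTP: curl/wget, or a python -c one-liner that
# imports an HTTP client.  Assumed list, not Runner-Guard's real rule.
HTTP_CMD_RE = re.compile(
    r"\b(curl|wget)\b|python3?\s+-c\s+.*(urllib|requests|http\.client)")
# Secrets access: a secrets.* expression or a well-known token variable.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.|\bGITHUB_TOKEN\b|\bGH_TOKEN\b")

def is_loopback(host):
    try:
        return host == "localhost" or ip_address(host).is_loopback
    except ValueError:
        return False

def scan_step(script, env=None):
    """One finding per outbound-HTTP command line; tagged RGS-012 when the step
    also has secrets access.  Loopback targets are still reported: the rule is
    structural (HTTP + secrets in one step), not destination-based."""
    env = env or {}
    has_secrets = bool(SECRET_RE.search(script)) or any(
        SECRET_RE.search(v) for v in env.values())
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#") or not HTTP_CMD_RE.search(text):
            continue
        hosts = URL_RE.findall(text)
        findings.append({
            "line": lineno,
            "command": text,
            "hosts": hosts,
            "loopback_only": bool(hosts) and all(is_loopback(h) for h in hosts),
            "rule": "RGS-012" if has_secrets else None,
        })
    return findings

# Constructed samples modelled on the startup step discussed in this PR.
BEFORE = """python -m mempalace.mcp_server > /tmp/gh-aw/mcp-logs/mempalace/server.log 2>&1 &
for i in $(seq 1 10); do
  if curl -sf http://127.0.0.1:8765/mcp >/dev/null 2>&1; then break; fi
  sleep 1
done
"""
AFTER = 'echo "MemPalace MCP server started (PID $!)"\n'
STEP_ENV = {"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}  # constructed
```

Running `scan_step(BEFORE, STEP_ENV)` reports the curl line as RGS-012 with `loopback_only` true, while the final no-probe step and the intermediate `python3 -c "import socket; ..."` probe produce no finding at all.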


…n mempalace MCP server startup

Resolves RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-fact

The curl -sf http://127.0.0.1:8765/mcp health check was flagged by runner-guard
because the structural pattern (outbound HTTP + secrets access) is identical to
credential exfiltration attacks.

Replace with a Python TCP socket check that:
- Makes no HTTP requests
- Is hardcoded to 127.0.0.1:8765 (no env var injection possible)
- Cannot be repurposed to send data to external domains
- Still validates that the MCP server port is accepting connections

Regenerate daily-fact.lock.yml from the updated mempalace.md import.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b6c02014-7697-4aa7-ae9a-6d32188da0fb

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions
Contributor

Hey @Copilot 👋 — thanks for picking up the RGS-012 secret exfiltration fix in the daily-fact workflow! Replacing the outbound curl health check with a Python TCP socket check is exactly the right approach for this kind of security finding.

A few things to address before this is ready for review:

  • No changes committed yet — the diff is currently empty. The PR body reads as a TODO list rather than a summary of completed work. Once the fix is implemented, please update the description to explain what was changed and why.
  • Add tests — if there's a way to validate the new TCP socket check (e.g., a unit test or integration test covering the health-check path), that would strengthen the PR.
  • Run the required checks — per CONTRIBUTING.md, all PRs must pass make build, make test, make lint, make recompile, make fmt, and make lint-errors.

Once you've implemented the changes, you can use the prompt below to complete the work:

In the file shared/mcp/mempalace.md, replace the curl HTTP health check with a Python TCP socket check to eliminate the outbound HTTP request that triggers the RGS-012 security finding.

After making the change:
1. Update the PR description to summarize what was changed and why (replacing curl with Python socket, referencing RGS-012).
2. Run `make recompile` to regenerate daily-fact.lock.yml and any other affected lock files.
3. Run `make agent-finish` to validate all checks pass (build, test, lint, recompile, fmt, lint-errors).
4. If a test file covers this workflow or the health check logic, add or update a test to cover the new TCP socket path.
5. Mark the PR as ready for review once all checks are green.


Copilot AI changed the title from "[WIP] Fix secret exfiltration issue in daily-fact workflow" to "fix(security): replace curl health check with TCP socket check in MemPalace MCP server startup" Apr 24, 2026
Copilot AI requested a review from pelikhan April 24, 2026 21:17
@pelikhan
Collaborator

@copilot remove /mcp curl check

Contributor Author

Copilot AI commented Apr 24, 2026

@copilot remove /mcp curl check

Done in 035609b — the curl -sf http://127.0.0.1:8765/mcp check has been removed and replaced with a Python TCP socket probe that doesn't issue any HTTP request.

@pelikhan pelikhan marked this pull request as ready for review April 24, 2026 21:26
Copilot AI review requested due to automatic review settings April 24, 2026 21:26
@pelikhan
Collaborator

@copilot merge main and recompile

Contributor

Copilot AI left a comment


Pull request overview

Replaces an HTTP curl readiness check with a TCP-only socket probe when starting the MemPalace MCP server to avoid Runner-Guard RGS-012 triggering on outbound HTTP requests.

Changes:

  • Updated MemPalace MCP server startup to wait on TCP port readiness via a Python socket connect.
  • Regenerated daily-fact.lock.yml to reflect the updated shared MCP startup snippet and updated metadata hashes.
Summary per file:
  • .github/workflows/shared/mcp/mempalace.md: swaps the curl HTTP health check for a Python TCP socket probe during server startup.
  • .github/workflows/daily-fact.lock.yml: regenerated lockfile reflecting the updated MemPalace startup logic and updated prompt/config heredoc IDs.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 1

# Wait for server to start (TCP port check avoids outbound HTTP requests)
for i in $(seq 1 10); do
if curl -sf http://127.0.0.1:8765/mcp >/dev/null 2>&1; then
if python3 -c "import socket; s=socket.socket(); s.settimeout(1); s.connect(('127.0.0.1', 8765)); s.close()" 2>/dev/null; then
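Review bot: The python3 probe on the last line only proves that something accepted a TCP connection on 127.0.0.1:8765, not that the MCP endpoint is actually serving, and its `2>/dev/null` discards the connection error, so when all iterations of `for i in $(seq 1 10)` fail there is nothing in the log to explain why; consider keeping the last error message for the failure path and wording the comment as "port open" rather than readiness.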
Copilot AI and others added 2 commits April 24, 2026 21:29
…filtration-issue

# Conflicts:
#	.github/workflows/daily-fact.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 24, 2026

@copilot merge main and recompile

Done in 2f61b7e — merged origin/main and recompiled all 201 workflow lock files.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw P07KWg7UknOO (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw Iw/z9U4yuXOJa8cJ-C (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

Remove the check entirely. Do not use python or curl. @copilot

Contributor Author

Copilot AI commented Apr 24, 2026

Remove the check entirely. Do not use python or curl. @copilot

Done in de1ecc4 — the entire readiness check (loop, python socket probe, and error handler) has been removed. The step now simply starts the server in the background and logs the PID.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "fix(security): replace curl health check with TCP socket check in MemPalace MCP server startup" to "fix(security): remove readiness check from MemPalace MCP server startup" Apr 24, 2026
@pelikhan pelikhan merged commit f216a16 into main Apr 24, 2026
@pelikhan pelikhan deleted the copilot/fix-secret-exfiltration-issue branch April 24, 2026 21:40

Development

Successfully merging this pull request may close these issues.

[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in daily-fact
