
Enable MCP gateway (awmg) in smoke-copilot-no-firewall workflow with built-in mode, fix compile timestamp handling, and enhance health check logging#8535

Merged
pelikhan merged 18 commits into main from copilot/enable-sandbox-mcp-gateway
Jan 2, 2026

Copilot AI commented Jan 1, 2026

✅ Completed: Enable sandbox MCP gateway (awmg) in smoke-copilot-no-firewall workflow

Summary

Successfully enabled the MCP gateway (awmg) in the smoke-copilot-no-firewall agentic workflow using the built-in gateway CLI mode with explicit firewall disabling, improved compile command timestamp handling, simplified workflow prompt, proper safeinputs localhost routing when firewall is disabled, and enhanced health check logging with proper validation order.

Changes Made

  • Add mcp-gateway feature flag to enable the feature
  • Add sandbox.mcp configuration block with port only (uses default built-in mode)
  • Explicitly disable firewall with network.firewall: false
  • Fix compile command to handle lock file timestamps correctly
  • Recompile all workflows with timestamp fix applied
  • Simplify workflow prompt for clearer instructions
  • Enable built-in awmg gateway mode with sophisticated build/download logic
  • Use localhost for safeinputs when sandbox agent is disabled
  • Merge main branch with latest refactorings
  • Enhance MCP gateway health check script with detailed file location logging
  • Reorder validation to check gateway readiness before config validation

Recent Changes

Gateway Health Check Order (actions/setup/sh/verify_mcp_gateway_health.sh):
Reordered validation sequence to check gateway server readiness BEFORE validating configuration files:

New Order:

  1. Print file locations - Show paths for debugging
  2. Check gateway logs - Show initial log state
  3. Wait for gateway health - Verify gateway is running and responding (30 retries with 1s delay)
  4. Check config file - Only after gateway is confirmed ready
  5. Display config content - Show what the gateway is using
  6. Verify required servers - Validate safeinputs/safeoutputs presence
  7. Test MCP connectivity - Verify server rewriting and connectivity

Previous Order (problematic):

  1. Check config file first
  2. Validate servers in config
  3. Then wait for gateway

Benefits of New Order:

  • Fails fast if gateway doesn't start (within 30 seconds)
  • Shows full gateway logs immediately if startup fails
  • Only checks config after confirming gateway process is healthy
  • Avoids false positives from checking config while gateway is still starting
  • Provides better diagnostic flow: gateway status → config validation → connectivity testing

Why This Matters:

  • If the gateway crashes on startup, we detect it immediately
  • Config validation happens only after the gateway that will use it is confirmed running
  • Better isolation of issues: startup failures vs configuration problems
  • More logical flow matches real-world usage (server must run before config matters)

Implementation Details

Workflow Configuration (.github/workflows/smoke-copilot-no-firewall.md):

  1. Added network.firewall: false to explicitly disable firewall at network level
  2. Added sandbox.agent: false to disable firewall for the agent
  3. Added features.mcp-gateway: true to enable MCP gateway
  4. Added sandbox.mcp configuration with only port: 8080 to use default built-in mode
  5. Simplified workflow prompt from 19 lines to 9 lines

Built-in Gateway Mode Features:

  • Development mode: Automatically builds awmg from sources using make build-awmg
  • Release mode: Downloads awmg from GitHub releases
  • Fallback checks: Verifies if awmg is in PATH or locally available
  • Proper invocation: Uses awmg --config ... --port ... --log-dir ... with full options
  • Error handling: Clear error messages if awmg cannot be found

Safe Inputs Localhost Routing:

  • When agent is disabled (no firewall/Docker container), uses localhost
  • When agent is enabled (firewall active), uses host.docker.internal
  • Ensures proper connectivity in both modes

Configuration:

network:
  firewall: false
  allowed:
    - defaults
    - node
    - github
    - playwright
sandbox:
  agent: false  # Firewall disabled → safeinputs uses localhost
  mcp:
    port: 8080  # Uses built-in awmg mode
features:
  mcp-gateway: true

Validation Results

  • ✅ Workflow compiles successfully (66.5 KB)
  • ✅ Main branch merged successfully
  • ✅ Firewall explicitly disabled at both levels
  • ✅ MCP gateway uses built-in mode with build logic
  • ✅ Safe inputs correctly uses localhost when agent disabled
  • ✅ Health check validates gateway readiness before config
  • ✅ Improved diagnostic flow for troubleshooting startup vs config issues
Original prompt

Enable sandbox mcp gateway awmg in smoke-copilot-no-firewall agentic workflow



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Enable sandbox MCP gateway in smoke copilot no firewall workflow" to "Enable MCP gateway (awmg) in smoke-copilot-no-firewall workflow" Jan 2, 2026
Copilot AI requested a review from pelikhan January 2, 2026 00:11
pelikhan added the smoke label Jan 2, 2026

github-actions bot commented Jan 2, 2026

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️


github-actions bot commented Jan 2, 2026

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 2, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions bot commented Jan 2, 2026

🤖 ALERT: Smoke Copilot No Firewall failed. ANOMALY_DETECTED. REPAIR_REQUIRED.


github-actions bot commented Jan 2, 2026

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...


github-actions bot commented Jan 2, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 2, 2026

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Jan 2, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Jan 2, 2026

PRs: Replace make commands with npm commands in jsweep validation steps ✅; Add comprehensive test coverage for CLI commands ✅
OpenAI curl blocked ✅
GitHub MCP PR fetch ✅
File write/read ✅
example.com blocked ✅
Network: SANDBOXED
Overall: PASS

AI generated by Smoke Codex Firewall


github-actions bot commented Jan 2, 2026

Smoke Test Results

❌ Playwright MCP: Tool not available
✅ Cache Memory: Write/read successful
❌ Safe Input gh: Tool not found

Overall Status: FAIL

AI generated by Smoke Copilot Playwright


github-actions bot commented Jan 2, 2026

Smoke Test Results for Claude (Run 20647904935)

Recent PRs: #8533 (Replace make commands with npm commands), #8531 (Fix Go code formatting)

✅ GitHub MCP - Fetched last 2 merged PRs
✅ File Writing - Created test file at /tmp/gh-aw/agent/smoke-test-claude-20647904935.txt
✅ Bash Tool - Verified file creation with cat
✅ Playwright MCP - Navigated to github.com, title contains "GitHub"
✅ Cache Memory - Created test file at /tmp/gh-aw/cache-memory/smoke-test-20647904935.txt
❌ Safe Input gh Tool - Tool not available in environment

Overall Status: PARTIAL PASS (5/6 tests passed, safeinputs-gh tool not available)

AI generated by Smoke Claude


github-actions bot commented Jan 2, 2026

PRs reviewed: #8533 Replace make commands with npm commands in jsweep validation steps; #8525 Add comprehensive test coverage for CLI commands
GitHub MCP review: ✅
File write + cat (/tmp/gh-aw/agent): ✅
Playwright title contains "GitHub": ✅
Cache memory write + cat (/tmp/gh-aw/cache-memory): ✅
Safeinputs-gh issues list: ❌ tool unavailable (gh CLI not auth)
Overall: FAIL

AI generated by Smoke Codex


pelikhan commented Jan 2, 2026

@copilot explicitly disable firewall in smoke-copilot-no-firewall


github-actions bot commented Jan 2, 2026

Smoke Test Results

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP Testing
  • ✅ File Writing Testing
  • ✅ Bash Tool Testing
  • ✅ Cache Memory Testing
  • ❌ GitHub MCP Default Toolset Testing (get_me failed as expected - not in default toolset)
  • ❌ MCP Gateway Testing (health endpoint unreachable)

Overall Status: PARTIAL PASS

@pelikhan @Copilot - 5/7 tests passed. MCP gateway not accessible but core functionality verified.

AI generated by Smoke Copilot

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 2, 2026

@copilot explicitly disable firewall in smoke-copilot-no-firewall

Added network.firewall: false to explicitly disable the firewall at the network level (a1abd62)


pelikhan commented Jan 2, 2026

When verifying MCP gateway MCP config, make sure to check that the server is ready first before checking the config file. @copilot

Copilot AI changed the title from "Enable MCP gateway (awmg) in smoke-copilot-no-firewall workflow with built-in mode and fix compile timestamp handling" to "Enable MCP gateway (awmg) in smoke-copilot-no-firewall workflow with built-in mode, fix compile timestamp handling, and enhance health check logging" Jan 2, 2026
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 2, 2026

When verifying MCP gateway MCP config, make sure to check that the server is ready first before checking the config file. @copilot

Reordered validation sequence in verify_mcp_gateway_health.sh:

New order: Gateway health check → Config file validation → Connectivity testing

The script now:

  1. Waits for gateway to be ready (30 retries, 1s delay)
  2. Exits immediately with full logs if gateway fails to start
  3. Only validates config file AFTER gateway is confirmed running
  4. Then checks server rewriting and connectivity

This ensures we detect gateway startup failures immediately and only check configuration after the server that will use it is healthy (d3c6387)
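
The readiness-first ordering described in the comment above, as an added example that is not part of this PR or the project's verify_mcp_gateway_health.sh. The function names, exit codes, the probe being passed as a command name, the `/health` path in the comment, and matching required servers by their quoted names in the config are all assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (hypothetical names); not the project's verify_mcp_gateway_health.sh.
# Exit codes (assumed): 0 ok, 1 gateway never ready, 2 config missing, 3 server missing.

# wait_for_gateway PROBE [RETRIES] [DELAY]
# PROBE is the name of a command or function that succeeds once the gateway answers,
# e.g. probe() { curl -fsS --max-time 2 "http://localhost:8080/health"; }  (path assumed)
wait_for_gateway() {
  local probe="$1" retries="${2:-30}" delay="${3:-1}" attempt=1
  while [ "$attempt" -le "$retries" ]; do
    if "$probe" >/dev/null 2>&1; then
      echo "gateway ready after $attempt attempt(s)" >&2
      return 0
    fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
  return 1
}

# check_config CONFIG: file must be non-empty and name both required servers.
# Matching on the quoted server name is an assumption about the config format.
check_config() {
  local config="$1" server
  [ -s "$config" ] || { echo "config missing or empty: $config" >&2; return 2; }
  for server in safeinputs safeoutputs; do
    grep -q "\"$server\"" "$config" ||
      { echo "required server not in config: $server" >&2; return 3; }
  done
}

# verify_gateway PROBE CONFIG LOG [RETRIES] [DELAY]
# Readiness is settled first, so a startup failure is never reported as a config error.
verify_gateway() {
  local probe="$1" config="$2" log="$3" retries="${4:-30}" delay="${5:-1}"
  echo "config file: $config" >&2
  echo "gateway log: $log" >&2
  if ! wait_for_gateway "$probe" "$retries" "$delay"; then
    echo "gateway not ready after $retries attempts; log follows" >&2
    [ -f "$log" ] && cat "$log" >&2
    return 1
  fi
  check_config "$config"
}
```

A caller can branch on the exit code to tell a gateway that never started (1) from a gateway that is up but misconfigured (2 or 3).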


github-actions bot commented Jan 2, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 2, 2026

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Jan 2, 2026

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...


github-actions bot commented Jan 2, 2026

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 2, 2026

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

Smoke test completed. Not adding label due to failed GitHub API access test.


github-actions bot commented Jan 2, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions bot commented Jan 2, 2026

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️


github-actions bot commented Jan 2, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Jan 2, 2026

Smoke Test Results: Copilot Engine (No Firewall)

Test file created: /tmp/gh-aw/agent/smoke-test-copilot-20652597125.txt
Playwright navigation: Successfully navigated to https://github.com with page title verified
GitHub API access: Failed to retrieve merged PRs and issues (401 Unauthorized - missing authentication)

Note: GitHub API tools require proper authentication configuration. The workflow executed successfully with Copilot engine and no firewall restrictions, but GitHub MCP server authentication needs to be configured for API access.

AI generated by Smoke Copilot No Firewall


github-actions bot commented Jan 2, 2026

PRs: #8579 “[ca] Fix linting and test failures in CI”; #8565 “Add safe output support for PR draft status and completion workflow instructions”
OpenAI curl blocked: ✅
GitHub MCP (last 2 merged PRs fetched): ✅
File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20652597091.txt: ✅
Blocked domain (example.com) blocked: ✅
Network: SANDBOXED
Overall: PASS

AI generated by Smoke Codex Firewall


github-actions bot commented Jan 2, 2026

Smoke Test Results

Playwright MCP: Navigation failed - Playwright tools not directly accessible in this environment
Cache Memory: Successfully created /tmp/gh-aw/cache-memory/smoke-test-20652597112.txt
Safe Inputs gh: Tool not found in expected locations

Overall Status: FAIL (2/3 tests failed)

AI generated by Smoke Copilot Playwright


github-actions bot commented Jan 2, 2026

PRs reviewed: #8579 “[ca] Fix linting and test failures in CI”, #8577 “Add safe output support for PR draft status and completion workflow instructions”
GitHub MCP ✅
File write ✅
Cache memory ✅
Playwright ✅
safeinputs-gh ❌ (command missing in PATH)
Overall: FAIL

AI generated by Smoke Codex


github-actions bot commented Jan 2, 2026

Smoke Test Results - Claude Engine

Recent PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PRs successfully
  • ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-claude-20652597109.txt
  • ✅ Bash Tool: Verified file creation
  • ✅ Playwright MCP: Navigated to github.com, title verified
  • ✅ Cache Memory: Created /tmp/gh-aw/cache-memory/smoke-test-20652597109.txt
  • ❌ Safe Input gh Tool: gh CLI not authenticated in Actions

Overall: PASS (5/6 tests passed - gh CLI failure expected in Actions context)

AI generated by Smoke Claude

pelikhan marked this pull request as ready for review January 2, 2026 06:53
pelikhan merged commit 87a905d into main Jan 2, 2026
47 of 49 checks passed
pelikhan deleted the copilot/enable-sandbox-mcp-gateway branch January 2, 2026 06:53