You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[aw-failures] GitHub MCP Structural Analysis false-red — github MCP "failed to launch" after run completes; firewall denies awmg
[Content truncated due to length] #41711
Stop marking the run a failure on a post-completion github-MCP relaunch — in §28238231936 the agent ran all 34 turns, created the discussion, and persisted the cache, yet the job is red because ERR_API: MCP server(s) failed to launch: github fires after the work is done. This is a false-red that masks real failures.
Affected workflows & runs
Triage the recurrence — this daily workflow has failed two consecutive days after two green days, and is untracked by any open agentic-workflows issue.
Unblock the managed-gateway connection — audit-diff (base=28238231936 failed vs compare=28098801795 success) shows the only firewall delta that matters: awmg-mcpg:8080 was denied (blocked:1, status:denied) in the failed run and absent in the green run.
The agent used the github MCP successfully throughout the run (it sampled 9 toolsets via the HTTP MCP endpoint), so github MCP was healthy during execution.
The terminal failed to launch: github therefore comes from a late relaunch/health-probe of the github MCP through the managed gateway (awmg-mcpg:8080), which the firewall denied once — producing a non-zero exit and a red run despite all work succeeding.
audit-diff removed_domains:
{ "domain": "awmg-mcpg:8080", "run1_blocked": 1, "run1_status": "denied", "run2_blocked": 0 }
summary: has_anomalies=false (firewall counters do not flag the single deny as an anomaly)
Proposed remediation
Treat a post-completion MCP relaunch/health-probe failure as non-fatal — once the engine reports the run completed and safe-outputs succeeded, do not overwrite the conclusion with ERR_API: MCP server(s) failed to launch.
Flag a single managed-gateway deny that occurs after work completion in the audit summary (currently has_anomalies=false), so this false-red is detectable.
Success criteria
A run where the agent completes all turns and safe-outputs succeed concludes success even if a late github-MCP relaunch is denied.
GitHub MCP Structural Analysis returns to green on its next scheduled cycle, or fails with a real, distinct signature.
audit surfaces the awmg-mcpg:8080 deny as an anomaly rather than swallowing it.
Relationship to existing issues
Linked as a sub-issue of #41455 (same managed-gateway firewall family). Distinct because: (a) here the agent runs to completion and the run is a false-red, vs #41455 where the agent is never invoked (100% lost); (b) different host/mode — firewall deny of awmg-mcpg:8080 vs DNS EAI_AGAIN on awmg-cli-proxy:18443.
Related to #41455
Fix
Stop marking the run a failure on a post-completion github-MCP relaunch — in §28238231936 the agent ran all 34 turns, created the discussion, and persisted the cache, yet the job is red because
ERR_API: MCP server(s) failed to launch: githubfires after the work is done. This is a false-red that masks real failures.Affected workflows & runs
Triage the recurrence — this daily workflow has failed two consecutive days after two green days, and is untracked by any open
agentic-workflowsissue.Probable root cause
Unblock the managed-gateway connection —
audit-diff(base=28238231936 failed vs compare=28098801795 success) shows the only firewall delta that matters:awmg-mcpg:8080was denied (blocked:1, status:denied) in the failed run and absent in the green run.failed to launch: githubtherefore comes from a late relaunch/health-probe of the github MCP through the managed gateway (awmg-mcpg:8080), which the firewall denied once — producing a non-zero exit and a red run despite all work succeeding.Evidence — error tail (§28238231936) + audit-diff firewall delta
Proposed remediation
ERR_API: MCP server(s) failed to launch.awmg-mcpg:8080the same way [aw-failures] AWF firewall startup fails — getaddrinfo EAI_AGAIN awmg-cli-proxy, managed-gateway DNS not resolvable, agent never [Content truncated due to length] #41455 proposes absorbing theawmg-cli-proxyDNS race — retry/backoff the managed-gateway connection instead of failing the run on a single deny.has_anomalies=false), so this false-red is detectable.Success criteria
successeven if a late github-MCP relaunch is denied.GitHub MCP Structural Analysisreturns to green on its next scheduled cycle, or fails with a real, distinct signature.awmg-mcpg:8080deny as an anomaly rather than swallowing it.Relationship to existing issues
Linked as a sub-issue of #41455 (same managed-gateway firewall family). Distinct because: (a) here the agent runs to completion and the run is a false-red, vs #41455 where the agent is never invoked (100% lost); (b) different host/mode — firewall deny of
awmg-mcpg:8080vs DNSEAI_AGAINonawmg-cli-proxy:18443.Related to #41455