Recommendation
Grant this workflow a sanctioned write path (or stop it from shelling git checkout -b) — it burns through the 5/5 tool-denial guard every run and has been red for 6+ consecutive days. Secondary: the post-abort missing_tool fallback cannot reach the safe-outputs gateway and crashes with ECONNREFUSED.
Problem statement
The Daily Safe Output Integrator agent does useful analysis, then attempts to commit its fix by shelling git checkout -b ... && git add ... && git commit .... The workflow tool allow-list denies the shell(git checkout -b ...) calls. The SDK driver hits the tool_denials_exceeded guard at 5/5 denials and stops the session early (exitCode=1). The run is marked failure even though the agent reached a correct conclusion.
Affected workflow and run IDs
- Workflow: Daily Safe Output Integrator (.github/workflows/daily-safe-output-integrator.lock.yml)
- Representative failed run: §27572285541 (2026-06-15, 11 permission denials, denialCount 5/5)
- Comparator (prior failed, identical signature): §27508844367 (2026-06-14, same git checkout -b fix/... denial at 5/5)
- Chronic: failure every scheduled run 2026-06-10 → 2026-06-15.
Probable root cause
Two defects compound:
- Capability/intent mismatch. The agent is instructed to integrate/fix safe-output fixtures and tries to create a branch and commit via raw git shell commands, but the workflow grants no such shell permission. It also gets denied on benign read(pkg/workflow/...) and sed calls, inflating the denial count. The agent should use the workflow's sanctioned safe-output mechanism (e.g. push_to_pull_request_branch / create_pull_request) instead of raw git, or the allow-list must permit the reads + git operations it legitimately needs.
- Fallback emission race. After the abort, the harness tries to emit missing_tool via the safeoutputs MCP bridge, but the gateway at 172.17.0.1:8080 is already torn down → connect ECONNREFUSED → the fallback itself errors. The failure-reporting path is not resilient to gateway teardown ordering during early-abort.
Same denial-threshold failure CLASS as #39343 (Daily Compiler Threat Spec Optimizer); this issue is a distinct workflow plus the novel missing_tool ECONNREFUSED race.
Proposed remediation
- Replace the agent's raw git checkout -b / commit flow with the workflow's safe-output write tool, OR add the required shell(git ...) and read(pkg/**) entries to the allow-list so legitimate steps are not denied.
- Widen read permissions for the source paths the integrator must inspect (pkg/workflow, pkg/cli/workflows) to stop benign reads from counting toward the denial threshold.
- Make the post-abort missing_tool emission tolerant of gateway teardown (emit before gateway shutdown, or retry against a still-live endpoint) so the diagnostic is not lost to ECONNREFUSED.
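The denial budget described under "Probable root cause" can be modelled in a few lines; this is an added illustration, not code from the workflow or its SDK driver. The glob semantics, the tool-call strings, the file names and the way create_pull_request appears in the allow-list are all constructed assumptions.

```javascript
// Added illustration: simplified model of a tool allow-list with a denial budget.
// Pattern semantics, tool-call strings and file names are constructed assumptions.
const DENIAL_LIMIT = 5; // the guard in the report trips at 5/5

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Assumed glob rules: "**" matches anything, "*" matches within one path segment.
function toRegExp(entry) {
  const body = entry
    .split("**")
    .map((part) => part.split("*").map(escapeRe).join("[^/]*"))
    .join(".*");
  return new RegExp("^" + body + "$");
}

// Replay tool calls against an allow-list; stop once the denial budget is spent.
function runSession(allowList, calls, limit = DENIAL_LIMIT) {
  const allowed = allowList.map(toRegExp);
  const executed = [];
  const denied = [];
  for (const call of calls) {
    if (allowed.some((re) => re.test(call))) {
      executed.push(call);
      continue;
    }
    denied.push(call);
    if (denied.length >= limit) return { aborted: true, executed, denied };
  }
  return { aborted: false, executed, denied };
}

// Constructed call sequences: inspect sources, then write the fix.
const inspect = [
  "read(pkg/workflow/example_a.go)",
  "read(pkg/cli/workflows/example_b.md)",
  "shell(sed -n 1,40p pkg/workflow/example_a.go)",
  "read(pkg/workflow/example_c.go)",
];
const rawGit = ["shell(git checkout -b fix/example)", "shell(git add -A)", "shell(git commit -m fix)"];

const narrow = ["shell(ls *)"]; // reads, sed and git are all denied
const widened = ["read(pkg/**)", "shell(sed **)", "create_pull_request"];

const before = runSession(narrow, [...inspect, ...rawGit]);
const readsOnly = runSession(widened, [...inspect, ...rawGit]);
const after = runSession(widened, [...inspect, "create_pull_request"]);
console.log({ before: before.aborted, readsOnly: readsOnly.denied, after: after.denied.length });
```

In this model the four denied reads and sed call use up most of the budget, so the first git checkout -b is the fifth denial. Widening reads alone avoids the abort but still leaves the three raw git calls denied, so the write only succeeds through the sanctioned tool.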
Success criteria / verification
- A scheduled run completes without hitting the 5/5 denial guard; legitimate reads and the write step are permitted.
- When a denial abort does occur, missing_tool is emitted successfully (no ECONNREFUSED).
- Workflow returns to green for 3 consecutive scheduled runs.
Analyzed run IDs: 27572285541, 27508844367. Related: #39343. Parent: #29109.
Related to #29109
Generated by 🔍 [aw] Failure Investigator (6h) · 183.4 AIC · ⌖ 12.6 AIC · ⊞ 4.5K · ◷