docs(references): daily intelligence update 2026-04-19

- production-gotchas.md: add MCP gateway port 8080 AWF firewall gotcha
  (gateway moved 80→8080; AWF blocks 8080 by default; fix: gh aw upgrade
  to v0.25.25+ which adds --allow-host-ports)
- gh-aw-architecture.md: bump AWF v0.25.25, MCP Gateway v0.2.25; note
  port change and --allow-host-ports fix
- knowledge-base.md: append 2026-04-19 entry with version bumps and
  port 8080 critical bug fix
- outputs/gh-aw-reports/2026-04-19.md: today's intelligence report

Sources: github/gh-aw commits ca1d545, a77850e, 1378d27, c842421

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.claude/skills/gh-aw-report/knowledge-base.md

@@ -156,5 +156,29 @@ Workflow reruns capped at 50 (2026-04-10). OIDC for Dependabot/code scanning. Co
 - **Copilot cloud agent per-org control** (April 15, 2026): Can now be enabled for selected organizations via AI Controls page → "Agent" → "Copilot Cloud Agent"
 - **REST API version 2026-03-10**: Available with breaking changes to the REST API
 
+---
+
+## [2026-04-19] Daily Intelligence — AWF v0.25.25 / MCP Gateway v0.2.25 / Port 8080 Fix
+
+### gh-aw Version Bumps (2026-04-19)
+- **AWF (Actions Workflow Framework)**: v0.25.24 → **v0.25.25** (routine bump, PR #27102)
+- **MCP Gateway**: v0.2.24 → **v0.2.25** (routine bump, PR #27102)
+
+### Critical Bug Fix — MCP Gateway Port 8080 (2026-04-19)
+- **Symptom**: Silent MCP tool-call failures and safe-output timeouts
+- **Root cause**: PR #27058 moved MCP gateway from port 80 to port **8080** (non-privileged). AWF `--enable-host-access` only whitelists ports 80 and 443 by default, blocking gateway traffic on 8080.
+- **Fix**: Added `--allow-host-ports 80,443,<gateway-port>` to compiled AWF command, gated by minimum AWF version; respects custom `sandbox.mcp.port` config. Merged 2026-04-19 in PR #27080.
+- **Resolution**: Update to gh-aw v0.25.25+ (`gh aw upgrade`).
+- Source: https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d
+
+### New copilot-opt Workflow (2026-04-19)
+- gh-aw internal workflow that analyzes 14-day session history and generates 3 evidence-backed Copilot optimization issues
+- Uses Haiku model + lean toolset + prompt compaction for token efficiency
+- Source: https://github.com/github/gh-aw/commit/1378d27a7efc20f30e8fedd484fab57beea7db26
+
+### Exported Constants (2026-04-19)
+- New constants exported from pkg: `guard-policy`, `BYOK`, AWF version string
+- Source: https://github.com/github/gh-aw/commit/c842421a058e688346db5491ce80e44179df6d01
+
 ---
 <!-- Append new entries above this line, newest first -->

.claude/skills/gh-aw-report/references/gh-aw-architecture.md

@@ -9,7 +9,7 @@ Stable architectural facts about the GitHub Agentic Workflows ecosystem. Used by
 - **Install**: `gh extension install github/gh-aw`
 - **Purpose**: Compile markdown workflow definitions into GitHub Actions `.lock.yml` files
 - **Key commands**: `gh aw compile`, `gh aw validate`, `gh aw upgrade`, `gh aw mcp inspect`, `gh aw mcp list`
-- **AWF (Actions Workflow Framework)**: Default version **v0.25.24** (as of 2026-04-18)
+- **AWF (Actions Workflow Framework)**: Default version **v0.25.25** (as of 2026-04-19; v0.25.24 [SUPERSEDED])
 
 ### Workflow File Structure
 - **Source**: `.github/workflows/<name>.md` — markdown with YAML frontmatter
@@ -81,7 +81,9 @@ Stable architectural facts about the GitHub Agentic Workflows ecosystem. Used by
 - **`base_ref` parameter:** On Copilot PR tools for stacked PR / feature branch workflows
 - **Insiders mode:** Opt-in experimental features via `/insiders` URL or config header
 - **HTTP mode:** Enterprise deployment with per-request OAuth token forwarding
-- **MCP Gateway:** Centralized access management for MCP servers (**v0.2.24** as of 2026-04-18; runs as runner user with uid/gid Docker mapping since v0.2.x)
+- **MCP Gateway:** Centralized access management for MCP servers (**v0.2.25** as of 2026-04-19; v0.2.24 [SUPERSEDED])
+  - Runs as runner user with uid/gid Docker mapping since v0.2.x (fixes "Redact secrets in logs" warnings)
+  - **Port changed** from 80 → **8080** (non-privileged) in a prior PR; AWF `--allow-host-ports` added to whitelist port 8080
 
 ## Claude Code (Anthropic)
 

outputs/gh-aw-reports/2026-04-19.md

@@ -0,0 +1,119 @@
+# gh-aw Intelligence Report — 2026-04-19
+
+**Period:** 2026-04-18 → 2026-04-19  
+**Sources:** GitHub API (gh-aw, github-mcp-server, agentics, zircote/github-agentic-workflows)  
+**Web search:** Blocked by network firewall — GitHub API data only
+
+---
+
+## 1. gh-aw CLI Updates
+
+### AWF v0.25.25 + MCP Gateway v0.2.25 (2026-04-19)
+
+Routine version bump merged today (PR #27102):
+- **AWF (Actions Workflow Framework):** v0.25.24 → **v0.25.25**
+- **MCP Gateway:** v0.2.24 → **v0.2.25**
+
+Source: https://github.com/github/gh-aw/commit/ca1d545a9b9f1a4623f30cfa1aae322fbf12db77
+
+---
+
+## 2. Critical Bug Fix — MCP Gateway Port 8080
+
+**Severity: High** — Silent production failures
+
+A previous gh-aw change (PR #27058) moved the MCP gateway from **port 80 to port 8080** (non-privileged). However, AWF's `--enable-host-access` flag only whitelists ports 80 and 443 by default. This caused the agent inside AWF to be unable to reach the MCP gateway, resulting in:
+
+- **Silent MCP tool-call failures** (agent receives no tools)
+- **Safe-output timeouts** (safe-outputs communicate via MCP gateway)
+
+**Fix (merged 2026-04-19):** Added `--allow-host-ports 80,443,<gateway-port>` to the compiled AWF command, gated by minimum AWF version. Also respects custom `sandbox.mcp.port` configuration.
+
+Source: https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d
+
+**Impact:** Any gh-aw version between the port change and v0.25.25 would silently fail MCP calls. Updating to the latest gh-aw (`gh aw upgrade`) resolves this.
+
+---
+
+## 3. New Workflow — copilot-opt
+
+A new gh-aw internal workflow `copilot-opt` has been added (commit 1378d27) that:
+- Analyzes 14-day session history
+- Generates 3 evidence-backed Copilot optimization issue recommendations
+- Uses lean toolset + Haiku model + pre-aggregation for token efficiency
+
+Token optimizer was also improved with cli-proxy path, lean toolset, and prompt compaction.
+
+Source: https://github.com/github/gh-aw/commit/1378d27a7efc20f30e8fedd484fab57beea7db26
+
+---
+
+## 4. Exported Constants — guard-policy, BYOK, AWF Version
+
+New constants exported from `pkg/constants`:
+- `guard-policy` — AWF network guard policy identifiers
+- `BYOK` (Bring Your Own Key) — token configuration constants  
+- AWF version string constants
+
+Source: https://github.com/github/gh-aw/commit/c842421a058e688346db5491ce80e44179df6d01
+
+---
+
+## 5. API Rename — ResolveLatestActionPin
+
+`GetCachedActionPin` renamed to `ResolveLatestActionPin` in `pkg/actionpins`. This is an internal API change; no impact on workflow authors.
+
+Source: https://github.com/github/gh-aw/commit/7533280119bfffdd4f020ca893dcc818935e4600
+
+---
+
+## 6. GitHub MCP Server — v1.0.0 Still Current
+
+No new releases since v1.0.0 (2026-04-16). The stable 1.0 release with:
+- `set_issue_fields` tool (issues_granular toolset)
+- MCP Apps migrated from insiders to `remote_mcp_ui_apps` feature flag
+- granular toolsets: `issues_granular`, `pull_request_granular`
+- `resolve_review_thread` tool (v0.33.0)
+- `list_commits`: `path`, `since`, `until` parameters (v0.33.0)
+
+---
+
+## 7. githubnext/agentics
+
+Minor formatting fixes (2026-04-17, don Syme). No new workflows or patterns.
+
+---
+
+## 8. Community
+
+No significant community findings today (web search blocked by network firewall).
+
+---
+
+## Gap Analysis
+
+### GAP-1 (missing, priority 1): production-gotchas.md — MCP gateway port 8080
+
+**File:** `skills/aw-author/references/production-gotchas.md`  
+**Section:** MCP Server Constraints  
+**Issue:** The critical MCP gateway port change (80 → 8080) and AWF firewall blocking issue is not documented. This is a high-impact production failure causing silent MCP tool-call failures and safe-output timeouts.  
+**Action:** Add new gotcha entry — implemented in this PR.
+
+### GAP-2 (outdated, priority 2): gh-aw-architecture.md — AWF/MCP Gateway versions
+
+**File:** `.claude/skills/gh-aw-report/references/gh-aw-architecture.md`  
+**Section:** MCP Gateway version  
+**Issue:** Architecture file still references v0.1.9 (open issue #39). Now bumped to v0.2.25. AWF should be noted as v0.25.25.  
+**Action:** Update version references — implemented in this PR.
+
+*Note: Gaps #39–#43 from 2026-04-18 remain open for Copilot implementation.*
+
+---
+
+## Summary
+
+- **Queries run:** 5 GitHub API (gh-aw, github-mcp-server, agentics, zircote, releases)
+- **Web searches:** 0 (network firewall blocked all outbound requests)
+- **Key findings:** AWF/Gateway bumped to v0.25.25/v0.2.25; critical MCP port 8080 bug fixed; new copilot-opt workflow
+- **Gaps identified:** 2 new (port 8080 gotcha, architecture version)
+- **Files changed:** production-gotchas.md, gh-aw-architecture.md, knowledge-base.md (×2)

skills/aw-author/references/production-gotchas.md

@@ -305,7 +305,29 @@ entrypointArgs:
   - "apk add --no-cache curl >/dev/null 2>&1 && exec my-server"
 ```
 
-### `gh aw mcp inspect/list` Limitation
+### MCP Gateway Port 8080 — AWF Firewall Blocks Traffic
+
+A gh-aw change moved the MCP gateway from port **80** to port **8080** (non-privileged). AWF's `--enable-host-access` only whitelists ports 80 and 443 by default. This leaves port 8080 blocked, causing silent failures.
+
+**Symptom:** MCP tools are completely unavailable to the agent AND safe-output calls silently time out — the agent appears to run but no tools work and writes never happen. Check `agent-artifacts/mcp-logs/` for connection refused errors on port 8080.
+
+**Affected versions:** gh-aw versions between the gateway port change (around AWF v0.25.20) and **v0.25.25** (which includes the `--allow-host-ports` fix).
+
+**Fix:** Update gh-aw to the latest version:
+
+```bash
+gh aw upgrade
+```
+
+This compiles `--allow-host-ports 80,443,8080` into the AWF command, allowing the agent to reach the MCP gateway.
+
+**Custom port:** If you use a custom `sandbox.mcp.port` configuration, the fix respects that value.
+
+**Root cause commit:** https://github.com/github/gh-aw/commit/a77850ea08d6b59e87b5ba41e78a1b5ee60b755d
+
+---
+
+
 
 The `gh aw mcp inspect` and `gh aw mcp list` commands do **NOT** follow `imports:` directives. They only see MCP servers declared in the direct frontmatter of the workflow file being inspected.