
Add network access to agentic-workflows MCP server container#14201

Merged
pelikhan merged 4 commits into main from copilot/fix-mcp-tools-accessibility on Feb 6, 2026

Conversation


Copilot AI commented Feb 6, 2026

The agentic-workflows MCP server runs as a stdio server in a Docker container without network access, preventing gh CLI commands (audit, logs, compile) from reaching GitHub's API at api.github.com.

Changes

  • mcp_config_builtin.go: Added --network host to Docker args for agentic-workflows container (both JSON and TOML renderers)
  • Test updates: Updated assertions in 4 test files to expect new args format
  • Workflow recompilation: Regenerated 28 workflow lock files with network configuration

Implementation

```go
// Before
yaml.WriteString(`"args": ["-w", "${{ github.workspace }}"],`)

// After
yaml.WriteString(`"args": ["--network", "host", "-w", "${{ github.workspace }}"],`)
```

This follows the same pattern used by Playwright and Serena MCP servers. The container now has host network access, allowing the gh CLI to function correctly while maintaining workspace isolation through mounts.

Original prompt

This section details the original issue you should resolve

<issue_title>[cli-tools-test] MCP tools not accessible in daily-cli-tools-tester workflow - blocking exploratory testing</issue_title>
<issue_description>## Problem Description

The daily-cli-tools-tester workflow is designed to perform exploratory testing of audit, logs, and compile tools from the agentic-workflows MCP server. However, none of these tools are accessible through any available interface, completely blocking the testing mission.

Tool Configuration

The workflow frontmatter correctly declares the agentic-workflows tool:

tools:
  agentic-workflows:
  bash:

The MCP configuration is generated correctly:

```json
{
  "agenticworkflows": {
    "headers": {
      "Authorization": "I7HCampDYk79ahoUDnxdp4RMIMjXKW6V9jHJtdPxmQKjgJ9jB7AzvZLNnk"
    },
    "type": "http",
    "url": "(host.docker.internal/redacted)",
    "tools": ["*"]
  }
}
```

Steps to Reproduce

  1. Run the daily-cli-tools-tester workflow
  2. Attempt to call agenticworkflows-status tool
  3. Observe "Permission denied and could not request permission from user"
  4. Attempt to call agenticworkflows-mcp-inspect tool
  5. Observe same permission denied error
  6. Attempt to access MCP server via HTTP (curl)
  7. Observe network access is blocked

Expected Behavior

The agentic-workflows MCP tools should be accessible to the Copilot CLI agent via:

  • Direct tool calls (e.g., agenticworkflows-status)
  • HTTP requests to the MCP proxy endpoint

The workflow prompt explicitly states:

You have access to the agentic-workflows MCP tool which provides:

  • audit - Audit a workflow run and generate detailed report
  • logs - Download workflow logs with filtering and analysis
  • compile - Compile workflow markdown files to YAML
  • list - List all workflows in the repository
  • status - Get status and metadata for workflows

Actual Behavior

  • All direct tool calls return "Permission denied and could not request permission from user"
  • Network access to MCP proxy is blocked
  • No alternative method to access the tools exists
  • The entire testing mission is blocked

Environment

  • Repository: github/gh-aw
  • Run ID: 21759712719
  • Workflow: daily-cli-tools-tester
  • Engine: copilot (GitHub Copilot CLI v0.0.405)
  • Date: 2026-02-06
  • Event: workflow_dispatch

Impact

  • Severity: Critical
  • Frequency: Always (100% failure rate)
  • Workaround: None - testing cannot proceed
  • Blocked workflows: Daily CLI tools testing is completely non-functional

Diagnostic Information

Available tools in environment:

  • bash commands: ✅ Working (echo, ls, cat, grep, etc.)
  • File system access: ✅ Working
  • Network access: ❌ Blocked (even for MCP proxy)
  • agenticworkflows-* tools: ❌ Permission denied
  • github-* tools: Unknown (not tested)
  • safeoutputs-* tools: ✅ Working (this issue was created)

MCP configuration location: /home/runner/.copilot/mcp-config.json
MCP log directory: /tmp/gh-aw/mcp-logs/

Root Cause Hypothesis

Possible causes:

  1. HTTP MCP proxy not routing correctly: The agenticworkflows server may not be responding or the proxy isn't forwarding requests
  2. Tool registry mismatch: Copilot CLI may not be discovering tools from HTTP MCP servers correctly
  3. Authorization issue: Headers may not be passed through the proxy chain
  4. Server not started: The agenticworkflows MCP server may not be running in the Docker container
  5. Network isolation: Firewall rules may be blocking communication with host.docker.internal

Suggested Investigation Steps

  1. Check if agenticworkflows MCP server is running:

    docker ps | grep agenticworkflows
    curl (host.docker.internal/redacted)
  2. Check MCP proxy logs for routing errors:

    ls -la /tmp/gh-aw/mcp-logs/
    cat /tmp/gh-aw/mcp-logs/agenticworkflows/*.log
  3. Test tool discovery via Copilot CLI:

    copilot --list-tools | grep agentic
  4. Test direct MCP protocol communication:

    curl -X POST (host.docker.internal/redacted) \
      -H "Authorization: ..." \
      -H "Content-Type: application/json" \
      -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
  5. Compare with working MCP servers (safeoutputs, github):

    • Check their configuration
    • Check if they're also HTTP-based
    • Verify they don't have the same access issues

Related Files

  • Workflow: .github/workflows/daily-cli-tools-tester.md
  • MCP Config: /home/runner/.copilot/mcp-config.json (generated)
  • Session log: /tmp/gh-aw/agent/testing-log.md (created during this run)

Additional Context

This is a brand new testing workflow designed to provide comprehensive exploratory testing of core CLI functionality. It cannot fulfill its purpose without access to the tools it's meant to test.

The workflow was likely created with the assumption that HTTP MCP s...



Copilot AI and others added 3 commits February 6, 2026 18:01
Enable --network host for agentic-workflows stdio container to allow
GitHub API access for CLI commands (audit, logs, compile). The container
needs to reach api.github.com to execute gh CLI commands.

Updated:
- mcp_config_builtin.go: Add --network host to Docker args
- Documentation: Updated comments to explain network requirement
- Tests: Updated test expectations for new args format

Fixes issue where daily-cli-tools-tester workflow couldn't access
agentic-workflows MCP tools due to network isolation.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
All workflows using agentic-workflows tool now include --network host
Docker arg to enable GitHub API access from the MCP server container.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Updated test assertions in mcp_config_compilation_test.go and
importable_tools_test.go to expect --network host flag in args.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan added the smoke label Feb 6, 2026

github-actions bot commented Feb 6, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...


github-actions bot commented Feb 6, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Feb 6, 2026

Changeset Generator failed. Please review the logs for details.


github-actions bot commented Feb 6, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

Copilot AI changed the title from "[WIP] Fix accessibility issue of MCP tools in daily-cli-tools-tester" to "Add network access to agentic-workflows MCP server container" Feb 6, 2026
Copilot AI requested a review from pelikhan February 6, 2026 18:10

github-actions bot commented Feb 6, 2026

Agent Container Tool Check

| Tool | Status / Version |
|------|------------------|
| bash | 5.2.21 |
| sh | available |
| git | 2.52.0 |
| jq | 1.7 |
| yq | 4.52.2 |
| curl | 8.5.0 |
| gh | 2.86.0 |
| node | 20.20.0 |
| python3 | 3.12.3 |
| go | 1.24.12 |
| java | Missing libjli.so library |
| dotnet | Error: cannot execute dotnet when renamed to bash |

Result: 10/12 tools available ❌

Issues Found

  1. Java (❌): Binary exists at /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.10-7/x64/bin/java but fails with:
     error while loading shared libraries: libjli.so: cannot open shared object file
  2. .NET (❌): Binary exists at /usr/share/dotnet/dotnet but produces bizarre error:
     Error: cannot execute dotnet when renamed to bash
     This suggests the container environment has a configuration issue affecting how .NET binaries execute.

Recommendation

Container environment needs investigation for Java library paths and .NET execution environment.

AI generated by Agent Container Smoke Test

@github-actions github-actions bot removed the smoke label Feb 6, 2026

github-actions bot commented Feb 6, 2026

🤖 Beep boop! The smoke test agent just dropped by to say hello!

Testing all the things, navigating through your discussions like a digital explorer. Everything's looking good from my automated perspective!

Smoke test run §21760895712 was here 👋

AI generated by Smoke Copilot


github-actions bot commented Feb 6, 2026

Smoke Test Results

PRs Tested:

Results:

  • ✅ GitHub MCP
  • ✅ Safe Inputs GH CLI
  • ✅ Serena MCP
  • ✅ Playwright
  • ✅ File Writing
  • ✅ Bash Tool
  • ✅ Discussion Query
  • ✅ Build Test
  • ✅ Workflow Dispatch

Overall Status: ✅ PASS

@pelikhan

AI generated by Smoke Copilot


github-actions bot commented Feb 6, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@pelikhan pelikhan marked this pull request as ready for review February 6, 2026 18:16
Copilot AI review requested due to automatic review settings February 6, 2026 18:16
@pelikhan pelikhan merged commit ac982f3 into main Feb 6, 2026
157 of 159 checks passed
@pelikhan pelikhan deleted the copilot/fix-mcp-tools-accessibility branch February 6, 2026 18:17

Copilot AI left a comment


Pull request overview

Enables outbound network connectivity for the built-in agentic-workflows stdio MCP server container so gh aw-backed tools (e.g., audit, logs, compile) can reach GitHub’s API.

Changes:

  • Add --network host to the Docker runtime args for the agentic-workflows MCP server config (JSON and TOML render paths).
  • Update MCP rendering/config tests to assert the new args sequence.
  • Regenerate workflow lock files to reflect the updated MCP server container args.

Reviewed changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated no comments.

| File | Description |
|------|-------------|
| pkg/workflow/mcp_config_builtin.go | Adds --network host to agentic-workflows container args in both JSON and TOML renderers; updates inline documentation accordingly. |
| pkg/workflow/mcp_renderer_test.go | Updates renderer assertions to expect --network host + -w ${{ github.workspace }}. |
| pkg/workflow/mcp_config_refactor_test.go | Updates expected rendered MCP config strings (JSON + TOML) to include --network host. |
| pkg/workflow/mcp_config_compilation_test.go | Updates lock-content assertions to match the new args list. |
| pkg/workflow/importable_tools_test.go | Updates imported tool workflow assertion to match the new args list. |
| .github/workflows/workflow-normalizer.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/static-analysis-report.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/smoke-copilot.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/smoke-claude.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/security-review.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/safe-output-health.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/q.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/python-data-charts.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/portfolio-analyst.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/metrics-collector.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/mcp-inspector.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/dev-hawk.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/example-workflow-analyzer.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/deep-report.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/daily-observability-report.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/daily-firewall-report.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/cloclo.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/audit-workflows.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated lock content to include --network host in agenticworkflows args. |



github-actions bot commented Feb 6, 2026

🛡️ Security Posture Analysis

This PR contains changes that may affect the security posture. Please review the following concerns:

🟠 Network boundary: Host network enabled for agentic-workflows container

Location: pkg/workflow/mcp_config_builtin.go:232-235 and pkg/workflow/mcp_config_builtin.go:341-344

Change Detected:

-                "args": ["-w", "${{ github.workspace }}"],
+                "args": ["--network", "host", "-w", "${{ github.workspace }}"],
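Review bot: the requirement stated in the PR description is only that the gh CLI inside the container can reach api.github.com, yet the added `"--network", "host"` hands the container the host's whole network namespace, so the change is broader than the need it cites. Before merging, the inline comment in mcp_config_builtin.go should record why the container's own (bridged) network namespace was insufficient for that one destination, or the args should instead carry an egress proxy/allowlist for api.github.com as the Recommendation in this comment suggests, so the isolation the old `"-w", "${{ github.workspace }}"`-only args preserved is not silently lost across all 28 regenerated lock files.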

Security Impact: Switching the stdio container to --network host removes its network isolation boundary and gives the MCP server direct access to the host network and all services reachable from it (including internal APIs or metadata endpoints). That significantly increases the attack surface for workflows that run inside this container.

Recommendation: Keep the container in bridged mode and route only the required outbound traffic, or enforce a more restrictive network policy (e.g., proxy/allowlist for api.github.com) instead of opening the entire host network.


Summary

| Category | Severity | Count |
|----------|----------|-------|
| Network boundary expansion | 🟠 | 1 |

Note: This is an automated analysis. Please verify these findings and determine if the changes are intentional and justified.

AI generated by Security Guard Agent 🛡️
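To make both the PR's renderer change and the Security Guard finding concrete, here is an added Go example (written for this page, not gh-aw's own code) that renders the docker args in either the PR's host-network form or a hardened bridged form, and audits an mcp-config.json for stdio servers that escape network isolation. It assumes a config shape of top-level server name to entry with `type`, `command` and `args` fields, the hypothetical `HTTPS_PROXY` egress-proxy approach for the hardened variant, and placeholder image names and proxy hosts; the sample config is constructed, not gh-aw output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// mcpServer mirrors one server entry in mcp-config.json.
// This is a constructed subset for the example, not gh-aw's own type.
type mcpServer struct {
	Type    string   `json:"type"`
	Command string   `json:"command"`
	Args    []string `json:"args"`
}

// RenderDockerArgs builds the `docker run` argument list for an MCP server
// container. hostNetwork=true reproduces the PR's change; hostNetwork=false
// keeps the container's own network namespace and, when proxyURL is set,
// points outbound HTTPS at an egress proxy that can enforce an
// api.github.com allowlist (an assumed hardening, not gh-aw behaviour).
func RenderDockerArgs(hostNetwork bool, workspace, image, proxyURL string) []string {
	args := []string{"run", "-i", "--rm"}
	if hostNetwork {
		args = append(args, "--network", "host")
	} else if proxyURL != "" {
		args = append(args, "-e", "HTTPS_PROXY="+proxyURL)
	}
	return append(args, "-w", workspace, image)
}

// UsesHostNetwork reports whether a docker args list requests the host
// network namespace, in either the two-token or the --flag=value spelling.
func UsesHostNetwork(args []string) bool {
	for i, a := range args {
		switch a {
		case "--network=host", "--net=host":
			return true
		case "--network", "--net":
			if i+1 < len(args) && args[i+1] == "host" {
				return true
			}
		}
	}
	return false
}

// AuditHostNetwork parses an mcp-config.json document (top-level map of
// server name to entry) and returns, sorted, the names of docker-backed
// stdio servers whose args drop the network isolation boundary.
func AuditHostNetwork(configJSON []byte) ([]string, error) {
	var cfg map[string]mcpServer
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse mcp config: %w", err)
	}
	var flagged []string
	for name, srv := range cfg {
		if srv.Type != "stdio" || srv.Command != "docker" {
			continue // HTTP servers have no container args to inspect
		}
		if UsesHostNetwork(srv.Args) {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

// sampleConfig is constructed for this example: one host-networked server,
// one bridged server behind a proxy, and one HTTP server. Image names and
// hosts are placeholders.
const sampleConfig = `{
  "agenticworkflows": {
    "type": "stdio",
    "command": "docker",
    "args": ["run", "-i", "--rm", "--network", "host", "-w", "/work", "ghcr.io/example/gh-aw:placeholder"]
  },
  "serena": {
    "type": "stdio",
    "command": "docker",
    "args": ["run", "-i", "--rm", "-e", "HTTPS_PROXY=http://egress-proxy:3128", "-w", "/work", "ghcr.io/example/serena:placeholder"]
  },
  "github": {
    "type": "http",
    "url": "https://example.invalid/mcp"
  }
}`

func main() {
	flagged, err := AuditHostNetwork([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, name := range flagged {
		fmt.Printf("server %q runs with --network host; prefer its own namespace plus an egress allowlist\n", name)
	}
	fmt.Println("hardened args:", RenderDockerArgs(false, "/work", "ghcr.io/example/gh-aw:placeholder", "http://egress-proxy:3128"))
}
```

Run against a real mcp-config.json, AuditHostNetwork gives a cheap pre-merge check that a lock-file regeneration like this PR's has not widened a container's network reach; the RenderDockerArgs bridged branch shows the shape of the narrower alternative the Security Guard comment recommends.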

@github-actions github-actions bot mentioned this pull request Feb 6, 2026
3 tasks
Development

Successfully merging this pull request may close these issues.

[cli-tools-test] MCP tools not accessible in daily-cli-tools-tester workflow - blocking exploratory testing

2 participants