[daily regulatory] Regulatory Report - 2026-02-21

[github-actions[bot]]

Regulatory analysis covering 29 daily report discussions created in the last 24 hours (2026-02-20 20:00 UTC → 2026-02-21 20:02 UTC). Overall repository health is good, with strong security posture (100% redaction/permissions coverage), excellent test coverage (2.33x ratio), and healthy PR velocity (86% merge rate). Two critical observability gaps require attention: a gateway.jsonl artifact naming mismatch (100% miss rate on MCP logging) and a data integrity error in today's Secrets Analysis report where the headline total metric (3,475) contradicts the per-secret table values (sum > 5,394).

The Safe Output system is functioning at 88.9% success rate after a resolved push_to_pull_request_branch bug. The 0% discussion answer rate and 4× Auto-Triage duplicate runs are persistent process issues that warrant follow-up.

🚨 Critical Findings

1. [DATA INTEGRITY] Secrets Analysis Feb 21 total metric is wrong — The headline Total secrets.* References: 3,475 contradicts the per-secret table (top-10 alone sum to 5,394). Feb 20 report was internally consistent (claimed 5,259, top-10 = 5,223). Likely a computation bug introduced in today's secrets report generation.

2. [OBSERVABILITY] MCP gateway.jsonl artifact naming violation — All 20 MCP-enabled runs (100%) are missing gateway.jsonl. The file rpc-messages.jsonl is present in 100% of runs, indicating a packaging/naming mismatch rather than missing telemetry. The required artifact contract is not being met.

📋 Full Regulatory Report

📊 Reports Reviewed

#	Report	Discussion	Created	Status
1	Daily Secrets Analysis	#17552	20:01 UTC	⚠️ Data issue
2	Daily Performance Summary	#17550	19:41 UTC	✅ Valid
3	Auto-Triage Report (×4)	#17546 / #17477 / #17411 / #17351	Multiple	⚠️ Duplicate runs
4	Lockfile Statistics Analysis	#17531	16:49 UTC	✅ Valid
5	Daily Team Evolution Insights	#17520	16:04 UTC	✅ Valid
6	Copilot Agent Prompt Clustering	#17485	12:43 UTC	✅ Valid
7	Daily Code Metrics Report	#17451	11:44 UTC	✅ Valid
8	UX Analysis Report	#17445	11:32 UTC	✅ Valid
9	Safe-Outputs Schema Consistency	#17442	10:03 UTC	✅ Valid
10	Documentation Noob Test Report	#17420	08:06 UTC	✅ Valid
11	Observability Coverage Report	#17416	07:49 UTC	🔴 Critical issues
12	Static Analysis Report	#17412	06:31 UTC	✅ Valid
13	Agentic Workflow Audit Report	#17410	05:52 UTC	✅ Valid
14	Copilot PR Prompt Analysis	#17395	04:58 UTC	✅ Valid
15	Safe Output Health Report	#17389	04:24 UTC	⚠️ 2 failures (resolved)
16	Agent Persona Exploration	#17371	01:56 UTC	✅ Valid
17	Daily Firewall Report	#17355	01:03 UTC	✅ Valid
18	Daily Compiler Code Quality	#17333	00:23 UTC	✅ Valid
19	Daily Copilot Agent Analysis	#17281	20:43 UTC (Feb 20)	✅ Valid
20	Daily Secrets Analysis (Feb 20)	#17268	20:04 UTC (Feb 20)	✅ Baseline ref

---

🔍 Data Consistency Analysis

Cross-Report Metrics Comparison

Metric	Source	Value	Scope	Status
Workflow lock files	Lockfile Stats	157	All .lock.yml	✅
Workflow lock files	Secrets Analysis Feb 21	157	All .lock.yml	✅ Match
Workflow lock files	Secrets Analysis Feb 20	153	All .lock.yml	✅ +4 growth
Secrets total references	Secrets Analysis Feb 21	3,475	All .lock.yml	❌ Wrong (top-10 alone = 5,394)
Secrets total references	Secrets Analysis Feb 20	5,259	All .lock.yml	✅ Consistent
Unique secret types	Both secrets reports	24	All .lock.yml	✅ Stable
Redaction coverage	Secrets Analysis Feb 21	157/157 (100%)	All workflows	✅
Permission block coverage	Secrets Analysis Feb 21	157/157 (100%)	All workflows	✅
Firewall runs analyzed	Firewall Report	31	Last 7 days	⚠️ Minor diff
Firewall runs analyzed	Observability Report	32 total, 28 firewall	Last 7 days	⚠️ Minor diff
access.log coverage	Observability Report	71.4% (20/28)	Firewall runs	⚠️ 8 missing
gateway.jsonl coverage	Observability Report	0% (0/20)	MCP runs	🔴 Naming mismatch
Test-to-source ratio	Code Metrics	2.33×	Go source	✅ Excellent
Code quality score	Code Metrics	76/100	Go codebase	✅
PR merge rate	Performance Summary	86% (86/100)	Last 90 days sample	✅
Discussion answer rate	Performance Summary	0% (0/100)	Last 90 days sample	⚠️ Persistent issue
Safe output success rate	Safe Output Health	88.9%	Last 24h	⚠️ 2 failures resolved
Copilot agent success rate	Agent Analysis (Feb 20)	65.6%	Last 24h Feb 20	⚠️ Declined 25%

Consistency Score

• Overall Consistency: 78% (14 of 18 comparable metrics are consistent)
• Critical Discrepancies: 1 (secrets total count bug)
• Minor Discrepancies: 4 (firewall run count diff, MCP naming, discussion answer rate, agent success rate decline)

---

⚠️ Issues and Anomalies

🔴 Critical Issues

1. Secrets Analysis Report: Headline Total Contradicts Per-Secret Table (Feb 21)

• Affected Report: #17552 Daily Secrets Analysis - 2026-02-21
• Metric: total_secrets_references (see glossary)
• Expected: ~5,400+ (sum of 24 individual secret counts)
• Actual (claimed): 3,475
• Evidence: Top-10 secrets alone sum to 1,827+1,781+903+516+190+75+75+15+6+6 = 5,394. The claim of 3,475 is mathematically impossible.
• Feb 20 baseline was correct: 5,259 claimed, top-10 = 5,223 (consistent within ~0.7%)
• Scope Analysis: Same scope (all .lock.yml files) — this is a true data error, not a scope difference
• Severity: High — the headline metric is misleading
• Recommended Action: Investigate the secrets counting script for a regression introduced since Feb 20. May be a deduplication bug or incorrect aggregation.

2. MCP Gateway Artifact Naming Mismatch (Observability)

• Affected Report: #17416 Observability Coverage Report
• Metric: mcp_enabled_workflows with gateway.jsonl coverage
• Expected: 20/20 runs have gateway.jsonl artifact
• Actual: 0/20 runs (0% coverage). rpc-messages.jsonl present in 100% of runs.
• Severity: Critical — violates the artifact contract, breaks observability tooling that expects gateway.jsonl
• Recommended Action: Rename the artifact from rpc-messages.jsonl → gateway.jsonl, or update the observability contract to use rpc-messages.jsonl.

⚠️ Warnings

3. Auto-Triage Running 4× Per Day

• 4 separate Auto-Triage runs today: 00:51, 06:28, 12:24, 18:24 UTC
• Each creates a new discussion, generating noise and potentially conflicting classifications
• Impact: Duplicated discussions, unnecessary workflow cost
• Recommended Action: Review the Auto-Triage trigger configuration — consider limiting to 1–2 runs per day or consolidating into a single daily report

4. Copilot Agent Success Rate Decline

• Feb 19: 87.0% → Feb 20: 65.6% (−25.4 percentage points)
• Average duration increased: 44 min → 79 min (+80%)
• 3 open PRs at time of analysis
• Impact: Reduced throughput; may indicate more complex tasks or environment issues
• Recommended Action: Monitor Feb 21 rate when today's agent analysis publishes

5. Firewall Run Count Minor Discrepancy

• Firewall Report: 31 "firewall-enabled runs" with 22 producing data
• Observability Report: 32 total runs with 28 firewall-enabled
• Same 7-day period (2026-02-14 → 2026-02-21), different counts
• Likely cause: Different query methodologies or run status filters
• Severity: Low — within tolerance, does not indicate data corruption

6. access.log Missing from 8 Firewall Runs

• Observability coverage: 71.4% (20/28 runs)
• Affected workflows: Issue Monster (7 runs), PR Triage Agent (1 run)
• These runs cannot be audited for firewall egress behavior
• Recommended Action: Investigate why these workflows consistently fail to produce access.log artifacts

---

📈 Trend Analysis

Metric	Feb 20	Feb 21	Change
Workflow lock files	153	157	+4 (+2.6%)
Unique secret types	24	24	Stable
Token cascade instances	578	594	+16 (+2.8%)
Redaction coverage	100%	100%	Stable ✅
Agent PR success rate	87.0%	65.6% (Feb 20)	−25.4% ⚠️
Go LOC	~429K est.	433,306	+0.72% daily
Test-to-source ratio	N/A (baseline)	2.33×	Strong ✅

Notable Trends

• Codebase growth: +0.72% daily Go LOC, +4.1% week-over-week — steady, healthy growth
• Security posture stable: 100% redaction and permissions maintained as repository grows
• Test coverage exceptional: 2.33× test-to-source ratio sustained since Feb 17 jump

---

📝 Per-Report Highlights

Daily Secrets Analysis #17552

Quality: ⚠️ Data integrity issue
Top finding: 24 unique secret types, 100% redaction and permissions. Critical bug: headline total (3,475) contradicts per-secret table (5,394+ from top-10 alone). Investigation required.

Daily Performance Summary #17550

Quality: ✅ Valid
86 of 100 PRs merged (86%), avg 1.1h merge time. Issues: 950/1000 closed (95%). Persistent issue: 0% discussion answer rate. Note: these are samples (90-day window capped at 100 items), not full-repository counts.

Observability Coverage #17416

Quality: 🔴 Critical issues
gateway.jsonl 0% coverage (naming mismatch), access.log 71.4% coverage (8 runs missing). Both require remediation.

Safe Output Health #17389

Quality: ⚠️ Issues (resolved)
88.9% success rate. 2 failures from push_to_pull_request_branch bug (invalid branch ref 17284/merge). Resolved in Run #4. Monitoring recommended.

Daily Firewall Report #17355

Quality: ✅ Valid
1,415 requests, 741 allowed (52.4%). 674 blocked — 667 are internal TCP/CONNECT noise. Only 2 real external domains blocked: github.com:443 and proxy.golang.org:443. Both are legitimate dev services that need allowlisting.

Daily Code Metrics #17451

Quality: ✅ Valid
433,306 Go LOC, quality score 76/100 (down 2 from 78). High churn score (3/15) reflects active development rather than instability. Test coverage perfect (30/30).

Lockfile Statistics #17531

Quality: ✅ Valid
157 lock files, ~10.1 MB total. 93% in 50–100 KB range — highly consistent compilation output. Confirms lockfile count across reports.

---

💡 Recommendations

Process Improvements

1. Fix secrets count computation: Audit the secrets-analysis workflow for the regression that caused today's incorrect total (3,475 vs ~5,400 expected). Compare the counting script between the Feb 20 and Feb 21 runs.

2. Standardize MCP artifact name: Align rpc-messages.jsonl → gateway.jsonl (or update the observability contract). This is blocking 100% of MCP observability auditing.

3. Reduce Auto-Triage frequency: 4 runs/day is excessive and creates discussion noise. Consider rate-limiting to 1–2 runs daily or batching by a configurable schedule.

Data Quality Actions

4. Add internal consistency check to secrets report: Before publishing, validate that Total secrets.* References ≥ sum of top-10 entries. Fail the report if not.

5. Investigate Issue Monster firewall logging: 7 consecutive runs missing access.log for this workflow. Likely a structural workflow configuration issue that needs a targeted fix.

6. Monitor agent success rate: Track the Feb 21 daily agent analysis when it publishes. If the 65.6% rate (Feb 20) persists, investigate task complexity trends or environment regressions.

---

📊 Regulatory Metrics

Metric	Value
Reports Reviewed	20 (unique) + 4 Auto-Triage duplicates
Reports Passed	15
Reports with Warnings	4
Reports with Critical Issues	1
Overall Health Score	75%
Cross-Report Consistency	78% (14/18 metrics consistent)
Critical Discrepancies	2
Minor Discrepancies	4

---

References:

• §22263380865 (this run)
• §22263340694 (Secrets Analysis)
• §22262986432 (Performance Summary)

AI generated by Daily Regulatory Report Generator

• expires on Feb 24, 2026, 8:06 PM UTC