
Commit 5ac068e

fix(integrity-filtering-audit): allow Azure Blob Storage, surface DIFC counts in summary, classify rate-limit failures (#4696)
The `integrity-filtering-audit` workflow was blocked from downloading GitHub Actions artifacts (stored on Azure Blob Storage), preventing DIFC event inspection. Additionally, the audit lacked explicit guidance for classifying activation-phase rate-limit failures, and DIFC event counts required artifact downloads to verify.

## Changes

**Network allowlist (`integrity-filtering-audit.md`)**

- Add `*.blob.core.windows.net` to `network.allowed` — enables `gh run download` to fetch artifact ZIPs from Azure Blob Storage, unblocking DIFC event inspection

**DIFC event count surfacing**

- After artifact analysis, emit a per-run labelled/filtered DIFC event count table to `$GITHUB_STEP_SUMMARY`, making future audits verifiable without downloading artifacts:

```bash
for dir in "$ARTIFACT_DIR"/*/; do
  # grep -c prints 0 but exits 1 on zero matches; keep the count without failing a set -e step
  labelled=$(grep -c '"difc_integrity"' "$dir/mcp-logs/rpc-messages.jsonl" || true)
  filtered=$(grep -c '"filtered":true\|DIFC_FILTERED' "$dir/mcp-logs/rpc-messages.jsonl" || true)
  echo "| $(basename "$dir") | $labelled | $filtered |"
done >> "$GITHUB_STEP_SUMMARY"
```

**Activation rate-limit failure classification**

- Explicitly classify `403 API rate limit exceeded for installation` failures in the `activation` job as 🟢 Info — these are infrastructure/quota issues where the agent was never invoked and no MCP traffic was generated (as confirmed by investigation of run §25023060040)
- Add recommendation to stagger cron schedules for workflows that repeatedly hit rate limits

**Lock file**

- Recompiled `integrity-filtering-audit.lock.yml` via `gh aw compile`

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `example.com`
>   - Triggering command: `/tmp/go-build1723333841/b513/launcher.test /tmp/go-build1723333841/b513/launcher.test -test.testlogfile=/tmp/go-build1723333841/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `https://api.github.com/repos/actions/github-script/git/ref/tags/v9`
>   - Triggering command: `/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv` (http block)
> - `https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.71.1`
>   - Triggering command: `/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.71.1 --jq [.object.sha, .object.type] | @tsv` (http block)
> - `invalid-host-that-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build1723333841/b495/config.test /tmp/go-build1723333841/b495/config.test -test.testlogfile=/tmp/go-build1723333841/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `nonexistent.local`
>   - Triggering command: `/tmp/go-build1723333841/b513/launcher.test /tmp/go-build1723333841/b513/launcher.test -test.testlogfile=/tmp/go-build1723333841/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `slow.example.com`
>   - Triggering command: `/tmp/go-build1723333841/b513/launcher.test /tmp/go-build1723333841/b513/launcher.test -test.testlogfile=/tmp/go-build1723333841/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `this-host-does-not-exist-12345.com`
>   - Triggering command: `/tmp/go-build1723333841/b522/mcp.test /tmp/go-build1723333841/b522/mcp.test -test.testlogfile=/tmp/go-build1723333841/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s` (dns block)
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only)
>
> </details>
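The two mechanisms the commit message describes, the per-run DIFC count table written to `$GITHUB_STEP_SUMMARY` and the Info classification of activation-job rate-limit failures, as an added shell example that is not part of this commit or of the `gh-aw-mcpg` workflow. It constructs four artifact directories with `mcp-logs/rpc-messages.jsonl` files under a temp dir (the JSONL line shapes, the `DIFC_FILTERED` notification text, the run names and all function names are assumptions), counts labelled and filtered events with the guard `grep -c` needs under `set -e`, emits the markdown rows with a placeholder for a run that has no log, and triages a failure message by its rate-limit text.

```shell
#!/bin/sh
# Added example, not code from the gh-aw-mcpg repository or its audit workflow.
# Function names, directory layout and the JSONL line shapes are assumptions.
set -eu

# Build constructed per-run artifact directories mirroring `gh run download` output.
make_sample_artifacts() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/run-1/mcp-logs" "$root/run-2/mcp-logs" \
           "$root/run-3/mcp-logs" "$root/run-4"
  # run-1: two labelled calls, one of them filtered (constructed)
  cat > "$root/run-1/mcp-logs/rpc-messages.jsonl" <<'EOF'
{"method":"tools/call","labels":["difc_integrity"],"filtered":false}
{"method":"tools/call","labels":["difc_integrity"],"filtered":true}
{"method":"tools/list"}
EOF
  # run-2: two filtered labelled calls plus a DIFC_FILTERED notification (constructed)
  cat > "$root/run-2/mcp-logs/rpc-messages.jsonl" <<'EOF'
{"method":"tools/call","labels":["difc_integrity"],"filtered":true}
{"method":"tools/call","labels":["difc_integrity"],"filtered":true}
{"method":"notifications/message","data":"DIFC_FILTERED: dropped 1 result"}
EOF
  # run-3: MCP traffic but no DIFC activity (constructed)
  printf '%s\n' '{"method":"tools/list"}' > "$root/run-3/mcp-logs/rpc-messages.jsonl"
  # run-4: artifact without an rpc log at all, as when the agent never ran
  echo "$root"
}

# `grep -c` prints 0 but exits 1 when nothing matches, which would abort a
# `set -e` step; `|| true` keeps the printed count and discards the status.
count_labelled() { grep -c '"difc_integrity"' "$1" || true; }
count_filtered() { grep -Ec '"filtered":true|DIFC_FILTERED' "$1" || true; }

# Emit one markdown table row per run directory, in the shape the workflow
# appends to $GITHUB_STEP_SUMMARY; runs without a log get a placeholder.
difc_summary_table() {
  local dir log
  echo "| Run | DIFC labelled | DIFC filtered |"
  echo "|-----|---------------|---------------|"
  for dir in "$1"/*/; do
    [ -d "$dir" ] || continue
    log="$dir/mcp-logs/rpc-messages.jsonl"
    if [ -f "$log" ]; then
      echo "| $(basename "$dir") | $(count_labelled "$log") | $(count_filtered "$log") |"
    else
      echo "| $(basename "$dir") | n/a | n/a |"
    fi
  done
}

# Triage an activation-job failure message: the installation rate-limit text
# means GitHub refused the token before the agent ran, so there is no MCP
# traffic to audit and the finding is informational rather than a filtering gap.
classify_activation_failure() {
  case "$1" in
    *"API rate limit exceeded for installation"*) echo "Info" ;;
    *) echo "Needs review" ;;
  esac
}

ARTIFACT_DIR=$(make_sample_artifacts)
if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
  difc_summary_table "$ARTIFACT_DIR" >> "$GITHUB_STEP_SUMMARY"
else
  difc_summary_table "$ARTIFACT_DIR"
fi
classify_activation_failure "HTTP 403: API rate limit exceeded for installation"
rm -rf "$ARTIFACT_DIR"
```

Run locally it prints the table and the classification to stdout; inside a job step it appends the table to the summary file instead. The `-E` alternation replaces the GNU-only `\|` so the filter pattern behaves the same on BSD and GNU grep.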
2 parents f02b397 + e82a839 commit 5ac068e

3 files changed

Lines changed: 108 additions & 80 deletions


.github/aw/actions-lock.json

Lines changed: 0 additions & 10 deletions
@@ -180,16 +180,6 @@
180180
"version": "v4.35.2",
181181
"sha": "95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
182182
},
183-
"github/gh-aw-actions/setup-cli@v0.71.0": {
184-
"repo": "github/gh-aw-actions/setup-cli",
185-
"version": "v0.71.0",
186-
"sha": "49157453228f9641824955e35cbeccbca74ee0fd"
187-
},
188-
"github/gh-aw-actions/setup@v0.71.0": {
189-
"repo": "github/gh-aw-actions/setup",
190-
"version": "v0.71.0",
191-
"sha": "49157453228f9641824955e35cbeccbca74ee0fd"
192-
},
193183
"github/gh-aw/actions/setup@v0.71.0": {
194184
"repo": "github/gh-aw/actions/setup",
195185
"version": "v0.71.0",
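Review bot: the commit message's "Lock file" section says only that `integrity-filtering-audit.lock.yml` was recompiled, but this hunk also drops two pinned entries from `.github/aw/actions-lock.json`, `github/gh-aw-actions/setup-cli@v0.71.0` and `github/gh-aw-actions/setup@v0.71.0` (both at sha `49157453228f9641824955e35cbeccbca74ee0fd`), while keeping `github/gh-aw/actions/setup@v0.71.0`. State in the message why these pins are no longer needed, and confirm no other compiled `.lock.yml` still references them, since an action without a lock entry is re-resolved from its tag on the next compile instead of using the recorded sha. The firewall warning above also shows that the lookup of `github/gh-aw-actions/git/ref/tags/v0.71.1` was blocked during this run, so check that the removal is an intended prune rather than a pin refresh that could not complete.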

0 commit comments
