fix(scouts): add web_search/web_fetch fallback when MCPs auth-fail

[theagenticguy]

Summary

• Add Kiro's native web_search and web_fetch to the tool whitelist for both scout agents (project-watcher, probe-topic), so they have an always-available fallback when Brave/Exa/Tavily MCP providers return auth or rate-limit errors.
• Update steering prompts to instruct the agents to prefer MCP providers for structured/source-diverse results but fall back to native tools on provider failure — rather than synthesizing from training knowledge or bootstrapping from prior runs.

Motivation

On 2026-04-22 the full six-scout fleet (agent-sdks, ai-eval, ai-security, computer-use, hn-frontpage, inference-infra) completed with status: complete, error: null, and reposAdded: 0 across the board. Root cause was that BRAVE_API_KEY / EXA_API_KEY / TAVILY_API_KEY were unavailable in the cron environment, so every MCP search server received an empty ${VAR} and returned 401 / 422 / "Invalid API key".

Because the scout agents' tool whitelist contained only ["read","write","@brave-search","@tavily","@exa"], they had no fallback tool to reach for. Five scouts silently degraded to prior-run carry-forward or training knowledge; one (inference-infra) returned empty discoveries: []. None surfaced the failure — every scout reported completion with zero errors.

The env-var problem itself is fixed outside this repo (moved exports to ~/.zshenv + SHELL=/bin/zsh in crontab). This PR fixes the fragility that let the failure go silent: giving the scouts access to native web tools means the next time any MCP provider flakes, they can still produce useful output.

Changes

• src/data/project-watcher.json: add web_search, web_fetch to tools
• src/data/probe-topic.json: add web_search, web_fetch to both tools and allowedTools
• src/data/watcher-context.md: add "Fallback — Kiro native web_search / web_fetch" note in the Research Strategy section
• src/data/probe-topic.md: mention native fallback inline in the search step

Newly-initialized scouts will pick these up automatically via ralph scout init --from-example. Existing scout trees under scouts/<name>/.kiro/agents/*.json are user data (gitignored) and can be refreshed by re-running init or by patching in place.

Test plan

• mise exec -- bun run typecheck passes
• mise exec -- bun run lint passes (biome auto-formatted the expanded arrays)
• mise exec -- bun test — 101 tests pass, 0 fail
• Manual: re-run a scout with one of the MCP keys intentionally broken, verify it falls back to web_search and still produces a non-empty discovery.json

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This PR strengthens the scout agents’ ability to complete discovery runs when MCP search providers (Brave/Exa/Tavily) fail authentication or hit rate limits, by whitelisting Kiro’s native web tools and documenting fallback behavior in steering prompts.

Changes:

• Add web_search / web_fetch to the configured tool lists for project-watcher and probe-topic.
• Expand probe-topic’s allowedTools to permit web_search / web_fetch.
• Update steering docs to instruct scouts to prefer MCP providers but fall back to native web tools on provider failures.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/data/watcher-context.md	Documents a fallback strategy to native web_search/web_fetch when MCP providers auth/rate-limit fail.
src/data/project-watcher.json	Adds native web tools to the agent tool list to enable fallback behavior.
src/data/probe-topic.md	Updates probe instructions to use native web tools as a fallback on MCP provider failures.
src/data/probe-topic.json	Adds native web tools to both tools and allowedTools for the probe subagent.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.