Copilot AI commented Dec 28, 2025

The included_file_schema.json was missing the firewall property in network configuration, preventing included files from configuring AWF (Agent Workflow Firewall) rules while main workflows could.

Changes

  • Schema Update: Added firewall property to network.oneOf[1].properties in pkg/parser/schemas/included_file_schema.json

    • Supports null (default AWF settings), boolean (enable/disable), string ("disable"), and object (custom args/version/log-level)
    • Matches main workflow schema structure exactly
    • Marked deprecated per existing pattern (use sandbox.agent: false instead)
  • Binary Rebuild: Schemas are embedded via //go:embed, requiring make build for changes to take effect

Example

Included files can now configure firewall rules:

---
network:
  allowed:
    - "api.github.com"
  firewall:
    version: "v1.0.0"
    log-level: "debug"
---

This enables defense-in-depth architecture where modular workflow components can specify their own network security policies.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE 0.1-go1.25.0.linGOMODCACHE GOINSECURE GOMOD GOMODCACHE ; \ fi env -json GO111MODULE ux-amd64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ux-amd64/pkg/tooversion (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login -test.paniconexit0 4470383/b374/_testmain.go (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login up-uv.git nk /usr/bin/git -export -f l/linux_amd64/li/tmp/validate-js-2653740916.cjs git -C e-github-app-token.git rev-parse /usr/bin/git -json GO111MODULE 0.1-go1.25.0.lin"mcp-server-playwright" --help git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Add network firewall configuration to included_file_schema.json</issue_title>
<issue_description>## Objective

Add the firewall property to the network configuration in included files to restore security feature parity with main workflows.

Context

Priority: HIGH
Category: Security / Feature Parity

Currently:

  • Main Schema: network field has properties allowed and firewall
  • Included Schema: network field has property allowed only

This prevents included files from configuring advanced network security rules, limiting defense-in-depth architecture for modular workflows.

Approach

  1. Open pkg/parser/schemas/included_file_schema.json
  2. Locate the network field definition (should be in oneOf structure)
  3. Find the object form (oneOf[1]) that has allowed property
  4. Add firewall property alongside allowed with same schema as main_workflow_schema.json
  5. Copy the firewall property definition from main schema (should include patterns, rules, etc.)
  6. Rebuild binary with make build
  7. Test with included file using firewall configuration

Files to Modify

  • Update: pkg/parser/schemas/included_file_schema.json
    • Add firewall property to network.oneOf[1].properties
    • Match firewall schema structure from main_workflow_schema.json

Acceptance Criteria

  • Included schema network field supports firewall property
  • Firewall schema structure matches main workflow schema
  • Test workflows with firewall rules compile successfully
  • Network security features work identically in included files

Testing

Create test included file:

---
network:
  allowed:
    - "api.github.com"
  firewall:
    rules:
      - pattern: "*.example.com"
        action: block
---

Verify compilation and validation.


AI generated by Planning Assistant
Related to #7944

AI generated by Plan Command for discussion #7935

Comments on the Issue (you are @copilot in this section)
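A drift check for the gap described above, as an added example that is not code from the pull request or its repository: it compares the property names under `network.oneOf[1].properties` in two schemas and reports what the included-file schema lacks. The inline schemas are constructed, trimmed stand-ins, the top-level `properties` wrapper is an assumption, and `networkProps` and `MissingFromIncluded` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed stand-ins for the two schema files, not their real contents.
// Assumption: "network" sits under a top-level "properties" key.
const mainSchema = `{"properties":{"network":{"oneOf":[{"type":"string"},
 {"type":"object","properties":{"allowed":{"type":"array"},"firewall":{"deprecated":true}}}]}}}`
const includedSchema = `{"properties":{"network":{"oneOf":[{"type":"string"},
 {"type":"object","properties":{"allowed":{"type":"array"}}}]}}}`

// networkProps returns the property definitions under network.oneOf[1].properties.
// encoding/json matches keys to field names case-insensitively, so no tags are needed.
func networkProps(schema string) (map[string]json.RawMessage, error) {
	var doc struct {
		Properties struct {
			Network struct{ OneOf []struct{ Properties map[string]json.RawMessage } }
		}
	}
	if err := json.Unmarshal([]byte(schema), &doc); err != nil {
		return nil, err
	}
	if n := len(doc.Properties.Network.OneOf); n < 2 {
		return nil, fmt.Errorf("network.oneOf has %d branches, need object form at index 1", n)
	}
	return doc.Properties.Network.OneOf[1].Properties, nil
}

// MissingFromIncluded lists network properties the main schema accepts but the included one lacks.
func MissingFromIncluded(mainJSON, includedJSON string) ([]string, error) {
	mainProps, err := networkProps(mainJSON)
	if err != nil {
		return nil, fmt.Errorf("main schema: %w", err)
	}
	incProps, err := networkProps(includedJSON)
	if err != nil {
		return nil, fmt.Errorf("included schema: %w", err)
	}
	var missing []string
	for name := range mainProps {
		if _, ok := incProps[name]; !ok {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	fmt.Println(MissingFromIncluded(mainSchema, includedSchema))
}
```

Run against the real schema files in CI, a non-empty result would flag a security-relevant property that modular workflow components cannot set.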



Copilot AI self-assigned this Dec 28, 2025
Copilot AI changed the title from "[WIP] Add network firewall configuration to included file schema" to "Add firewall property to included file schema for network configuration parity" Dec 28, 2025
Copilot AI requested a review from mnkiefer December 28, 2025 09:15
@pelikhan pelikhan marked this pull request as ready for review December 28, 2025 15:59
@pelikhan pelikhan merged commit 3f8c930 into main Dec 28, 2025
132 checks passed
@pelikhan pelikhan deleted the copilot/add-firewall-property-included-schema branch December 28, 2025 16:07
Development

Successfully merging this pull request may close these issues.

[plan] Add network firewall configuration to included_file_schema.json
