Support protocol-specific domain filtering (http/https)

.github/workflows/smoke-codex-firewall.md

@@ -18,6 +18,7 @@ network:
   allowed:
     - defaults
     - github
+    - "https://api.github.com"  # Test HTTPS-only protocol filtering
 safe-outputs:
     add-comment:
       hide-older-comments: true
@@ -51,6 +52,7 @@ This workflow validates that the Codex engine works correctly with AWF (Applicat
 3. **File Writing Testing**: Create a test file `/tmp/gh-aw/agent/smoke-test-codex-firewall-${{ github.run_id }}.txt` with content "Firewall smoke test passed for Codex at $(date)"
 4. **Bash Tool Testing**: Execute bash commands to verify file creation was successful (use `cat` to read the file back)
 5. **Blocked Domain Testing**: Attempt to access a domain NOT in the allowed list (e.g., example.com) using curl - this should fail or be blocked
+6. **Protocol Filtering Testing**: Verify that the AWF command includes the protocol-specific domain `https://api.github.com` in the --allow-domains flag. Check logs to confirm HTTPS prefix is preserved
 
 ## Output
 

.github/workflows/smoke-copilot.md

@@ -18,6 +18,8 @@ network:
     - defaults
     - node
     - github
+    - "https://api.github.com"  # Test HTTPS-only protocol filtering
+    - "http://httpbin.org"       # Test HTTP-only protocol filtering
 sandbox:
   agent: awf  # Firewall enabled
 tools:
@@ -55,7 +57,8 @@ strict: true
 4. **GitHub MCP Default Toolset Testing**: Verify that the `get_me` tool is NOT available with default toolsets. Try to use it and confirm it fails with a tool not found error.
 5. **Cache Memory Testing**: Write a test file to `/tmp/gh-aw/cache-memory/smoke-test-${{ github.run_id }}.txt` with content "Cache memory test for run ${{ github.run_id }}" and verify it was created successfully
 6. **Web Fetch Testing**: Use the web_fetch tool to fetch content from https://api.github.com/repos/githubnext/gh-aw (verify the tool is available and returns valid JSON)
-7. **Available Tools Display**: List all available tools that you have access to in this workflow execution.
+7. **Protocol Filtering Testing**: Verify that the AWF command includes protocol-specific domains in the --allow-domains flag. Check `/tmp/gh-aw/agent-stdio.log` for entries like `https://api.github.com` and `http://httpbin.org` to confirm protocol prefixes are preserved
+8. **Available Tools Display**: List all available tools that you have access to in this workflow execution.
 
 ## Output
 

docs/src/content/docs/guides/network-configuration.md

@@ -79,6 +79,31 @@ network:
     - "*.cdn.example.com"  # Wildcard for subdomains
 ```
 
+## Protocol-Specific Filtering
+
+Restrict domains to specific protocols for enhanced security (Copilot engine with AWF firewall):
+
+```yaml
+engine: copilot
+network:
+  allowed:
+    - defaults
+    - "https://secure.api.example.com"   # HTTPS-only
+    - "http://legacy.internal.com"       # HTTP-only (legacy systems)
+    - "example.org"                      # Both protocols (default)
+sandbox:
+  agent: awf  # Firewall enabled
+```
+
+**Use Cases:**
+- **HTTPS-only**: External APIs, production services
+- **HTTP-only**: Legacy internal systems, development endpoints
+- **Mixed**: Gradual HTTP → HTTPS migration
+
+**Validation:** Invalid protocols (e.g., `ftp://`) are rejected at compile time.
+
+See [Network Permissions - Protocol-Specific Filtering](/gh-aw/reference/network/#protocol-specific-domain-filtering) for complete details.
+
 ## Security Best Practices
 
 1. **Start minimal** - Only add ecosystems you actually use