Description
The allow-urls network configuration option requires ssl-bump: true to function, but this dependency is not enforced by validation. The schema documents this requirement in the description field but doesn't validate it at compile time.
Current behavior:
- Users can specify allow-urls without ssl-bump
- No validation error is raised
- Configuration may silently fail or behave unexpectedly
Expected behavior:
- Validation error if allow-urls is specified without ssl-bump: true
- Clear error message explaining the dependency
Suggested Changes
Add validation in pkg/workflow/firewall.go or pkg/workflow/frontmatter_extraction_security.go:
// Validate allow-urls requires ssl-bump
if len(networkConfig.AllowURLs) > 0 && !networkConfig.SSLBump {
	return fmt.Errorf("network.allow-urls requires network.ssl-bump: true to function")
}
Files Affected
- pkg/workflow/firewall.go (network configuration processing)
- pkg/workflow/frontmatter_extraction_security.go (network validation)
- Schema: pkg/parser/schemas/main_workflow_schema.json:2180 (already documents requirement)
Success Criteria
- Validation error raised when allow-urls is specified without ssl-bump: true
- Error message is clear and actionable
- Existing tests pass
- Add test case for this validation
Source
Extracted from Schema Consistency Checker discussion #14471
Finding excerpt:
"URL patterns to allow for HTTPS traffic (requires ssl-bump: true) but there's no validation enforcing this dependency... Users could specify allow-urls without ssl-bump, leading to silent failure or confusion."
Priority
High - Prevents user confusion and silent failures. Aligns with release mode focus on quality and stability.
AI generated by Discussion Task Miner - Code Quality Improvement Agent
- expires on Feb 9, 2026, 9:06 AM UTC
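
The check from Suggested Changes, run against the cases the Success Criteria call for, as an added example that is not part of the issue or the project's code. The field names AllowURLs and SSLBump come from the issue's snippet; the NetworkConfig type, validateAllowURLs, ErrAllowURLsNeedsSSLBump and the sample URL pattern are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NetworkConfig is a hypothetical stand-in for the parsed network settings;
// only the two fields used in the issue's snippet are modelled.
type NetworkConfig struct {
	AllowURLs []string // network.allow-urls
	SSLBump   bool     // network.ssl-bump; omitted in frontmatter means false
}

// ErrAllowURLsNeedsSSLBump is a sentinel (assumed name) so callers and tests
// can match the failure with errors.Is instead of comparing strings.
var ErrAllowURLsNeedsSSLBump = errors.New(
	"network.allow-urls requires network.ssl-bump: true to function")

// validateAllowURLs (assumed name) returns an error when URL patterns are
// configured while ssl-bump is off, and names the patterns and the fix.
func validateAllowURLs(cfg *NetworkConfig) error {
	if cfg == nil || len(cfg.AllowURLs) == 0 || cfg.SSLBump {
		return nil
	}
	return fmt.Errorf("%w; found %d pattern(s) [%s]: set ssl-bump: true or remove allow-urls",
		ErrAllowURLsNeedsSSLBump, len(cfg.AllowURLs), strings.Join(cfg.AllowURLs, ", "))
}

func main() {
	// Constructed sample configurations covering each branch of the check.
	cases := []struct {
		name string
		cfg  *NetworkConfig
	}{
		{"allow-urls without ssl-bump", &NetworkConfig{AllowURLs: []string{"https://example.com/api/*"}}},
		{"allow-urls with ssl-bump", &NetworkConfig{AllowURLs: []string{"https://example.com/api/*"}, SSLBump: true}},
		{"ssl-bump only", &NetworkConfig{SSLBump: true}},
		{"empty allow-urls list", &NetworkConfig{AllowURLs: []string{}}},
		{"no network section", nil},
	}
	for _, c := range cases {
		fmt.Printf("%-28s -> %v\n", c.name, validateAllowURLs(c.cfg))
	}
}
```

Only the first case returns an error; wrapping the sentinel with %w keeps the issue's message text intact while letting a test assert on the error with errors.Is.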