[task] Add dedicated Network Permissions section to frontmatter documentation #3594

@github-actions

Objective

Add a comprehensive "Network Permissions" section to the main frontmatter reference documentation to improve discoverability and clarify the purpose of workflow-level network configuration.

Context

The schema consistency check (discussion #3589) found that while network permissions are documented in the engine-specific documentation (engines.md), there's no dedicated section in the main frontmatter reference. This creates:

  • Discoverability issues: users may not find the network permissions feature
  • Inconsistent documentation structure compared to other frontmatter fields
  • Confusion about whether network is engine-specific or workflow-level

Current State:

  • Network configuration IS documented in docs/src/content/docs/reference/engines.md:73-100
  • Missing from docs/src/content/docs/reference/frontmatter.md as a dedicated section
  • Listed only briefly in the frontmatter elements overview

Approach

  1. Add a new ### Network Permissions section to frontmatter.md after the engine section
  2. Explain the purpose: workflow-level network access control for AI engines
  3. Show basic examples using ecosystem identifiers (python, node, containers, etc.)
  4. Clarify relationship to MCP network configuration (different purpose, complementary security boundaries)
  5. Link to engines.md for engine-specific details like AWF firewall for Copilot
  6. Include a comparison table showing engine network vs MCP network differences

Files to Modify

  • docs/src/content/docs/reference/frontmatter.md - Add Network Permissions section

Content to Include

The new section should cover:

  1. Purpose: Control what domains AI engines can access via web-fetch and web-search tools
  2. Basic syntax: String format ("defaults") and object format with allowed array
  3. Ecosystem identifiers: Show examples using python, node, containers, etc.
  4. Security model: Explain deny-by-default when custom permissions are specified
  5. Relationship to MCP: Clarify that engine network and MCP network are different security boundaries
  6. Cross-reference: Link to engines.md for engine-specific features (AWF firewall)

Example Structure

### Network Permissions

Control network access for AI engines' web-fetch and web-search tools.

**Basic Usage:**
[Show examples with ecosystem identifiers]

**Engine vs MCP Network:**
[Clarify the two different network configurations]

**Advanced Features:**
See [Engine-Specific Features](./engines.md#network-permissions) for AWF firewall and other engine-specific options.

Acceptance Criteria

  • New "Network Permissions" section added to frontmatter.md
  • Section explains purpose clearly for users unfamiliar with the feature
  • Basic examples demonstrate ecosystem identifiers usage
  • Distinction between engine network and MCP network is clear
  • Cross-reference links to engines.md for advanced features
  • Documentation follows Diátaxis framework (reference style)

Related Documentation

AI generated by Plan Command for discussion #3589
