
Copilot AI commented Feb 8, 2026

The allow-urls network configuration depends on ssl-bump: true for HTTPS content inspection, but this was only documented in the schema description without compile-time enforcement. Users could specify allow-urls without ssl-bump, leading to silent failures.

Changes

  • New validation: pkg/workflow/network_firewall_validation.go

    • Validates allow-urls requires ssl-bump: true
    • Returns structured error with configuration example and docs link
  • Compiler integration: Added validation call in validateWorkflowData() after network domain validation

  • Documentation constant: Added DocsNetworkURL to pkg/constants/constants.go for error messages

  • Test coverage: 13 test cases covering valid/invalid configurations and edge cases

Error Message

✗ error: Validation failed for field 'network.firewall.allow-urls'

Reason: allow-urls requires ssl-bump: true to function. 
        SSL Bump enables HTTPS content inspection for URL path filtering

Suggestion: Enable SSL Bump in your firewall configuration:

network:
  firewall:
    ssl-bump: true
    allow-urls:
      - "https://github.com/githubnext/*"

See: https://github.com/github/gh-aw/.../network.md

The validation runs regardless of firewall.enabled state to catch misconfiguration early.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Code Quality] Add validation: allow-urls requires ssl-bump: true</issue_title>
<issue_description>### Description

The allow-urls network configuration option requires ssl-bump: true to function, but this dependency is not enforced by validation. The schema documents this requirement in the description field but doesn't validate it at compile time.

Current behavior:

  • Users can specify allow-urls without ssl-bump
  • No validation error is raised
  • Configuration may silently fail or behave unexpectedly

Expected behavior:

  • Validation error if allow-urls is specified without ssl-bump: true
  • Clear error message explaining the dependency

Suggested Changes

Add validation in pkg/workflow/firewall.go or pkg/workflow/frontmatter_extraction_security.go:

// Validate allow-urls requires ssl-bump
if len(networkConfig.AllowURLs) > 0 && !networkConfig.SSLBump {
    return fmt.Errorf("network.allow-urls requires network.ssl-bump: true to function")
}

Files Affected

  • pkg/workflow/firewall.go (network configuration processing)
  • pkg/workflow/frontmatter_extraction_security.go (network validation)
  • Schema: pkg/parser/schemas/main_workflow_schema.json:2180 (already documents requirement)

Success Criteria

  • Validation error raised when allow-urls is specified without ssl-bump: true
  • Error message is clear and actionable
  • Existing tests pass
  • Add test case for this validation

Source

Extracted from Schema Consistency Checker discussion github/gh-aw#14471

Finding excerpt:

"URL patterns to allow for HTTPS traffic (requires ssl-bump: true) but there's no validation enforcing this dependency... Users could specify allow-urls without ssl-bump, leading to silent failure or confusion."

Priority

High - Prevents user confusion and silent failures. Aligns with release mode focus on quality and stability.

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 9, 2026, 9:06 AM UTC

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits February 8, 2026 09:51
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add validation for allow-urls requiring ssl-bump true" to "Add validation: allow-urls requires ssl-bump: true" Feb 8, 2026
Copilot AI requested a review from pelikhan February 8, 2026 09:59
pelikhan marked this pull request as ready for review February 8, 2026 12:48
Copilot AI review requested due to automatic review settings February 8, 2026 12:48
pelikhan merged commit 76c51ab into main Feb 8, 2026
1 check passed
pelikhan deleted the copilot/add-validation-allow-urls branch February 8, 2026 12:48
Copilot AI left a comment


Pull request overview

Adds compile-time validation to prevent misconfigured network firewall settings where network.firewall.allow-urls is set without enabling network.firewall.ssl-bump, aligning runtime behavior with the documented schema constraint.

Changes:

  • Introduces validateNetworkFirewallConfig to enforce allow-urls requires ssl-bump: true with a structured validation error.
  • Integrates the new validator into Compiler.validateWorkflowData.
  • Adds a docs URL constant and accompanying unit tests; includes a small docs table correction.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/workflow/network_firewall_validation.go | New validator enforcing allow-urls requires ssl-bump: true, returning a WorkflowValidationError. |
| pkg/workflow/compiler.go | Wires the new network firewall validation into the compiler validation flow. |
| pkg/constants/constants.go | Adds DocsNetworkURL for consistent documentation links in validation errors. |
| pkg/workflow/network_firewall_validation_test.go | Adds test coverage for valid/invalid allow-urls/ssl-bump combinations and edge cases. |
| docs/src/content/docs/agent-factory-status.mdx | Updates the “Smoke Project” engine label in the status table. |


Comment on lines +36 to +41
return NewValidationError(
"network.firewall.allow-urls",
"requires ssl-bump: true",
"allow-urls requires ssl-bump: true to function. SSL Bump enables HTTPS content inspection, which is necessary for URL path filtering",
"Enable SSL Bump in your firewall configuration:\n\nnetwork:\n firewall:\n ssl-bump: true\n allow-urls:\n - \"https://github.com/githubnext/*\"\n\nSee: "+string(constants.DocsNetworkURL),
)
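
Review bot: The suggestion argument packs a multi-line YAML example into one escaped string ("Enable SSL Bump in your firewall configuration:\n\nnetwork:\n firewall:..."), so the indentation a user will copy from the error cannot be checked by eye in review. Move the example into a raw string literal or a named constant and append string(constants.DocsNetworkURL) to it, so the YAML reads in the source exactly as it will print.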
Copilot AI Feb 8, 2026

NewValidationError(field, value, reason, suggestion) is being called with the requirement text as the value argument. This causes the rendered error to show Value: requires ssl-bump: true instead of the actual invalid configuration (e.g., ssl-bump: false and/or the provided allow-urls). Swap/populate the value parameter with the offending config and keep the requirement in reason so the error output is accurate and consistent with other validators.
Comment on lines +154 to +158
func TestValidateNetworkFirewallConfig_Integration(t *testing.T) {
t.Run("compiler rejects workflow with allow-urls but no ssl-bump", func(t *testing.T) {
compiler := NewCompiler()
compiler.SetStrictMode(false) // Test in non-strict mode
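
Review bot: The subtest pins compiler.SetStrictMode(false) and so covers non-strict mode only. If the allow-urls/ssl-bump rule is meant to hold in both modes, run the same case over strict and non-strict in a table, so a later change that gates the check on strict mode fails a test.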

Copilot AI Feb 8, 2026

This test is labeled as a compiler “integration” check, but it never exercises Compiler.validateWorkflowData/CompileWorkflowData; it calls validateNetworkFirewallConfig directly (and the compiler instance/strict-mode setting don’t affect the validation). Either rename the test to reflect that it’s a unit test for validateNetworkFirewallConfig, or restructure it to assert that compilation/validation fails via the compiler entrypoint to actually test the wiring in compiler.go.

Copilot uses AI. Check for mistakes.
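
The cross-field check this pull request describes, with the error's value carrying the offending configuration as the first review comment asks, shown as an added Go example that is not gh-aw's own code. FirewallConfig, FieldError and ValidateFirewall are hypothetical names, and the sample configuration is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// FirewallConfig is a hypothetical stand-in for the parsed network.firewall
// block; it is not gh-aw's own type.
type FirewallConfig struct {
	Enabled   bool
	SSLBump   bool
	AllowURLs []string
}

// FieldError is a hypothetical structured validation error.
type FieldError struct{ Field, Value, Reason, Suggestion string }

func (e *FieldError) Error() string {
	return fmt.Sprintf("validation failed for field '%s'\nValue: %s\nReason: %s\nSuggestion: %s",
		e.Field, e.Value, e.Reason, e.Suggestion)
}

// ValidateFirewall enforces "allow-urls requires ssl-bump: true". It does not
// look at Enabled, so a disabled firewall with an inconsistent config is
// still reported at compile time.
func ValidateFirewall(fw *FirewallConfig) error {
	if fw == nil || len(fw.AllowURLs) == 0 || fw.SSLBump {
		return nil
	}
	return &FieldError{
		Field: "network.firewall.allow-urls",
		// Value reports the offending configuration, not the requirement.
		Value: fmt.Sprintf("ssl-bump: false, allow-urls: [%s]",
			strings.Join(fw.AllowURLs, ", ")),
		Reason:     "allow-urls requires ssl-bump: true; SSL Bump enables the HTTPS content inspection that URL path filtering needs",
		Suggestion: "set network.firewall.ssl-bump: true, or remove allow-urls",
	}
}

func main() {
	// Constructed sample: allow-urls present, ssl-bump left at its zero value.
	bad := &FirewallConfig{AllowURLs: []string{"https://github.com/githubnext/*"}}
	if err := ValidateFirewall(bad); err != nil {
		fmt.Println(err)
	}
}
```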
Development

Successfully merging this pull request may close these issues.

[Code Quality] Add validation: allow-urls requires ssl-bump: true