Allow ecosystem and custom domains in strict mode network configuration #16732

Merged
pelikhan merged 3 commits into main from
copilot/allow-custom-domains-strict-mode
Feb 19, 2026

Copilot AI commented Feb 19, 2026

Strict mode now allows both ecosystem domains and custom domains in network.allowed, with warnings for ecosystem domains suggesting the use of ecosystem identifiers for better maintainability.

Changes

Validation logic (pkg/workflow/strict_mode_validation.go)

  • Modified validateStrictFirewall to allow all domains (ecosystem and custom) in strict mode
  • Emit warnings (instead of errors) for ecosystem domains, suggesting ecosystem identifiers
  • Warning format: 'pypi.org' → 'python' for better readability
  • Increment warning count to track suggestions
  • Allow truly custom domains without warnings (e.g., api.example.com, cdn.myservice.io)

Tests (pkg/workflow/strict_mode_llm_gateway_test.go)

  • Updated 9 tests to expect warnings instead of errors for ecosystem domains
  • Tests verify warning count increases for ecosystem domains
  • Tests verify no warnings for ecosystem identifiers and custom domains
  • Added TestValidateStrictFirewall_CustomDomainBehavior covering custom domain scenarios

Documentation (docs/src/content/docs/reference/network.md)

  • Changed from "Ecosystem Identifier Requirement" to "Ecosystem Identifier Recommendation"
  • Updated examples to show warnings (⚠) instead of errors (❌)
  • Clarified that workflows compile successfully with warnings

Example

# ✅ Allowed in strict mode (no warnings)
strict: true
network:
  allowed:
    - python                  # Ecosystem identifier
    - "api.example.com"       # Custom domain

# ⚠ Allowed in strict mode with warning
strict: true
network:
  allowed:
    - "pypi.org"              # Warning: suggest using 'python' ecosystem identifier

Warning message:

⚠ strict mode: recommend using ecosystem identifiers instead of individual domain names for better maintainability: 'pypi.org' → 'python'
✓ Compiled 1 workflow(s): 0 error(s), 1 warning(s)

Behavior Change

Before: Ecosystem domains were rejected with an error, preventing compilation.

After: Ecosystem domains are allowed and workflows compile successfully, but a warning is emitted suggesting the use of ecosystem identifiers for better maintainability.

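The before/after behaviour described above, sketched in Go as an added example (this is not the project's `validateStrictFirewall` code). The names `CheckStrictAllowed` and `Result`, the two-entry lookup tables, the error text and the lowercase normalisation are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample data: only these two domain-to-identifier pairs appear
// in the PR text; the project's real ecosystem tables are not shown there.
var ecosystemOf = map[string]string{"pypi.org": "python", "npmjs.org": "node"}
var identifiers = map[string]bool{"python": true, "node": true}

// Result is a hypothetical return type for this sketch.
type Result struct {
	Warnings []string // one message listing every ecosystem-domain suggestion
	Err      error    // set only when modelling the pre-PR behaviour
}

// CheckStrictAllowed classifies network.allowed entries under strict mode.
// rejectEcosystemDomains=true models the behaviour before the PR (error),
// false models the behaviour after it (warning, compilation continues).
func CheckStrictAllowed(allowed []string, rejectEcosystemDomains bool) Result {
	var suggestions []string
	for _, entry := range allowed {
		e := strings.ToLower(strings.TrimSpace(entry)) // normalisation is an assumption
		if identifiers[e] {
			continue // ecosystem identifier: allowed, no warning
		}
		if eco, ok := ecosystemOf[e]; ok {
			suggestions = append(suggestions, fmt.Sprintf("'%s' → '%s'", e, eco))
		}
		// Anything else is a custom domain: allowed, no warning.
	}
	if len(suggestions) == 0 {
		return Result{}
	}
	list := strings.Join(suggestions, ", ")
	if rejectEcosystemDomains {
		// Constructed error text; the original error wording is not on the page.
		return Result{Err: fmt.Errorf("strict mode: ecosystem domains rejected: %s", list)}
	}
	return Result{Warnings: []string{"strict mode: recommend using ecosystem identifiers " +
		"instead of individual domain names for better maintainability: " + list}}
}

func main() {
	r := CheckStrictAllowed([]string{"python", "api.example.com", "pypi.org"}, false)
	fmt.Println(len(r.Warnings), r.Warnings)
}
```

When reviewing an allowlist with this kind of check, the entries that produce no output at all are the custom domains, so those are the ones that still need a human decision.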

Modified strict mode validation to allow truly custom domains (domains not part of known ecosystems) while still enforcing ecosystem identifiers for domains that belong to known ecosystems.

Changes:
- Updated validateStrictFirewall to distinguish between ecosystem domains and custom domains
- Only reject domains that belong to known ecosystems but are not specified as identifiers
- Allow truly custom domains (e.g., api.example.com) in strict mode
- Updated error messages to clarify that custom domains are allowed
- Updated tests to reflect new behavior
- Updated documentation to match implementation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for custom domains in network.allowed configuration" to "Allow custom domains in strict mode network configuration" on Feb 19, 2026
Copilot AI requested a review from pelikhan February 19, 2026 02:54
@pelikhan

@copilot allow domain from known sets but suggest sets instead

Per feedback, changed strict mode behavior:
- BEFORE: Reject ecosystem domains (e.g., pypi.org) with error
- AFTER: Allow ecosystem domains with warning suggesting ecosystem identifiers

Changes:
- Modified validateStrictFirewall to emit warnings instead of errors for ecosystem domains
- Warnings suggest using ecosystem identifiers (e.g., 'pypi.org' → 'python')
- Updated all tests to expect warnings instead of errors
- Updated documentation to reflect new warning-based approach

Truly custom domains remain allowed without warnings.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 19, 2026

> @copilot allow domain from known sets but suggest sets instead

Done! Changed strict mode to allow ecosystem domains (like pypi.org) while emitting a warning suggesting to use ecosystem identifiers instead (like python).

Example warning output:

⚠ strict mode: recommend using ecosystem identifiers instead of individual domain names for better maintainability: 'pypi.org' → 'python', 'npmjs.org' → 'node'

Workflows now compile successfully with warnings instead of failing with errors. Commit: c85d988

Copilot AI changed the title from "Allow custom domains in strict mode network configuration" to "Allow ecosystem and custom domains in strict mode network configuration" on Feb 19, 2026
@pelikhan pelikhan marked this pull request as ready for review February 19, 2026 03:41
Copilot AI review requested due to automatic review settings February 19, 2026 03:41

Copilot AI left a comment

Pull request overview

This PR changes strict mode network validation from rejecting ecosystem domains with errors to allowing them with warnings, while continuing to allow truly custom domains. The goal is to improve usability by making strict mode less restrictive while still encouraging best practices through warnings.

Changes:

  • Modified validation logic to emit warnings instead of errors for ecosystem domains like pypi.org, suggesting ecosystem identifiers like python
  • Updated 9 existing tests and added new comprehensive test suite covering custom domain behavior
  • Updated reference documentation to reflect the new "recommendation" model rather than "requirement" model

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/strict_mode_validation.go | Changed validateStrictFirewall to allow all domains (ecosystem and custom) with warnings for ecosystem domains instead of errors |
| pkg/workflow/strict_mode_llm_gateway_test.go | Updated test expectations from errors to warnings, added comprehensive test coverage for custom domain scenarios |
| docs/src/content/docs/reference/network.md | Updated documentation from "requirement" to "recommendation" language, changed examples from errors (❌) to warnings (⚠) |

@pelikhan pelikhan merged commit fa48f1b into main Feb 19, 2026
130 checks passed
@pelikhan pelikhan deleted the copilot/allow-custom-domains-strict-mode branch February 19, 2026 03:49