Add JSON Schema if/then conditional validation for field requirements #7601

Closed
Copilot wants to merge 4 commits into main from copilot/add-conditional-validation

Copilot AI commented Dec 25, 2025

Several field requirements depend on other field values (e.g., MCP containers need network config in strict mode) but were only enforced at compile time. Users discovered these requirements through compilation errors rather than immediate schema validation feedback.

Changes

Added four if/then conditional constraints to pkg/parser/schemas/main_workflow_schema.json:

1. MCP containers in strict mode require network

# Now caught at schema validation:
strict: true
mcp-servers:
  my-tool:
    container: "image:latest"
    # Missing: network configuration

2. Write permissions require safe-outputs in strict mode

strict: true
permissions:
  contents: write
# Missing: safe-outputs

3. Sandbox-runtime requires feature flag

sandbox: sandbox-runtime
# Missing: features.sandbox-runtime: true

4. UV runtime requires network access

runtimes:
  uv:
    version: "latest"
# Missing: network configuration

Implementation

  • Added conditional validation constraints to schema's allOf section
  • Fixed MCP config validation to recognize network as valid field in both mcp-config.go and mcp_config_validation.go
  • Rebuilt binary with make build to embed updated schema

Schema validation now catches these violations immediately with clear error messages indicating missing required fields, before compilation begins.

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Add if/then conditional validation for field requirements</issue_title>
<issue_description>## Objective

Implement JSON Schema if/then constraints for conditional field requirements that are currently only enforced at compile time.

Context

Several fields have requirements that depend on other fields' values (e.g., MCP containers need network configuration in strict mode), but these aren't enforced in the schema. Users discover these requirements only through compile errors.

Conditional Requirements to Implement

  1. MCP containers in strict mode require network

    • If strict: true and tools.(tool).container is present
    • Then tools.(tool).network must be specified
    • Code: pkg/workflow/strict_mode_validation.go
  2. Write permissions require safe-outputs in strict mode

    • If strict: true and permissions has write scopes
    • Then safe-outputs must be configured
    • Code: pkg/workflow/strict_mode_validation.go:68
  3. Sandbox-runtime requires feature flag

    • If sandbox-runtime is specified
    • Then specific feature flag must be enabled
    • Code: pkg/workflow/compiler_parse.go
  4. UV packages require network access

    • If runtime.uv packages are specified
    • Then network configuration must allow PyPI access
    • Code: pkg/workflow/bundler_validation.go

Approach

Use JSON Schema if/then for each conditional:

{
  "if": {
    "properties": {
      "strict": { "const": true },
      "tools": {
        "patternProperties": {
          ".*": {
            "required": ["container"]
          }
        }
      }
    }
  },
  "then": {
    "properties": {
      "tools": {
        "patternProperties": {
          ".*": {
            "required": ["network"]
          }
        }
      }
    }
  }
}

Files to Modify

  • pkg/parser/schemas/frontmatter.json - Add if/then constraints
  • After changes, run make build to rebuild with embedded schema

Acceptance Criteria

  • Schema enforces MCP container network requirement in strict mode
  • Schema enforces safe-outputs with write permissions in strict mode
  • Schema enforces sandbox-runtime feature flag requirement
  • Schema enforces UV package network requirements
  • Error messages clearly explain conditional requirements
  • Existing valid configurations still pass validation

Testing

Create test workflows violating each conditional and verify schema validation catches them.
Related to #7575

AI generated by Plan Command for discussion #7569

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 3 commits December 25, 2025 07:58
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
- Add if/then constraint for MCP containers in strict mode requiring network
- Add if/then constraint for write permissions requiring safe-outputs in strict mode
- Add if/then constraint for sandbox-runtime requiring feature flag
- Add if/then constraint for UV packages requiring network access
- Add 'network' field to known MCP configuration properties
- Rebuild binary with updated embedded schema

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
- Verified all four conditional validations catch violations correctly
- Verified valid configurations still compile successfully
- All MCP, Schema, and Strict mode tests pass
- Pre-existing test failure in TestCodexAIConfiguration is unrelated to changes

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Add if/then conditional validation for field requirements Add JSON Schema if/then conditional validation for field requirements Dec 25, 2025
Copilot AI requested a review from mnkiefer December 25, 2025 08:21
@pelikhan pelikhan closed this Dec 25, 2025
@github-actions github-actions bot deleted the copilot/add-conditional-validation branch January 10, 2026 15:53
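
Added example, not code from this pull request or the project: the `if`/`then` sketched in the issue only fires when every tool declares `container`, and its `if` also matches when `strict` is absent, because `properties` constrains nothing about missing keys. The evaluator below covers only the keywords used here, `HARDENED` is one possible restructuring (an assumption, not the schema the PR added), and the sample configs are constructed.

```python
import re

def valid(schema, value):
    """Evaluate the small JSON Schema subset used below; not a full validator."""
    if "const" in schema and value != schema["const"]:
        return False
    if isinstance(value, dict):
        if any(key not in value for key in schema.get("required", [])):
            return False
        for key, sub in schema.get("properties", {}).items():
            if key in value and not valid(sub, value[key]):  # absent keys pass
                return False
        for pattern, sub in schema.get("patternProperties", {}).items():
            for key, item in value.items():
                if re.search(pattern, key) and not valid(sub, item):
                    return False
    if "if" in schema and valid(schema["if"], value):
        return valid(schema.get("then", {}), value)
    return True

# The approach as sketched in the issue text.
SKETCH = {
    "if": {"properties": {
        "strict": {"const": True},
        "tools": {"patternProperties": {".*": {"required": ["container"]}}},
    }},
    "then": {"properties": {
        "tools": {"patternProperties": {".*": {"required": ["network"]}}},
    }},
}

# Assumed hardening: require `strict` to be present, then test each tool on its own.
HARDENED = {
    "if": {"required": ["strict"], "properties": {"strict": {"const": True}}},
    "then": {"properties": {"tools": {"patternProperties": {".*": {
        "if": {"required": ["container"]},
        "then": {"required": ["network"]},
    }}}}},
}

# Constructed sample configurations (field values are placeholders).
SAMPLES = {
    "mixed_strict": {"strict": True, "tools": {
        "a": {"container": "image:latest"}, "b": {"command": "run"}}},
    "non_strict": {"tools": {"a": {"container": "image:latest"}}},
    "compliant": {"strict": True, "tools": {
        "a": {"container": "image:latest", "network": {}}}},
}

def compare():
    """Return {name: (passes SKETCH, passes HARDENED)} for each sample."""
    return {n: (valid(SKETCH, c), valid(HARDENED, c)) for n, c in SAMPLES.items()}

if __name__ == "__main__":
    print(compare())
```

`mixed_strict` is the case to watch: the sketch accepts a strict-mode container with no network as soon as any sibling tool lacks `container`, while `non_strict` shows the opposite error, a rejection outside strict mode.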