Contributor

Copilot AI commented Jan 7, 2026

The Go firewall log parser was rejecting valid log entries due to overly strict field validation, causing the daily firewall report to show 0 blocked requests. The JavaScript parser only validates timestamps; the Go parser was also validating client IP:port, domain, dest IP:port, status, and decision formats.

Changes

  • Relaxed validation in pkg/cli/firewall_log.go: Removed regex validation for all fields except timestamp, matching JavaScript parser behavior (lines 115-119 in parse_firewall_logs.cjs)
  • Updated tests in pkg/cli/firewall_log_test.go: Modified 5 test cases to accept non-standard field formats (e.g., "Accepting" for IP, "DNS" for domain, "Waiting" for decision)

Before/After

Before (rejected these lines):

1761332530.474 Accepting api.github.com:443 ...        # Non-standard IP format
1761332530.474 172.30.0.20:35288 DNS ...               # Domain without port
1761332530.474 ... CONNECT Swap TCP_TUNNEL ...         # Non-numeric status

After (accepts all with valid timestamps):

// Only validate timestamp (essential for log format detection)
timestamp := fields[0]
if matched, _ := regexp.MatchString(`^\d+(\.\d+)?$`, timestamp); !matched {
    return nil
}
// Extract other fields without validation

This restores firewall log parsing for entries with non-standard field formats, fixing the blocked request counting in daily reports.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login 568ff642939f9258 refs/tags/v2.2.1 /usr/bin/gh l GO111MODULE 64/bin/go gh api runs/20260107-132231-44639/test-3142533917 --jq /usr/bin/infocmp 3401984/run-1 GO111MODULE 64/bin/go infocmp (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login /ref/tags/v8 l /usr/bin/git 0576552/run-1002/tmp/gh-aw-compile-integration-2397209944/gh-aw GO111MODULE 64/pkg/tool/linuadd git -C pload-artifact/g--verbose rev-parse (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse cecc0dae6db3adb38654cf91de62ae108d7/log.json 3752254/run-1011gh GO111MODULE 64/bin/go infocmp -1 /ref/tags/v8 l /usr/bin/infocmp -json GO111MODULE ache/go/1.25.0/xmoby infocmp (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Firewall log parsing is broken</issue_title>
<issue_description>Somehow the firewall daily report got broken with v0.8 and is now reporting 0 blocked calls.

#8868

Investigate why and fix.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits January 7, 2026 13:16
… validation

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
…arser

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix broken firewall log parsing in daily report" to "Fix firewall log parsing by relaxing field validation to match JavaScript parser" Jan 7, 2026
Copilot AI requested a review from mnkiefer January 7, 2026 13:35
@pelikhan marked this pull request as ready for review January 7, 2026 13:37
@pelikhan merged commit 47a62c5 into main Jan 7, 2026
3 checks passed
@pelikhan deleted the copilot/fix-firewall-log-parsing branch January 7, 2026 13:38
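
The PR description above keeps only the timestamp check and extracts every other field without validation. As an added example (not code from this PR or the gh-aw repository), the sketch below shows one way to keep that lenient behaviour while still recording which fields arrived in an unusual format, so that non-standard lines are counted rather than silently dropped. The six-field layout, the `hostPort` and `status` patterns, and the names `ParseLine` and `Summarize` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed simplified field layout, not the project's real log format.
var (
	names    = []string{"timestamp", "client", "domain", "dest", "status", "decision"}
	tsRe     = regexp.MustCompile(`^\d+(\.\d+)?$`) // timestamp pattern from the PR
	hostPort = regexp.MustCompile(`^[^\s:]+:\d+$`)
	status   = regexp.MustCompile(`^\d{3}$`)
	expected = []*regexp.Regexp{nil, hostPort, hostPort, hostPort, status, nil} // nil: unchecked
)

// ParseLine rejects a line only for a bad timestamp or too few fields.
// Other fields are kept as-is; those in an unusual format are named in odd.
func ParseLine(line string) (fields, odd []string) {
	fields = strings.Fields(line)
	if len(fields) < len(names) || !tsRe.MatchString(fields[0]) {
		return nil, nil
	}
	for i, re := range expected {
		if re != nil && !re.MatchString(fields[i]) {
			odd = append(odd, names[i])
		}
	}
	return fields, odd
}

// Summarize counts lines kept, kept but flagged, and skipped.
func Summarize(lines []string) (kept, flagged, skipped int) {
	for _, l := range lines {
		if fields, odd := ParseLine(l); fields == nil {
			skipped++
		} else if len(odd) > 0 {
			flagged++
		}
	}
	return len(lines) - skipped, flagged, skipped
}

func main() { // constructed sample lines; addresses are documentation values
	fmt.Println(Summarize([]string{
		"1761332530.474 172.30.0.20:35288 DNS 203.0.113.10:443 Swap TCP_TUNNEL",
		"Accepting 172.30.0.20:35288 api.github.com:443 203.0.113.10:443 200 TCP_TUNNEL",
	}))
}
```

Reporting the flagged and skipped counts next to the kept total makes a parser regression of the kind described in the issue visible in the report itself.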
Development

Successfully merging this pull request may close these issues.

Firewall log parsing is broken
