[task] Document CLI-only strict-mode feature in JSON schema #4207

@github-actions

Objective

Add schema documentation for the strict-mode CLI-only feature to improve developer understanding and IDE tooling support.

Context

The schema consistency audit (Discussion #4177) identified that strict-mode is extensively implemented in the compiler but has no representation in main_workflow_schema.json. This creates a gap where users and IDE tooling have no schema-level indication that strict mode exists as a CLI feature.

Related to #4177

Current State

  • Implementation: Extensive (15+ test files, compiler.go:111, strict_mode.go, etc.)
  • Documentation: Mentioned in guides/security.md but NOT in reference/frontmatter.md
  • Schema: No entry in main_workflow_schema.json
  • Usage: CLI-only via gh aw compile --strict flag

Proposed Approach

Add a $comment field or dedicated section in the schema to document CLI-only features:

{
  "$comment": "CLI-ONLY: strict-mode is set via gh-aw CLI flag --strict, not in frontmatter",
  "strict-mode": {
    "type": "null",
    "description": "This field is not configurable in frontmatter. Strict mode is enabled via CLI flag: gh aw compile --strict. Enforces action pinning, network configuration, and safe-outputs usage."
  }
}

Files to Modify

  • pkg/parser/schemas/main_workflow_schema.json - Add CLI-only features section or $comment
  • Consider adding to schema definitions or a dedicated x-cli-features section

Acceptance Criteria

  • Schema includes documentation for strict-mode as CLI-only feature
  • Documentation clearly states it cannot be set in frontmatter
  • Documentation references the CLI flag: gh aw compile --strict
  • Documentation lists enforcement areas (action pinning, network config, safe-outputs)
  • Schema validation still passes (strict-mode should not accept frontmatter values)
  • Run make test to ensure no regressions

Additional Context

Enforcement areas documented in implementation:

AI generated by Plan Command for discussion #4177
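
Added example (not part of the original issue and not gh-aw project code): a check of the acceptance criterion that strict-mode must not accept frontmatter values, comparing the proposed `"type": "null"` entry with a reject-everything entry. It assumes the proposed entry sits under the schema's `properties`; the `valid` helper, the sample documents, the shortened description text and the `"not": {}` alternative are constructed for illustration.

```python
# Minimal evaluator for the few JSON Schema keywords used here
# (type, not, properties). Not a full validator and not gh-aw code.

TYPES = {"null": type(None), "boolean": bool, "string": str, "object": dict}

def valid(schema, value):
    """Return True if value satisfies schema (subset: type, not, properties)."""
    if "type" in schema and not isinstance(value, TYPES[schema["type"]]):
        return False
    if "not" in schema and valid(schema["not"], value):
        return False
    if isinstance(value, dict):
        for key, sub in schema.get("properties", {}).items():
            if key in value and not valid(sub, value[key]):
                return False
    return True

# Entry proposed in the issue, assumed to sit under "properties"
# (description abbreviated).
PROPOSED = {"type": "object", "properties": {"strict-mode": {
    "type": "null",
    "description": "CLI-only; enabled via gh aw compile --strict"}}}

# Alternative (assumption, not from the issue): "not": {} matches no value,
# so any strict-mode key present in frontmatter fails validation.
REJECT_ALL = {"type": "object", "properties": {"strict-mode": {
    "not": {},
    "description": "CLI-only; enabled via gh aw compile --strict"}}}

# Constructed frontmatter samples, as they look after YAML parsing.
# "name" is a hypothetical placeholder key.
SAMPLES = {
    "absent": {"name": "demo"},
    "true": {"name": "demo", "strict-mode": True},
    "string": {"name": "demo", "strict-mode": "yes"},
    "empty": {"name": "demo", "strict-mode": None},  # YAML `strict-mode:`
}

def accepted(schema):
    """Names of the samples the schema accepts."""
    return [name for name, doc in SAMPLES.items() if valid(schema, doc)]

if __name__ == "__main__":
    print("type null:", accepted(PROPOSED))
    print("not {}   :", accepted(REJECT_ALL))
```

With `"type": "null"`, a frontmatter line `strict-mode:` with no value still validates, so a schema test for the acceptance criterion should include that case alongside `true` and string values.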
