githubnext · pelikhan · Jan 23, 2026 · Jan 23, 2026
diff --git a/pkg/workflow/step_order_validation.go b/pkg/workflow/step_order_validation.go
@@ -178,17 +178,17 @@ func (t *StepOrderTracker) findUnscannablePaths(artifactUploads []StepRecord) []
 
 // isPathScannedBySecretRedaction checks if a path would be scanned by the secret redaction step
 func isPathScannedBySecretRedaction(path string) bool {
-	// Paths must be under /tmp/gh-aw/ to be scanned
+	// Paths must be under /tmp/gh-aw/ or /opt/gh-aw/ to be scanned
 	// Accept both literal paths and environment variable references
-	if !strings.HasPrefix(path, "/tmp/gh-aw/") {
-		// Check if it's an environment variable that might resolve to /tmp/gh-aw/
+	if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") {
+		// Check if it's an environment variable that might resolve to /tmp/gh-aw/ or /opt/gh-aw/
 		// For now, we'll allow ${{ env.* }} patterns through as we can't resolve them at compile time
-		// Assume environment variables that might contain /tmp/gh-aw paths are safe
+		// Assume environment variables that might contain /tmp/gh-aw or /opt/gh-aw paths are safe
 		// This is a conservative assumption - in practice these are controlled by the compiler
 		return strings.Contains(path, "${{ env.")
 	}
 
-	// Path must have one of the scanned extensions: .txt, .json, .log
+	// Path must have one of the scanned extensions: .txt, .json, .log, .jsonl
 	ext := filepath.Ext(path)
 	scannedExtensions := []string{".txt", ".json", ".log", ".jsonl"}
 	for _, scannedExt := range scannedExtensions {

diff --git a/pkg/workflow/step_order_validation_integration_test.go b/pkg/workflow/step_order_validation_integration_test.go
@@ -178,9 +178,9 @@ This workflow uploads artifacts.
 
 	for _, path := range uploadPaths {
 		if strings.Contains(contentStr, path) {
-			// Verify it's under /tmp/gh-aw/ (already true by construction)
-			if !strings.HasPrefix(path, "/tmp/gh-aw/") {
-				t.Errorf("Upload path %s is not under /tmp/gh-aw/ and won't be scanned", path)
+			// Verify it's under /tmp/gh-aw/ or /opt/gh-aw/ (scannable paths)
+			if !strings.HasPrefix(path, "/tmp/gh-aw/") && !strings.HasPrefix(path, "/opt/gh-aw/") {
+				t.Errorf("Upload path %s is not under /tmp/gh-aw/ or /opt/gh-aw/ and won't be scanned", path)
 			}
 		}
 	}

diff --git a/pkg/workflow/step_order_validation_test.go b/pkg/workflow/step_order_validation_test.go
@@ -48,7 +48,7 @@ func TestStepOrderTracker_ValidateOrdering_UploadBeforeSecretRedaction(t *testin
 	if err == nil {
 		t.Error("Expected error when upload comes before secret redaction, got nil")
 	}
-	expectedMsg := "compiler bug: secret redaction must happen before artifact uploads"
+	expectedMsg := "This is a compiler bug - secret redaction must happen before artifact uploads"
 	if err != nil && !contains(err.Error(), expectedMsg) {
 		t.Errorf("Expected error message to contain '%s', got: %v", expectedMsg, err)
 	}

diff --git a/pkg/workflow/strict_mode_test.go b/pkg/workflow/strict_mode_test.go
@@ -165,6 +165,8 @@ network:
     - "api.example.com"
 tools:
   github: false
+  playwright:
+    allowed_domains: ["example.com"]
 ---
 
 # Test Workflow`,
@@ -174,7 +176,7 @@ tools:
 			name: "shorthand write permission refused in strict mode",
 			content: `---
 on: push
-permissions: write
+permissions: write-all
 features:
   dangerous-permissions-write: true
 timeout-minutes: 10

diff --git a/pkg/workflow/template_rendering_test.go b/pkg/workflow/template_rendering_test.go
@@ -171,9 +171,9 @@ Normal content without conditionals.
 		t.Error("Compiled workflow should contain interpolation and template rendering step because GitHub tool is added by default")
 	}
 
-	// Verify the GitHub context was added
-	if !strings.Contains(compiledStr, "- name: Append GitHub context to prompt") {
-		t.Error("Compiled workflow should contain GitHub context step because GitHub tool is added by default")
+	// Verify the GitHub context was added (now part of unified prompt creation step)
+	if !strings.Contains(compiledStr, "- name: Create prompt with built-in context") {
+		t.Error("Compiled workflow should contain unified prompt creation step (which includes GitHub context)")
 	}
 }
 
@@ -225,8 +225,8 @@ Normal content without conditionals in markdown.
 		t.Error("Compiled workflow should contain interpolation and template rendering step when GitHub tool is enabled")
 	}
 
-	// Verify the GitHub context was added
-	if !strings.Contains(compiledStr, "- name: Append GitHub context to prompt") {
-		t.Error("Compiled workflow should contain GitHub context step when GitHub tool is enabled")
+	// Verify the GitHub context was added (now part of unified prompt creation step)
+	if !strings.Contains(compiledStr, "- name: Create prompt with built-in context") {
+		t.Error("Compiled workflow should contain unified prompt creation step (which includes GitHub context)")
 	}
 }