Skip to content

[plan] Fix network/firewall schema description and engine support inconsistencies #17906

New issue
New issue
Closed
#17909
Closed
[plan] Fix network/firewall schema description and engine support inconsistencies#17906
#17909
Assignees
pelikhancopilot-swe-agent
Labels
ai-generatedcookieIssue Monster Loves Cookies!plan
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 23, 2026

Context

From schema consistency discussion #17876 (2026-02-23 run, findings 1–5).

Objective

Fix five related network/firewall bugs where the schema, documentation, and code are inconsistent about which engines support the firewall feature and how firewall config is parsed.

Issues to Fix

1. Schema network.firewall description incorrectly says "Only supported for Copilot engine"

  • File: pkg/parser/schemas/main_workflow_schema.json:2225
  • All four engines (copilot, claude, codex, gemini) have supportsFirewall: true — remove the Copilot-only restriction from the description.

2. log_level vs log-level key name mismatch

  • Files: pkg/workflow/engine.go:220, pkg/workflow/frontmatter_extraction_security.go:123
  • engine.go uses firewallObj["log_level"] (underscore) while the security extraction path uses firewallObj["log-level"] (hyphen).
  • Standardize to log-level (hyphen) in engine.go:220 to match frontmatter_extraction_security.go.

3. cleanup_script field missing from schema

  • Files: pkg/workflow/engine.go:227, pkg/parser/schemas/main_workflow_schema.json
  • engine.go:227 reads firewallObj["cleanup_script"] but the field is absent from the schema (which has additionalProperties: false).
  • Add cleanup_script to the appropriate schema object so users can discover and use this field.

4. hasNetworkRestrictions() ignores Blocked domain list

  • File: pkg/workflow/engine_firewall_support.go:17-35
  • The function only checks Allowed list; a workflow with only network: blocked: [...] returns false, skipping firewall validation.
  • Add: if len(networkPermissions.Blocked) > 0 { return true }.

5. computeAllowedDomainsForSanitization missing gemini case

  • File: pkg/workflow/domains.go:695-706
  • Gemini falls into default which calls GetAllowedDomains() instead of GetGeminiAllowedDomainsWithToolsAndRuntimes().
  • Add case "gemini": return GetGeminiAllowedDomainsWithToolsAndRuntimes(...) to the switch.

Files to Modify

  • pkg/parser/schemas/main_workflow_schema.json
  • pkg/workflow/engine.go
  • pkg/workflow/engine_firewall_support.go
  • pkg/workflow/domains.go

Acceptance Criteria

  • Schema description for network.firewall no longer says "Only supported for Copilot engine"
  • cleanup_script is documented in the schema
  • engine.go uses log-level (hyphen) consistent with security extraction path
  • hasNetworkRestrictions() returns true when only Blocked list is non-empty
  • computeAllowedDomainsForSanitization calls the Gemini-specific function for "gemini" engine
  • Run make agent-finish with no errors before committing

Generated by Plan Command for issue #discussion #17876

  • expires on Feb 25, 2026, 12:04 PM UTC

Metadata

Metadata

Assignees

Labels

ai-generatedcookieIssue Monster Loves Cookies!plan

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions