Bump firewall version to v0.25.43

[lpcox]

Summary

Bump the default Agent Workflow Firewall (AWF) version from v0.25.42 to v0.25.43.

Changes Required

File: pkg/constants/version_constants.go

// Before
const DefaultFirewallVersion Version = "v0.25.42"

// After
const DefaultFirewallVersion Version = "v0.25.43"

Changelog (since v0.25.41)

New features

• --docker-host-path-prefix <prefix> — Prefix bind-mount source paths so the Docker daemon can resolve runner filesystem paths. Required for ARC DinD sidecar runners where the runner and daemon have separate filesystems. Kernel virtual filesystems (/dev, /sys, /proc) are automatically excluded from prefixing. (Treat under-provisioned permissions as warnings in non-strict mode #2843)
• apiProxy.maxRuns (--max-runs) — Absolute maximum number of LLM invocations allowed per run. When reached, API proxy returns HTTP 429 with max_runs_exceeded. (Prettify permissions validation error messages #2798)
• apiProxy.auth — OIDC-based credential exchange configuration for Azure, AWS, and GCP. Enables GitHub OIDC → cloud provider token exchange so agents can reach cloud-hosted LLM endpoints without static API keys. ([smoke-detector] 🔍 Smoke Test Investigation - Smoke OpenCode Run #51: OpenCode Agent Execution Failure #2772)
• container.dockerHostPathPrefix — Config-file equivalent of --docker-host-path-prefix. (Treat under-provisioned permissions as warnings in non-strict mode #2843)

ARC/DinD support

• Honor Unix DOCKER_HOST sockets for DinD mounts on ARC runners — when DOCKER_HOST points to a non-default Unix socket (e.g. /run/dind/docker.sock), AWF now exposes that socket inside the agent container instead of assuming /var/run/docker.sock. (🔑 Add flag for using local secrets during workflow execution #2841)
• Fix chroot bind mounts for ARC/DinD split runner-daemon filesystems — adds normalizeDockerHostPathPrefix() and translateBindMountHostPath() with kernel VFS passthrough (/dev, /sys, /proc). (Treat under-provisioned permissions as warnings in non-strict mode #2843)
• Add hidepid=2 to procfs mount at /host/proc — prevents agent from reading PID 1 /proc/1/environ (credential isolation against race window). (Treat under-provisioned permissions as warnings in non-strict mode #2843)

Bug fixes & refactoring

• COPILOT_PROVIDER_WIRE_API=responses for GPT-5-family Copilot BYOK runs ([test-coverage] Add comprehensive tests for console renderSlice function (+56.2% function coverage, +0.1% overall) #2842)
• Align ET budget error strings with gh-aw detection patterns (Add GitHub tool/toolset validator for allowed tools configuration #2770)
• Restore --ignore-scripts for engine CLI installs in lock files (🔍 Agentic Workflow Audit Report - October 31, 2025 #2840)
• Patch high-severity vulnerabilities in babel and fast-uri ([tidy] Format JSON schema file #2799)
• Extract shared test utilities, remove dead exports/imports (Fix test suite for GitHub MCP toolset permission validation #2800, [tidy] Format code with make fmt #2811, Fix changeset generator workflow instructions for push_to_pull_request_branch tool #2812, Rename engine "agent" field to "custom-agent" #2814, Add schema descriptions for runs-on and concurrency fields #2819, [WIP] Refactor duplicate MCP config loading logic #2829)

New Frontmatter / Config Fields for gh-aw Compiler

The following new AWF config properties should be considered for exposure through gh-aw workflow frontmatter:

1. container.dockerHostPathPrefix (string)

container:
  dockerHostPathPrefix: /host

CLI: --docker-host-path-prefix /host

Prefixes all AWF bind-mount source paths so a Docker daemon with a separate filesystem can resolve them. Essential for ARC DinD sidecar runners. Kernel virtual filesystems (/dev, /sys, /proc) are automatically excluded.

Frontmatter suggestion: firewall.container.dockerHostPathPrefix or a simpler firewall.arc-dind-prefix.

2. apiProxy.maxRuns (integer)

apiProxy:
  maxRuns: 100

CLI: --max-runs 100

Hard cap on the number of LLM API invocations per workflow run. Complements the existing maxEffectiveTokens budget guard. Returns HTTP 429 with max_runs_exceeded error type when exceeded.

Frontmatter suggestion: firewall.apiProxy.maxRuns — useful for cost-control guardrails in agentic workflows.

3. apiProxy.auth (object)

apiProxy:
  auth:
    type: github-oidc
    provider: azure
    azureTenantId: "..."
    azureClientId: "..."

Enables OIDC-based credential exchange — agents can reach Azure OpenAI, AWS Bedrock, or GCP Vertex AI without static API keys by exchanging GitHub OIDC tokens for cloud provider tokens.

Frontmatter suggestion: firewall.apiProxy.auth.* — enables keyless LLM access in enterprise environments. Requires id-token: write permission.

Checklist

• Update DefaultFirewallVersion in pkg/constants/version_constants.go
• Run make build to rebuild the binary
• Run make recompile to regenerate all lock files with the new version
• Run make agent-finish to validate
• Verify lock files reference the new firewall version
• Evaluate new config fields (dockerHostPathPrefix, maxRuns, auth) for frontmatter exposure

References

• gh-aw-firewall releases
• AWF config schema
• AWF config spec