Summary
The gh-aw compiler needs to be updated to support AWF's strict security default. Today the compiler auto-injects flags that are incompatible with strict security into generated .lock.yml files.
Strict security is the default — the compiler should simply stop emitting sudo and host-access flags. Only workflows that genuinely need legacy behavior should opt in via legacy-security: enable.
Current Behavior
When the compiler processes workflow .md files with runtime: gvisor and sudo: true in frontmatter, it injects:
sudo -E prefix on the awf command (via AWFDefaultCommand constant)
--enable-host-access flag
--allow-host-ports 80,443,8080 flag
--enable-api-proxy (no longer needed — API proxy is always on)
For workflows with a services: block, it also injects:
5. --allow-host-service-ports with dynamic port expressions
Required Changes
1. Change AWFDefaultCommand from "sudo -E awf" to "awf"
In pkg/constants/constants.go:
const AWFDefaultCommand = "awf" // was: "sudo -E awf"
2. Stop injecting --enable-host-access and --allow-host-ports
In pkg/workflow/awf_helpers.go (around line 675-698): remove the branch that adds --enable-host-access and --allow-host-ports. These are incompatible with strict security.
3. Stop emitting --enable-api-proxy
The API proxy is always enabled in AWF now. The compiler should not emit --enable-api-proxy in the config file (AWFAPIProxyConfig.Enabled should be removed or always true without emitting the flag).
4. Add legacy-security: enable frontmatter support
Add a new field to AgentSandboxConfig:
LegacySecurity bool `yaml:"legacy-security,omitempty"`
When legacy-security: enable is set in frontmatter, the compiler should emit:
sudo -E awf (override command prefix)
--legacy-security flag
--enable-host-access --allow-host-ports 80,443,8080
5. GetAWFCommandPrefix logic change
In pkg/workflow/awf_helpers.go:
- Default: return
"awf" (no sudo)
- When
legacy-security: enable: return "sudo -E awf"
- Remove the
isAWFNetworkIsolationEnabled gating (network isolation is now always on in strict mode)
6. Workflows requiring legacy security
Only workflows that use --allow-host-service-ports (i.e., those with a services: block that need to reach host-bound service ports) should use legacy-security: enable. All others use strict security (the default).
Key Files to Modify
pkg/constants/constants.go — AWFDefaultCommand
pkg/workflow/awf_helpers.go — GetAWFCommandPrefix(), BuildAWFArgs() (host-access logic)
pkg/workflow/awf_config.go — AWFAPIProxyConfig (stop requiring enabled: true)
pkg/workflow/sandbox.go — AgentSandboxConfig (add LegacySecurity field)
pkg/workflow/frontmatter_extraction_security.go — parse legacy-security from frontmatter
Dependency
This is blocked on the AWF release containing --legacy-security (github/gh-aw-firewall#6207). Once that ships, the compiler can be updated and lock files regenerated.
Related
Summary
The gh-aw compiler needs to be updated to support AWF's strict security default. Today the compiler auto-injects flags that are incompatible with strict security into generated
.lock.ymlfiles.Strict security is the default — the compiler should simply stop emitting sudo and host-access flags. Only workflows that genuinely need legacy behavior should opt in via
legacy-security: enable.Current Behavior
When the compiler processes workflow
.mdfiles withruntime: gvisorandsudo: truein frontmatter, it injects:sudo -Eprefix on theawfcommand (viaAWFDefaultCommandconstant)--enable-host-accessflag--allow-host-ports 80,443,8080flag--enable-api-proxy(no longer needed — API proxy is always on)For workflows with a
services:block, it also injects:5.
--allow-host-service-portswith dynamic port expressionsRequired Changes
1. Change
AWFDefaultCommandfrom"sudo -E awf"to"awf"In
pkg/constants/constants.go:2. Stop injecting
--enable-host-accessand--allow-host-portsIn
pkg/workflow/awf_helpers.go(around line 675-698): remove the branch that adds--enable-host-accessand--allow-host-ports. These are incompatible with strict security.3. Stop emitting
--enable-api-proxyThe API proxy is always enabled in AWF now. The compiler should not emit
--enable-api-proxyin the config file (AWFAPIProxyConfig.Enabledshould be removed or always true without emitting the flag).4. Add
legacy-security: enablefrontmatter supportAdd a new field to
AgentSandboxConfig:When
legacy-security: enableis set in frontmatter, the compiler should emit:sudo -E awf(override command prefix)--legacy-securityflag--enable-host-access --allow-host-ports 80,443,80805.
GetAWFCommandPrefixlogic changeIn
pkg/workflow/awf_helpers.go:"awf"(no sudo)legacy-security: enable: return"sudo -E awf"isAWFNetworkIsolationEnabledgating (network isolation is now always on in strict mode)6. Workflows requiring legacy security
Only workflows that use
--allow-host-service-ports(i.e., those with aservices:block that need to reach host-bound service ports) should uselegacy-security: enable. All others use strict security (the default).Key Files to Modify
pkg/constants/constants.go—AWFDefaultCommandpkg/workflow/awf_helpers.go—GetAWFCommandPrefix(),BuildAWFArgs()(host-access logic)pkg/workflow/awf_config.go—AWFAPIProxyConfig(stop requiringenabled: true)pkg/workflow/sandbox.go—AgentSandboxConfig(addLegacySecurityfield)pkg/workflow/frontmatter_extraction_security.go— parselegacy-securityfrom frontmatterDependency
This is blocked on the AWF release containing
--legacy-security(github/gh-aw-firewall#6207). Once that ships, the compiler can be updated and lock files regenerated.Related
feat: add --security-mode strict|compat with strict as default--legacy-securityboolean flag in AWF