Fix Workflow Tools & MCP integration failures after network.firewall deprecation

[Copilot]

The Integration: Workflow Tools & MCP CI shard failed because firewall integration tests still used deprecated network.firewall frontmatter, which now fails schema validation and no longer matches current extraction behavior.

• Root cause alignment (tests vs current schema/runtime)

  • Replaced deprecated network.firewall usage in integration test fixtures with supported sandbox.agent + network.allowed patterns.
  • Updated old AWF version pinning fixture from network.firewall.version to sandbox.agent.version.

• Firewall args integration updates

  • Migrated custom firewall argument tests to sandbox.agent.args (with strict: false where internal args are intentionally exercised).
  • Preserved assertions for generated AWF flags and env exclusions (--exclude-env ...) under the new config shape.
  • Kept --allow-urls input in the same comma-joined format emitted by getSSLBumpArgs().

• Firewall disable integration updates

  • Reworked tests to validate the supported migration path (sandbox.agent: false) instead of deprecated network.firewall: "disable".
  • Updated expectations to ensure no warning/error is emitted from deprecated firewall validation paths when using the new configuration.

# before (deprecated)
network:
  firewall:
    version: v0.25.0

# after (supported)
sandbox:
  agent:
    version: v0.25.0

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name 64/pkg/tool/linux_amd64/compile GOINSECURE fips140hash 7283400/b011/sym--git-dir 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 7283400/b233/_pkg_.a 7LFx/9x5EhNlMwHDxpQFH7LFx .cfg GOINSECURE a95/uritemplate/rev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true estl�� 1927691/b390/_pkg_.a log .cfg --format=%H:%ct GOWORK 64/bin/go ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 1646267617 vNkW/MmwpPo_3e3tB-Au8vNkW 64/pkg/tool/linux_amd64/link GOINSECURE fips140/ecdh GOMODCACHE 64/pkg/tool/linux_amd64/link -c 89/001/test-frontmatter-with-nes-p _L0m/ZbUGNwZMKnO7zDW0_L0m ortcfg.link -n1 b/gh-aw/pkg/acticonfig --end-of-options--get-regexp 9Ym34G_sfJyM6o-I^remote\..*\.gh-resolved$ (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD s,MFiles,HFiles,-bool node (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv xterm-color 64/pkg/tool/linu-tests /usr/bin/infocmp ty-test.md GO111MODULE 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linux_amd64/vet /usr/bin/git 1646267617 stmain.go .cfg git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv 55/001 go /usr/bin/git -json GO111MODULE 64/bin/go git init�� GOMODCACHE go ps 1984912718/.githnode GO111MODULE ache/go/1.25.8/xinstall ps (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv -m Test commit /usr/bin/git -json GO111MODULE 64/bin/go git remo�� remove upstream /usr/bin/git -json GO111MODULE ache/go/1.25.8/xinstall git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestCompileUpdateDiscussionFieldEnforcement1529227050/001 remote /usr/bin/git -json GO111MODULE x_amd64/vet git conf�� user.email l (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260421-184104-61446/test-3654552072/.github/workflows rev-parse o.git hyphen3072184141git hyphen3072184141rev-parse 64/bin/go node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/ace-editor.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_KeyOrdering112471129/001/test1.md go ache/node/24.14.1/x64/bin/node hyphen116730963/git hyphen116730963/rev-parse 64/bin/go ache/node/24.14.1/x64/bin/node 7251�� ts.result go ache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go ache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 7283400/b204/importcfg -trimpath ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -p unique -lang=go1.25 hz/8-8vmLiYCmHH9yLNKNaz/ITCHFh6R_3VA1bELNvSY -o 1372023320 -trimpath 1927691/b183/vet.cfg -p crypto/internal/rev-parse -lang=go1.25 /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /usr/bin/git e-analyzer.md -o .cfg git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linutest@example.com /usr/bin/git 3547-38115/test-git pkg/mod/github.crev-parse ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuTest User /usr/bin/git 1602065958 -trimpath /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --get remote.origin.urrev-parse /usr/bin/gh git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv 1927691/b462/types.test config 1927691/b462/importcfg.link remote.origin.urgit h865974135/001' x_amd64/compile VWw7VJguVlRAx/jNQYSQDdMsvnnTZDbyx2/zg1-jwF1IRoPasY5xy3c/9ezsDU_VWw7VJguVlRAx conf�� ry=1 remote.origin.url om/org2/repo.git -json GO111MODULE x_amd64/vet git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv UpdateDiscussionFieldEnforcement3455503572/001 -buildtags /usr/bin/infocmp -errorsas -ifaceassert -nilfunc infocmp -1 xterm-color -tests /usr/bin/git GOPATH); \ if cogit GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv 965452213/001 -buildtags /usr/bin/gh -errorsas -ifaceassert -nilfunc gh work�� list --json /usr/bin/git ck 'scripts/**/*git GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x12345 /usr/bin/git ApprovalLabelsCogit 1927691/b220/vetcheckout x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git -unreachable=falgit /tmp/go-build152rev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x-b git rev-�� --show-toplevel go /usr/bin/git 448581818/.githugit GO111MODULE /opt/hostedtoolc--show-toplevel /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --git-dir go /usr/bin/git SameOutput333267git GO111MODULE ache/go/1.25.8/x-b git rev-�� --show-toplevel go /usr/bin/git 858617922/.githugit GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1521927691/b438/importcfg -pack /tmp/go-build1521927691/b438/_testmain.go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json g/catmsg.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git ortcfg .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git ned-imports-enabgit itbranch_with_hyrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/git 4/001/test-emptygit GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git conf�� --get remote.origin.url /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/vet /usr/bin/git -obugO3Wj .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 7283400/b198/_pkgit om/segmentio/encrev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git 89/001/test-emptgit GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 1927691/b456/_pkg_.a --json 1927691/b456=> -c=4 -nolocalimports -importcfg git 1927�� s/test.md 1927691/b441/_testmain.go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json o x_amd64/compile node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows/ace-editor.md GOPROXY /opt/hostedtoolcache/node/24.14.1/x64/bin/node GOSUMDB GOWORK 64/bin/go node /tmp�� /tmp/TestHashCon--workflow go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv GOOS=js GOARCH=wasm go build -ldflags="-w -s" -o gh-aw.wasm ./cmd/gh-aw-wasm GOPROXY /usr/lib/git-core/git GOSUMDB GOWORK 64/bin/go /usr/lib/git-core/git rev-�� --objects --stdin /usr/bin/git --exclude-hidden/usr/bin/git --all --quiet git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /usr/bin/git -json .cfg 64/pkg/tool/linu--show-toplevel git init�� GOMODCACHE D8RXanEmFBss /usr/bin/infocmp mLsRemoteWithReagit mLsRemoteWithRearev-parse 64/pkg/tool/linu--show-toplevel infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git -json GO111MODULE 64/bin/go git conf�� user.name Test User /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv bility_SameInputSameOutput1597001985/001/stabili--workflow rev-parse /usr/bin/git 505912/001' 505912/001' x_amd64/compile git -C /tmp/gh-aw-test-runs/20260421-183547-38115/test-2323062440 l 64/pkg/tool/linux_amd64/compile -json GO111MODULE x_amd64/compile 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv runs/20260421-184104-61446/test-3844565389/custom/workflows GOPROXY /usr/lib/git-core/git GOSUMDB GOWORK 64/bin/go /usr/lib/git-core/git main�� run --auto /usr/bin/git --detach GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 GOPROXY bject.type] | @tsv GOSUMDB GOWORK 64/bin/go /usr/lib/git-core/git main�� run --auto /usr/bin/git --detach GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv bility_SameInputSameOutput1597001985/001/stability-test.md -extld=gcc /usr/bin/git -json GO111MODULE x_amd64/compile git -C /tmp/gh-aw-test-runs/20260421-183547-38115/test-2323062440 rev-parse /usr/bin/git -json g.go x_amd64/compile git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 GOPROXY sv GOSUMDB GOWORK 64/bin/go /usr/lib/git-core/git rev-�� --objects --stdin /usr/bin/git --exclude-hiddengit --all --quiet git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv echo " Copy wasm_exec.js from: $(go env GOROOT)/lib/wasm/wasm_exec.js (or misc/wasm/ for Go <1.git GOPROXY /usr/lib/git-core/git-receive-pack GOSUMDB GOWORK 64/bin/go git-receive-pack--json /tmp�� GOMODCACHE go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linu-nilfunc GOINSECURE GOMOD 7283400/b007/sym--show-toplevel 64/pkg/tool/linu-tests ache�� 7283400/b178/_pkg_.a r73k/ZR15bOYtzO_sNGC5r73k ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-dwarf=false (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE ntio/asm/cpu/armrev-parse GOMODCACHE 64/pkg/tool/linux_amd64/vet env 2479718059/custom/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 87918/b464/vet.cfg ions.md GOMOD GOMODCACHE go env -json l 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE 1/x64/bin/node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE fips140/sha256 GOMODCACHE 64/pkg/tool/linutest@example.com env 2503588190 t2Bi/LbyKJAzlPTfrrG8ct2Bi .cfg GOINSECURE contextprotocol/rev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE fips140/check GOMODCACHE 64/pkg/tool/linux_amd64/vet env 1646267617 wDwi/8TvZlM4P0nfuVfRvwDwi x_amd64/compile GOINSECURE fips140/ecdsa GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 87918/b394/vet.cfg GOINSECURE GOMOD GOMODCACHE go env licyMinIntegrityOnlyCompiledOutput367067026/001 GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/xTest User (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env 2503588190 GO111MODULE .cfg GOINSECURE l/ascii GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User ortc�� 1646267617 stmain.go .cfg GOINSECURE g/x/net/http/httrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 87918/b398/vet.cfg GOINSECURE GOMOD GOMODCACHE go env licyMinIntegrityOnlyCompiledOutput367067026/001 GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet l GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name rg/x/text@v0.36.0/internal/langu-c=4 64/pkg/tool/linux_amd64/vet GOINSECURE hlite 7283400/b013/sym--show-toplevel 64/pkg/tool/linux_amd64/vet env 7283400/b245/_pkg_.a _zAe/m6K4S-499xrKjIdi_zAe 64/pkg/tool/linux_amd64/vet GOINSECURE t/internal/strinrev-parse GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE ntio/asm/cpu/armrev-parse ache/go/1.25.8/x--show-toplevel 64/pkg/tool/linux_amd64/vet env 7283400/b199/_pkg_.a GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 87918/b465/vet.cfg GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/node/24.14.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 80008139/.github/workflows 7Ps3/Xuna8G_bMUX3GMM57Ps3 ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE hpke GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu/tmp/file-tracker-test928557373/test2.lock.yml (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE /cpu GOMODCACHE 64/pkg/tool/linux_amd64/vet env 7283400/b235/_pkg_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE osh-tekuri/jsonsrev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD 7283400/b013/symuser.name 64/pkg/tool/linuTest User env 80008139/.github/workflows taK6/ikh7gQ1RReQdq87ptaK6 ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE b/gh-aw/pkg/giturev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-extld=gcc (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE boring GOMODCACHE 64/pkg/tool/linux_amd64/vet env 7283400/b225/_pkg_.a 3NxN/fOrMapTM_SttVIFB3NxN 64/pkg/tool/linux_amd64/compile GOINSECURE ce GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE 87918/b474/vet.cfg GOINSECURE GOMOD GOMODCACHE go env -instructions-test-289345733/.github/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD 7283400/b007/symuser.email 64/pkg/tool/linutest@example.com env 80008139/.github/workflows 7283400/b007/importcfg ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE /semver GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 .cfg 64/pkg/tool/linux_amd64/vet GOINSECURE b/gh-aw/pkg/consrev-parse 7283400/b029/sym--git-dir 64/pkg/tool/linux_amd64/vet env 7283400/b228/_pkg_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE l/httpcommon GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE che/go-build/2c/2c5ab5fe5ff77aae29a5f83f19d35048f4a5b97d40b30a1ec73412dbdadb00e5-d GOINSECURE GOMOD GOMODCACHE go env -instructions-test-289345733/.github/workflows GO111MODULE /opt/hostedtoolcache/node/24.14.1/x64/bin/node l GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build1521927691/b419/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json o x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/vet env json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 7283400/b197/_pkg_.a HJpH/bR5uMPu5Fr3Cy4PJHJpH x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build1521927691/b404/cli.test /tmp/go-build1521927691/b404/cli.test -test.testlogfile=/tmp/go-build1521927691/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /tmp/go-build28987918/b404/cli.test /tmp/go-build28987918/b404/cli.test -test.testlogfile=/tmp/go-build28987918/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE erignore env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /tmp/go-build3441684955/b404/cli.test /tmp/go-build3441684955/b404/cli.test -test.testlogfile=/tmp/go-build3441684955/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git 1985/001/stabiligit pkg/mod/github.crev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ortcfg /usr/bin/git g/envutil/envutils g/envutil/envuti-lh outil.test git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv GOMODCACHE go /usr/bin/git ai-moderator.md GO111MODULE ache/go/1.25.8/x--show-toplevel git init�� GOMODCACHE go /usr/bin/git 4104-61446/test-ls GO111MODULE ache/go/1.25.8/x/tmp/gh-aw/aw-feature-branch.patch git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --git-dir go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 1927691/b001/_pkg_.a .cfg Name,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle GOINSECURE b/gh-aw/actions/rev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv npx prettier --c-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go prettier --ch�� scripts/**/*.js --ignore-path 64/bin/go -d git 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� y-frontmatter.md **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/TestGuardPolicyMinIntegrityOnlyrepos_only_without_min-integrity2906471359/001 go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv go GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv che/go-build/57/GOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcremote -o 42049141/001 42049141/002/work 64/bin/go -p main -lang=go1.25 go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv "prettier" --check '**/*.cjs' '*GOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go Y9NydNx/kaRytlLAremote env -json GO111MODULE 15c9da64d3752ebe5e9a593cfb056690-d GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1521927691/b431/importcfg -pack /tmp/go-build1521927691/b431/_testmain.go env g_.a GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env g_.a GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/gh-aw-test-runs/20260421-184104-61446/test-3654552072/.github/workflows go env lGitbranch_with_hyphen3072184141/001' lGitbranch_with_hyphen3072184141/001' 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv "prettier" --check 'scripts/**/*GOINSECURE node 64/bin/go prettier --write 64/bin/go go env b/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv se 1927691/b012/vet.cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv prettier --check 64/bin/go **/*.ts **/*.json --ignore-path go env GOPATH sh 64/bin/go -d git 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/TestGuardPolicyMinIntegrityOnlyCompiledOutput92417779/001 go (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD 7283400/b087/sym--show-toplevel 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE git conf�� user.name Test User /opt/hostedtoolcache/node/24.14.1/x64/bin/node GOSUMDB GOWORK 64/bin/go node (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOSUMDB GOWORK 64/bin/go git-upload-pack /tmp�� GOMODCACHE go /usr/bin/git ck '**/*.cjs' '*/usr/bin/git GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json age/compact/comp-ifaceassert x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state .cfg GOINSECURE l GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet estl�� t699691418/.github/workflows 1927691/b289/vet.cfg .cfg GOSUMDB GOWORK 64/bin/go ache/go/1.25.8/x^remote\..*\.gh-resolved$ (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json ag.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE /bin/sh (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 7283400/b236/_pkg_.a Kv-X/SrddFjc3EqPBzwz7Kv-X x_amd64/compile GOINSECURE osh-tekuri/jsonsrev-parse GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch --show-toplevel l /usr/bin/git -json GO111MODULE 64/bin/go git init�� GOMODCACHE go /usr/bin/git -json GO111MODULE x_amd64/link git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch runs/20260421-184329-83876/test-test-logs/run-2 go /usr/bin/git s/test.md GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE x_amd64/link git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 97/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	2 (Test* functions, 7 subtests total)
✅ Design tests (behavioral contracts)	2 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (100%)
Duplicate test clusters	0
Test inflation detected	No (net -3 lines across both files)
🚨 Coding-guideline violations	None

---

Test Classification Details

View all subtest classifications (7 subtests)

Test	File	Classification	Notes
TestFirewallArgsIntegration → "workflow with custom firewall args compiles correctly"	firewall_args_integration_test.go	✅ Design	End-to-end: compiles workflow, asserts custom flags in generated YAML
TestFirewallArgsIntegration → "workflow without custom args uses only default flags"	firewall_args_integration_test.go	✅ Design	Verifies default flag set is stable
TestFirewallArgsIntegration → "workflow with ssl-bump and allow-urls compiles correctly"	firewall_args_integration_test.go	✅ Design	Verifies ssl-bump and URL pattern passthrough
TestFirewallArgsIntegration → "workflow with github tool excludes GITHUB_MCP_SERVER_TOKEN"	firewall_args_integration_test.go	✅ Design	Security edge case: token exclusion when tools.github is set
TestFirewallArgsIntegration → "workflow pinning old AWF version does not emit --exclude-env"	firewall_args_integration_test.go	✅ Design	Version-boundary edge case with explicit negative assertion
TestFirewallDisableIntegration → "sandbox agent false with allowed domains does not warn"	firewall_disable_integration_test.go	✅ Design	Negative assertion: no deprecation warnings for new API
TestFirewallDisableIntegration → "sandbox agent false in strict mode does not error"	firewall_disable_integration_test.go	✅ Design	Verifies strict-mode compatibility with new sandbox.agent: false

---

Flagged Tests — Requires Review

No tests were flagged. All tests meet quality standards.

Minor observation (not blocking): TestFirewallDisableIntegration accesses the internal compiler.warningCount field to assert no warnings were emitted. This is a pragmatic choice for verifying a behavioral contract (deprecation warning suppression) and remains acceptable as long as the field name doesn't change frequently. If warningCount is refactored, this test will break even though the behavior is correct — consider exposing a Warnings() int accessor in the future.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 2 test functions (14 stdlib assertions via t.Error/t.Fatalf/t.Errorf) — integration (//go:build integration) ✅

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). Both modified test files cover genuine behavioral contracts: the compiler's AWF flag generation behavior after the network.firewall → sandbox.agent deprecation. The "old AWF version" subtest and both TestFirewallDisableIntegration subtests are especially valuable — they enforce version-boundary semantics and deprecation-path guarantees that would otherwise be invisible to future refactors.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24740885761

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

• Fix Workflow Tools & MCP integration failures after network.firewall deprecation #27645 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🧪 Test quality analysis by Test Quality Sentinel · ● 807.7K · ◷

[github-actions]

✅ Test Quality Sentinel: 97/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 7 subtests across both modified files enforce genuine behavioral contracts for the network.firewall → sandbox.agent deprecation path.

[Copilot]

Pull request overview

Updates integration tests in the Workflow Tools & MCP shard to stop using deprecated network.firewall frontmatter and instead use the supported sandbox.agent + network.allowed configuration so schema validation and runtime behavior align.

Changes:

• Migrated firewall disable integration tests from network.firewall: "disable" to sandbox.agent: false.
• Migrated firewall args/version pinning integration fixtures from network.firewall.* to sandbox.agent.{args,version}.
• Updated SSL bump allowlist fixture to pass the expected --allow-urls format via sandbox.agent.args.

Show a summary per file

File	Description
pkg/workflow/firewall_disable_integration_test.go	Reworks disable-path integration coverage to use sandbox.agent: false instead of deprecated network.firewall.
pkg/workflow/firewall_args_integration_test.go	Updates integration fixtures to configure AWF args/version via sandbox.agent and uses network.allowed instead of network.firewall.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 2

[Copilot]

This strict-mode subtest is asserting that sandbox.agent: false "does not error", but strict mode explicitly forbids sandbox.agent: false in validateStrictFirewall (see pkg/workflow/strict_mode_permissions_validation.go). This test should either (a) compile a workflow and assert the expected strict-mode error mentioning sandbox.agent: false, or (b) rename/re-scope the test to clarify it's only about checkFirewallDisable not producing a deprecated network.firewall error (and avoid implying the overall config is valid in strict mode).

[Copilot]

extractNetworkPermissions never populates NetworkPermissions.Firewall, so checkFirewallDisable(networkPerms) will always early-return and cannot increment warningCount. As written, this subtest will pass regardless of whether firewall-disable warnings are emitted elsewhere, which makes it a weak regression test. Consider asserting behavior through the real compilation path (where strict-mode/firewall validations run), or adjust the test to exercise the intended warning/error condition in a way that still reflects supported configuration.