Remove firewall.effective-token-steering frontmatter key

[Copilot]

✨ Enhancement

Token steering is now on by default — the opt-in firewall.effective-token-steering key is removed. To disable budget enforcement and token steering together, set max-effective-tokens to any negative value.

# Before: explicit opt-in required
firewall:
  effective-token-steering: true
max-effective-tokens: 5000000

# After: steering on by default; use negative to disable both
max-effective-tokens: -1   # disables budget enforcement AND token steering

What does this improve?
Eliminates a redundant knob — steering behaviour was already tied to the ET budget, so a separate boolean was unnecessary friction.

Implementation approach:

• Schema — removed the firewall top-level key entirely; max-effective-tokens now accepts negative integers (previously minimum: 1)
• Compiler — removed EnableTokenSteering from EngineConfig, parseEffectiveTokenSteering, and extractEffectiveTokenSteering; awf_config.go now derives enableTokenSteering from maxEffectiveTokens >= 0
• Negative sentinel — parseMaxEffectiveTokensValue passes negatives through; GetMaxEffectiveTokens uses == 0 (not <= 0) as the "not configured" sentinel; a negative value zeroes the AWF budget field (omitted via omitempty) and suppresses steering
• Workflow files — stripped firewall.effective-token-steering: true from 32 workflow files; refreshed all corresponding .lock.yml frontmatter hashes
• Tests & docs — updated schema, engine-config, AWF-config, and orchestrator tests; updated reference/network.md and reference/frontmatter.md

[Copilot]

Pull request overview

This PR removes the firewall.effective-token-steering opt-in and makes token steering default behavior, using negative max-effective-tokens values as the disable sentinel.

Changes:

• Removed EnableTokenSteering parsing/storage and derives AWF token steering from the effective token budget.
• Updated schema/tests/docs for negative max-effective-tokens and removed the top-level firewall schema key.
• Removed the old frontmatter key from workflow files and refreshed corresponding lock metadata.

Show a summary per file

File	Description
pkg/workflow/engine.go	Removes token-steering config field and updates ET parsing/default behavior.
pkg/workflow/engine_config_test.go	Updates engine config tests for negative ET sentinel.
pkg/workflow/compiler_orchestrator_engine.go	Preserves negative ET values through engine/import setup.
pkg/workflow/compiler_orchestrator_engine_test.go	Updates preservation test for negative ET values.
pkg/workflow/awf_config.go	Enables token steering by default and omits budget when disabled.
pkg/workflow/awf_config_test.go	Updates AWF config tests for default steering and negative disable.
pkg/parser/schemas/main_workflow_schema.json	Allows negative ET values and removes top-level firewall.
pkg/parser/schema_test.go	Updates schema validation test for negative ET values.
docs/src/content/docs/reference/network.md	Documents default token steering and disable sentinel.
docs/src/content/docs/reference/frontmatter.md	Documents negative max-effective-tokens.
.github/workflows/daily-mcp-concurrency-analysis.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-malicious-code-scan.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-malicious-code-scan.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-issues-report.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-issues-report.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-hippo-learn.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-hippo-learn.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-grafana-otel-instrumentation-advisor.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-grafana-otel-instrumentation-advisor.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-geo-optimizer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-geo-optimizer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-function-namer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-function-namer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-firewall-report.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-firewall-report.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-file-diet.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-file-diet.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-fact.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-fact.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-experiment-report.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-experiment-report.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-doc-updater.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-doc-updater.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-doc-healer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-doc-healer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-compiler-threat-spec-optimizer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-compiler-quality.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-compiler-quality.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-community-attribution.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-community-attribution.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-code-metrics.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-code-metrics.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-cli-tools-tester.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-cli-tools-tester.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-cli-performance.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-cli-performance.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-choice-test.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-choice-test.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-caveman-optimizer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-caveman-optimizer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-cache-strategy-analyzer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-cache-strategy-analyzer.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-aw-cross-repo-compile-check.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-aw-cross-repo-compile-check.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-astrostylelite-markdown-spellcheck.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-assign-issue-to-user.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-assign-issue-to-user.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-architecture-diagram.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-architecture-diagram.lock.yml	Refreshes lock metadata hash.
.github/workflows/daily-agentrx-trace-optimizer.md	Removes old steering opt-in frontmatter.
.github/workflows/daily-agentrx-trace-optimizer.lock.yml	Refreshes lock metadata hash.
.github/workflows/cloclo.md	Removes old steering opt-in frontmatter.
.github/workflows/cloclo.lock.yml	Refreshes lock metadata hash.
.github/workflows/brave.md	Removes old steering opt-in frontmatter.
.github/workflows/brave.lock.yml	Refreshes lock metadata hash.
.github/workflows/archie.md	Removes old steering opt-in frontmatter.
.github/workflows/archie.lock.yml	Refreshes lock metadata hash.
.github/workflows/approach-validator.md	Removes old steering opt-in frontmatter.
.github/workflows/approach-validator.lock.yml	Refreshes lock metadata hash.
.github/workflows/ace-editor.md	Removes old steering opt-in frontmatter.
.github/workflows/ace-editor.lock.yml	Refreshes lock metadata hash.
.changeset/patch-bump-awf-v0-25-44.md	Updates release note text for token steering change.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 75/75 changed files
• Comments generated: 3

[pelikhan]

@copilot review all comments and pull request review comments. Handle the boundary max-effective-tokens: 0, or negative should turn off the feature.

[Copilot]

@copilot review all comments and pull request review comments. Handle the boundary max-effective-tokens: 0, or negative should turn off the feature.

Addressed all three review points in commit fix: import path handles negative max-effective-tokens; add integer-zero schema test; fix changeset:

1. Import path (compiler_orchestrator_engine.go:312): Changed parsed > 0 → parsed != 0 so a negative value (the disable sentinel) from an imported shared workflow is correctly propagated — zero stays as the "not configured" indicator and is never applied from imports.

2. Schema regression test (pkg/parser/schema_test.go): Added TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_MaxEffectiveTokensIntegerZeroInvalid to confirm that integer 0 is rejected at the schema level (separate from the existing string "0" test).

3. Changeset (.changeset/patch-bump-awf-v0-25-44.md): Removed the stale "Bump default gh-aw-firewall to v0.25.44" claim — the current default is already v0.25.46.