
[task] Add Actionable Hints to Strict Mode Validation Errors #3963

@github-actions

Objective

Enhance strict mode validation error messages to include actionable hints about alternative approaches, explaining WHY restrictions exist and HOW to achieve goals safely.

Context

Part of Discussion #3956 - Workflow Validation and Error Feedback Quality improvements.

When strict mode rejects an operation, users need to understand the security rationale and learn safe alternatives (like using safe-outputs).

Implementation Approach

Update Error Messages in pkg/workflow/strict_mode_validation.go

Transform all strict mode errors to include:

  1. Security rationale (WHY)
  2. Safe alternative approaches (HOW)
  3. Documentation links

Example transformations:

1. Write Permissions Error

// Before:
fmt.Errorf("strict mode: write permission '%s: write' is not allowed", scope)

// After:
fmt.Errorf("strict mode: write permission '%s: write' is not allowed for security reasons. Use 'safe-outputs.create-issue' or 'safe-outputs.create-pull-request' to perform write operations safely. See: (redacted)", scope)

2. Network Configuration Error

// Before:
fmt.Errorf("strict mode: 'network' configuration is required")

// After:
fmt.Errorf("strict mode: 'network' configuration is required to prevent unrestricted network access. Add 'network: { allowed: [...] }' or 'network: defaults' to your frontmatter. See: (redacted)")

3. Wildcard Error

// Before:
fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains")

// After:  
fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access. Specify explicit domains or use ecosystem identifiers like 'python', 'node', 'containers'. See: (redacted)#ecosystem-identifiers")

Use Enhanced Error Formatting

  • Leverage console.CompilerError struct with Hint field for better formatting
  • Ensure all errors use console.FormatErrorMessage

Files to Modify

  • Update: pkg/workflow/strict_mode_validation.go
  • Update: pkg/workflow/strict_mode_validation_test.go (add hint verification tests)

Acceptance Criteria

  • All 4+ strict mode error messages include actionable hints
  • Error messages explain security rationale (WHY)
  • Error messages suggest safe-outputs alternatives where applicable (HOW)
  • Error messages use console.FormatErrorMessage with hint field
  • Documentation links are valid and helpful
  • Unit tests verify hint content is present in error output
  • All tests pass (make test-unit)

Priority

High - Quick win that significantly improves security guidance and user experience
Related to #3956

AI generated by Plan Command for discussion #3956
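
The wildcard error from the issue, written with separate WHY / HOW / link fields and a checker a unit test can use to enforce the acceptance criteria. This is an added example, not code from the issue or the project: `StrictError`, `ValidateAllowedDomains`, `MissingHintParts` and the `docsBase` URL are hypothetical, and the project's `console.CompilerError` may be shaped differently.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// StrictError is a hypothetical type, not the project's console.CompilerError.
type StrictError struct{ Problem, Why, How, DocURL string }

func (e *StrictError) Error() string {
	return fmt.Sprintf("strict mode: %s %s. %s. See: %s", e.Problem, e.Why, e.How, e.DocURL)
}

// docsBase is a placeholder: the page redacts the real documentation URL.
const docsBase = "https://docs.example.invalid/strict-mode"

// ValidateAllowedDomains rejects a wildcard entry in network.allowed.
func ValidateAllowedDomains(allowed []string) error {
	for _, d := range allowed {
		if strings.TrimSpace(d) == "*" {
			return &StrictError{
				Problem: "wildcard '*' is not allowed in network.allowed domains",
				Why:     "to prevent unrestricted internet access",
				How:     "Specify explicit domains or use ecosystem identifiers like 'python', 'node', 'containers'",
				DocURL:  docsBase + "#ecosystem-identifiers",
			}
		}
	}
	return nil
}

// MissingHintParts lists which of WHY / HOW / doc link err lacks (a plain error lacks all).
func MissingHintParts(err error) (missing []string) {
	var se *StrictError
	if !errors.As(err, &se) {
		se = &StrictError{} // unstructured "before"-style error
	}
	for _, p := range [][2]string{{"why", se.Why}, {"how", se.How}, {"doc link", se.DocURL}} {
		if strings.TrimSpace(p[1]) == "" {
			missing = append(missing, p[0])
		}
	}
	return missing
}

func main() {
	fmt.Println(ValidateAllowedDomains([]string{"github.com", "*"})) // constructed input
}
```

Because the checker uses `errors.As`, it still recognizes a hinted error after callers wrap it with `%w`.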
