Skip to content

Add schema descriptions to disambiguate network field contexts#6357

Closed
Copilot wants to merge 5 commits intomainfrom
copilot/add-schema-descriptions-network
Closed

Add schema descriptions to disambiguate network field contexts#6357
Copilot wants to merge 5 commits intomainfrom
copilot/add-schema-descriptions-network

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Dec 13, 2025
edited
Loading

The network field appears in two distinct contexts with different purposes: top-level for AI engine permissions and nested in MCP tool config for container egress. Users may incorrectly assume engine network rules apply to MCP servers or vice versa.

Changes

Schema descriptions (pkg/parser/schemas/main_workflow_schema.json):

  • Top-level network: "Engine network permissions (does not apply to MCP tool network isolation)"
  • MCP tool network: "MCP tool container network isolation allowlist (separate from engine network permissions)"

Documentation cross-references:

  • network.md: Added note linking to MCP network egress section
  • mcps.md: Added explanation that the two network contexts are independent with clear differentiation

Example

# Engine network permissions - controls AI agent web access
network:
  allowed: [defaults, python]

mcp-servers:
  custom:
    container: "mcp/tool"
    # MCP container isolation - controls container egress (independent)
    network:
      allowed: ["api.example.com"]
Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Add schema descriptions to disambiguate network field contexts</issue_title>
<issue_description>## Objective

Add clear schema descriptions to differentiate between the two network field contexts: engine network permissions vs MCP tool network isolation.

Context

The network field appears in two distinct contexts:

  1. Top-level network: Controls AI engine network access with ecosystem identifiers and domains
  2. $defs.stdio_mcp_tool.network: Controls egress from containerized MCP servers with domain allowlist

Users might confuse these and expect engine network rules to apply to MCP servers.

Approach

  1. Add schema description field to top-level network: "Engine network permissions (does not apply to MCP tool network isolation)"
  2. Add schema description field to MCP tool network: "MCP tool container network isolation allowlist (separate from engine network permissions)"
  3. Add cross-references in existing docs (reference/network.md and guides/mcps.md)

Files to Modify

  • Update: pkg/parser/schemas/workflow.schema.json (add descriptions to both network fields)
  • Update: docs/src/content/docs/reference/network.md (add note about MCP network isolation)
  • Update: docs/src/content/docs/guides/mcps.md (add note about engine network permissions)

Acceptance Criteria

AI generated by Plan Command for discussion #6312

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 4 commits December 13, 2025 16:44
Copilot AI changed the title [WIP] Add schema descriptions for network field contexts Add schema descriptions to disambiguate network field contexts Dec 13, 2025
Copilot AI requested a review from mnkiefer December 13, 2025 17:00
@pelikhan pelikhan closed this Dec 13, 2025
@pelikhan pelikhan deleted the copilot/add-schema-descriptions-network branch December 15, 2025 04:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mnkiefer mnkiefer Awaiting requested review from mnkiefer

Assignees

@mnkiefer mnkiefer

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[plan] Add schema descriptions to disambiguate network field contexts

3 participants

@pelikhan @mnkiefer