Verify firewall SSL-bump extraction already implemented #14274

Closed: Copilot wants to merge 3 commits into main from copilot/fix-ssl-bump-extraction

Copilot AI commented Feb 7, 2026

Issue claimed network.firewall.ssl-bump and network.firewall.allow-urls fields were not extracted from frontmatter. Investigation shows extraction was already implemented in frontmatter_extraction_security.go:129-145.

Status

No changes needed. Functionality exists and works correctly:

  • Extraction: Both fields properly extracted with type-safe handling of edge cases
  • Tests: 8 test cases cover normal and error paths (frontmatter_extraction_security_test.go)
  • Integration: Compiled workflows generate correct AWF flags (--ssl-bump --allow-urls)

Implementation

// Extract ssl-bump if present
if sslBump, hasSslBump := firewallObj["ssl-bump"]; hasSslBump {
    if sslBumpBool, ok := sslBump.(bool); ok {
        config.SSLBump = sslBumpBool
    }
}

// Extract allow-urls if present
if allowUrls, hasAllowUrls := firewallObj["allow-urls"]; hasAllowUrls {
    if urlsSlice, ok := allowUrls.([]any); ok {
        for _, url := range urlsSlice {
            if urlStr, ok := url.(string); ok {
                config.AllowURLs = append(config.AllowURLs, urlStr)
            }
        }
    }
}

Note on cleanup-script

The cleanup-script field mentioned in the issue does not exist in the schema. The struct contains a deprecated CleanupScript field extracted from engine.firewall (not network.firewall) but it's unused. No action required.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Code Quality] Fix firewall SSL-bump configuration extraction</issue_title>
<issue_description>## Description

The firewall configuration fields ssl-bump, allow-urls, and cleanup-script are defined in the schema and used in code, but are not extracted from workflow frontmatter. This means users cannot configure these features even though they exist.

Problem Details

Schema defines (pkg/parser/schemas/main_workflow_schema.json):

  • network.firewall.ssl-bump (boolean)
  • network.firewall.allow-urls (array of strings)
  • network.firewall.cleanup-script (string, deprecated)

Struct has fields (pkg/workflow/firewall.go:12-22):

type FirewallConfig struct {
    SSLBump       bool     `yaml:"ssl_bump,omitempty"`
    AllowURLs     []string `yaml:"allow_urls,omitempty"`
    CleanupScript string   `yaml:"cleanup_script,omitempty"`
    // ... other fields
}

Extraction code MISSING (pkg/workflow/frontmatter_extraction_security.go:98-132):

  • The extractFirewallConfig() function only extracts: args, version, log-level
  • It does NOT extract: ssl-bump, allow-urls, cleanup-script
  • These fields remain at zero values (false, nil, empty string)

Used downstream (pkg/workflow/firewall.go:195-218):

  • getSSLBumpArgs() function uses SSLBump and AllowURLs to generate AWF command-line arguments
  • These configure HTTPS content inspection for the firewall

Suggested Changes

Add extraction logic to extractFirewallConfig() in pkg/workflow/frontmatter_extraction_security.go around line 127:

// Extract ssl-bump if present  
if sslBump, hasSslBump := firewallObj["ssl-bump"]; hasSslBump {
    if sslBumpBool, ok := sslBump.(bool); ok {
        config.SSLBump = sslBumpBool
    }
}

// Extract allow-urls if present
if allowUrls, hasAllowUrls := firewallObj["allow-urls"]; hasAllowUrls {
    if urlsSlice, ok := allowUrls.([]any); ok {
        for _, url := range urlsSlice {
            if urlStr, ok := url.(string); ok {
                config.AllowURLs = append(config.AllowURLs, urlStr)
            }
        }
    }
}

// Extract cleanup-script if present (deprecated but still in struct)
if cleanupScript, hasCleanup := firewallObj["cleanup-script"]; hasCleanup {
    if scriptStr, ok := cleanupScript.(string); ok {
        config.CleanupScript = scriptStr
    }
}

Files Affected

  • pkg/workflow/frontmatter_extraction_security.go (add extraction logic)
  • Consider adding tests in pkg/workflow/frontmatter_extraction_security_test.go

Success Criteria

  • ssl-bump, allow-urls, and cleanup-script fields are extracted from workflow frontmatter
  • Hyphenated YAML keys map correctly to camelCase struct fields
  • Tests added for these fields in extraction tests
  • Generated AWF command includes SSL bump args when configured

Source

Extracted from Schema Consistency Analysis discussion github/gh-aw#13862

Priority

High - This is a bug preventing users from configuring an existing feature.

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 7, 2026, 5:23 AM UTC

Comments on the Issue (you are @copilot in this section)
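
The extraction snippet in the comment above skips any value that fails its type assertion, so a frontmatter entry such as `ssl-bump: "true"` (a string) leaves `SSLBump` false without any signal. The following is an added example, not code from the gh-aw repository: `extractStrict` is a hypothetical variant that uses the same keys and assertions but reports each rejected value, `FirewallConfig` is cut down to the two fields discussed, and the input map is constructed.

```go
package main

import "fmt"

// FirewallConfig here carries only the two fields discussed on this page.
type FirewallConfig struct {
	SSLBump   bool
	AllowURLs []string
}

// extractStrict (hypothetical name) applies the same type assertions as the
// snippet above, but records every wrong-typed value instead of skipping it.
func extractStrict(firewallObj map[string]any) (FirewallConfig, []error) {
	var cfg FirewallConfig
	var errs []error
	if v, ok := firewallObj["ssl-bump"]; ok {
		if b, isBool := v.(bool); isBool {
			cfg.SSLBump = b
		} else {
			errs = append(errs, fmt.Errorf("ssl-bump: want bool, got %T", v))
		}
	}
	if v, ok := firewallObj["allow-urls"]; ok {
		list, isList := v.([]any)
		if !isList {
			errs = append(errs, fmt.Errorf("allow-urls: want list, got %T", v))
		}
		// Ranging over a nil slice is a no-op, so a non-list value adds nothing.
		for i, item := range list {
			if s, isStr := item.(string); isStr {
				cfg.AllowURLs = append(cfg.AllowURLs, s)
			} else {
				errs = append(errs, fmt.Errorf("allow-urls[%d]: want string, got %T", i, item))
			}
		}
	}
	return cfg, errs
}

func main() {
	// Constructed input, shaped as a YAML decoder would deliver it:
	// ssl-bump quoted as a string, and one non-string allow-urls entry.
	fw := map[string]any{
		"ssl-bump":   "true",
		"allow-urls": []any{"https://example.com/api/*", 443},
	}
	cfg, errs := extractStrict(fw)
	fmt.Printf("%+v\n%v\n", cfg, errs)
}
```

With the lenient extraction the same input yields the same config but no errors, so a workflow author who quoted the boolean would get a firewall without HTTPS inspection and no indication why.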



Copilot AI and others added 2 commits February 7, 2026 04:40
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix firewall SSL-bump configuration extraction" to "Verify firewall SSL-bump extraction already implemented" Feb 7, 2026
Copilot AI requested a review from pelikhan February 7, 2026 04:42
@pelikhan pelikhan closed this Feb 7, 2026
@github-actions github-actions Bot deleted the copilot/fix-ssl-bump-extraction branch April 2, 2026 13:07
Development

Successfully merging this pull request may close these issues.

[Code Quality] Fix firewall SSL-bump configuration extraction