
[Code Quality] Fix firewall configuration field extraction from YAML frontmatter #13879

@github-actions

Description

The firewall configuration defines three fields in the schema and Go struct (ssl-bump, allow-urls, cleanup-script) but the extraction logic in pkg/workflow/frontmatter_extraction_security.go does not parse these fields from YAML frontmatter. This means users cannot configure SSL inspection features even though the infrastructure exists.

Problem

Current State:

  • Schema defines the fields in pkg/parser/schemas/main_workflow_schema.json
  • FirewallConfig struct has the fields in pkg/workflow/firewall.go:12-22
  • extractFirewallConfig() function only extracts: args, version, log-level
  • Fields ssl-bump, allow-urls, cleanup-script remain at zero values

Impact:

  • SSL bump feature for HTTPS inspection is unusable
  • URL filtering with allow-urls cannot be configured
  • Users cannot enable deep packet inspection

Suggested Changes

File: pkg/workflow/frontmatter_extraction_security.go

Add extraction logic in extractFirewallConfig() function (after line 127):

// Extract ssl-bump if present
if sslBump, hasSslBump := firewallObj["ssl-bump"]; hasSslBump {
    if sslBumpBool, ok := sslBump.(bool); ok {
        config.SSLBump = sslBumpBool
    }
}

// Extract allow-urls if present
if allowUrls, hasAllowUrls := firewallObj["allow-urls"]; hasAllowUrls {
    if urlsSlice, ok := allowUrls.([]any); ok {
        for _, url := range urlsSlice {
            if urlStr, ok := url.(string); ok {
                config.AllowURLs = append(config.AllowURLs, urlStr)
            }
        }
    }
}

// Extract cleanup-script if present (deprecated but still in struct)
if cleanupScript, hasCleanup := firewallObj["cleanup-script"]; hasCleanup {
    if scriptStr, ok := cleanupScript.(string); ok {
        config.CleanupScript = scriptStr
    }
}
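As an added example (not the project's code), a stricter variant of the extraction above in Go: the FirewallConfig shape and the field[T] helper are assumptions, and it goes beyond the issue's snippet by reporting a present key of the wrong type as an error instead of silently leaving the zero value, so a misconfigured ssl-bump: "true" is noticed rather than running with inspection off.

```go
package main

import "fmt"

// Assumed shape; only the three unparsed fields from the issue are shown.
type FirewallConfig struct {
	SSLBump       bool
	AllowURLs     []string
	CleanupScript string
}

// extractFirewallConfig reads the network.firewall mapping of decoded
// frontmatter. Absent keys keep their zero value; a present key holding
// the wrong type is an error rather than a silently ignored setting.
func extractFirewallConfig(fw map[string]any) (cfg *FirewallConfig, err error) {
	cfg = &FirewallConfig{}
	if cfg.SSLBump, err = field[bool](fw, "ssl-bump"); err != nil {
		return nil, err
	}
	if cfg.CleanupScript, err = field[string](fw, "cleanup-script"); err != nil {
		return nil, err
	}
	urls, err := field[[]any](fw, "allow-urls") // YAML lists decode as []any
	if err != nil {
		return nil, err
	}
	for i, item := range urls {
		s, ok := item.(string)
		if !ok {
			return nil, fmt.Errorf("firewall.allow-urls[%d]: expected string, got %T", i, item)
		}
		cfg.AllowURLs = append(cfg.AllowURLs, s)
	}
	return cfg, nil
}

// field returns T's zero value for an absent key and an error for a wrong type.
func field[T any](obj map[string]any, key string) (v T, err error) {
	raw, present := obj[key]
	if !present {
		return v, nil // absent key: zero value, as in the existing extractor
	}
	var ok bool
	if v, ok = raw.(T); !ok {
		err = fmt.Errorf("firewall.%s: expected %T, got %T", key, v, raw)
	}
	return v, err
}
```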

File: pkg/workflow/frontmatter_extraction_security_test.go

Add test cases for the new field extraction:

func TestExtractFirewallConfig_SSLBumpFields(t *testing.T) {
    frontmatter := map[string]any{
        "network": map[string]any{
            "firewall": map[string]any{
                "ssl-bump": true,
                "allow-urls": []any{
                    "https://github.com/githubnext/*",
                    "https://api.github.com/repos/*/issues",
                },
                "log-level": "info",
            },
        },
    }

    config, err := ParseFrontmatterConfig(frontmatter)
    require.NoError(t, err)
    require.NotNil(t, config.Network)
    require.NotNil(t, config.Network.Firewall)

    assert.True(t, config.Network.Firewall.SSLBump)
    assert.Len(t, config.Network.Firewall.AllowURLs, 2)
    assert.Equal(t, "https://github.com/githubnext/*", config.Network.Firewall.AllowURLs[0])
}

Success Criteria

  • ssl-bump boolean field correctly parsed from YAML
  • allow-urls array correctly parsed and stored
  • cleanup-script string correctly parsed (even though deprecated)
  • All tests pass including new test cases
  • Firewall with SSL bump generates correct AWF command-line arguments
  • Documentation updated (see related issue #TBD)

Files Affected

  • pkg/workflow/frontmatter_extraction_security.go (lines 98-132)
  • pkg/workflow/frontmatter_extraction_security_test.go (new tests)
  • pkg/workflow/firewall.go (already uses the fields in getSSLBumpArgs)

Source

Extracted from Schema Consistency Analysis discussion #13862

Discussion finding: "Firewall Configuration Fields Not Extracted from YAML - Schema defines network.firewall.ssl-bump, allow-urls, cleanup-script but extraction code does not parse them."

Priority

High - Core functionality is broken, preventing users from using SSL inspection features despite full implementation being present.

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 6, 2026, 9:14 AM UTC
