[Code Quality] Document firewall SSL bump and allow-urls configuration #13880

@github-actions

Description

The firewall SSL bump feature for HTTPS inspection is fully implemented but completely undocumented. Users have no way to discover this advanced security capability.

Problem

Current Documentation Coverage:

  • network.firewall (boolean and object form)
  • network.firewall.log-level (enum values documented)
  • network.firewall.version (implied by examples)
  • network.firewall.ssl-bump (NOT documented)
  • network.firewall.allow-urls (NOT documented)
  • network.firewall.cleanup-script (NOT documented, deprecated)

Impact:

  • Users cannot discover SSL inspection capabilities
  • Advanced security feature remains hidden
  • HTTPS URL filtering cannot be configured without documentation

Suggested Changes

File: docs/src/content/docs/reference/network.md

Add new section after the log-level section (after line 262):

### SSL Bump for HTTPS Inspection

Enable SSL bump to let the firewall inspect HTTPS traffic and filter by URL path. With SSL bump the firewall terminates TLS itself (a deliberate man-in-the-middle) so it can see the request URL inside the encrypted session; without it, only the destination host is visible to the firewall, so HTTPS traffic can be filtered by host but not by path.

```yaml
network:
  firewall:
    ssl-bump: true
    allow-urls:
      - "https://github.com/githubnext/*"
      - "https://api.github.com/repos/*/issues"
      - "(pypi.org/redacted)
  allowed:
    - defaults
```

Configuration:

  • ssl-bump (boolean): Terminate and re-originate TLS in the firewall so HTTPS requests can be inspected
  • allow-urls (array of strings): URL patterns permitted through the firewall; path-level matching on HTTPS requires ssl-bump, since an opaque TLS session exposes only the destination host

How it works:

  1. The AWF firewall intercepts outbound HTTPS connections from the container
  2. It terminates TLS by presenting a certificate it issues under a CA the container trusts, then decrypts the request
  3. It checks the full request URL against the allow-urls patterns
  4. For allowed requests it opens its own TLS connection to the destination and forwards the traffic; anything else is blocked

Security Considerations:

  • SSL bump requires installing the firewall's CA certificate in the container's trust store; clients that pin certificates or use their own trust store will fail to connect
  • Only use SSL bump when you need to filter HTTPS by path; host-level filtering does not require it
  • The firewall sees decrypted HTTPS traffic, including request bodies and credentials such as bearer tokens, so it must be treated as a trusted component
  • Use specific URL patterns to minimize what is allowed through the inspected channel

Example Use Cases:

  • Allow GitHub API access but block other HTTPS sites
  • Permit Python package downloads from PyPI only
  • Restrict npm package installations to specific registries

Note: Requires the AWF firewall to be enabled. Because every HTTPS request is terminated, inspected and re-encrypted, this adds latency and CPU cost that may be noticeable for high-volume workflows.
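The following is an added example, not part of the proposed documentation and not AWF's own matcher. It models why the host-only view of an opaque TLS session cannot enforce the path-level patterns above, and what the firewall can check once it terminates TLS. The glob semantics (`*` spans any run of characters including `/`, the host must match literally, query strings are ignored) are an assumption for illustration; the real allow-urls matching rules are whatever AWF implements.

```python
"""Added example (not AWF code): what an HTTPS allow-list can and cannot
enforce with and without TLS termination (ssl-bump).

Assumed pattern semantics: scheme and host must match literally, the path is
matched as a glob where "*" may span "/" characters, and the query string is
ignored. This is an assumption for illustration, not AWF's actual rule set.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allow-list in the shape of the docs example above.
ALLOW_URLS = [
    "https://github.com/githubnext/*",
    "https://api.github.com/repos/*/issues",
]


def _split(pattern_or_url):
    """Return (scheme, host, path) with the host lowercased and an empty
    path normalised to "/". The query string is deliberately dropped."""
    parts = urlsplit(pattern_or_url)
    return parts.scheme, parts.hostname, parts.path or "/"


def host_visible_without_bump(url, patterns):
    """Without ssl-bump the firewall only sees the TLS SNI / CONNECT target.
    It cannot see the path, so any path on an allowed host gets through."""
    _, host, _ = _split(url)
    return any(host == _split(p)[1] for p in patterns)


def url_allowed_with_bump(url, patterns):
    """With ssl-bump the firewall sees the full request line after TLS
    termination, so scheme, host and path can all be enforced."""
    scheme, host, path = _split(url)
    for p in patterns:
        p_scheme, p_host, p_path = _split(p)
        if scheme == p_scheme and host == p_host and fnmatchcase(path, p_path):
            return True
    return False


def needs_ssl_bump(patterns):
    """True if any pattern constrains more than the host. Such patterns cannot
    be enforced on encrypted traffic without terminating TLS, which is the
    practical test for "only enable ssl-bump when you need it"."""
    return any(_split(p)[2] not in ("/", "/*") for p in patterns)


if __name__ == "__main__":
    # Constructed sample requests an agent might issue.
    samples = [
        "https://api.github.com/repos/github/gh-aw/issues",  # intended
        "https://api.github.com/repos/github/gh-aw/pulls",   # same host, wrong path
        "https://api.github.com/user",                       # same host, wrong path
        "https://evil.example/githubnext/gh-aw",             # wrong host
    ]
    print("patterns need ssl-bump:", needs_ssl_bump(ALLOW_URLS))
    for u in samples:
        print(f"{u:55} host-only={host_visible_without_bump(u, ALLOW_URLS)!s:5} "
              f"bumped={url_allowed_with_bump(u, ALLOW_URLS)}")
```

Running it shows the gap the page is pointing at: without ssl-bump, `https://api.github.com/user` passes because only `api.github.com` is visible, while with ssl-bump only the `/repos/*/issues` path is accepted. `needs_ssl_bump` is the check to run before turning the feature on: an allow-list made only of host-wide patterns such as `https://pypi.org/*` does not justify terminating TLS.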


## Success Criteria

- [ ] SSL bump section added to network.md after log-level
- [ ] Configuration parameters documented (ssl-bump, allow-urls)
- [ ] YAML example provided
- [ ] Security considerations explained
- [ ] Example use cases included
- [ ] Documentation builds successfully
- [ ] Cross-references from firewall overview section

## Files Affected

- `docs/src/content/docs/reference/network.md` (add section after line 262)

## Related Issues

This documentation depends on issue #TBD (Fix firewall field extraction) being resolved first, as the fields are currently not parsed from YAML.

## Source

Extracted from [Schema Consistency Analysis discussion #13862](https://github.com/github/gh-aw/discussions/13862)

**Discussion finding**: "Firewall Advanced Features Not Documented - ssl-bump and allow-urls are implemented but users cannot discover these capabilities."

## Priority

**Medium** - Documentation gap preventing discovery of advanced security features.






> AI generated by [Discussion Task Miner - Code Quality Improvement Agent](https://github.com/github/gh-aw/actions/runs/21705434918)
> - [x] expires on Feb 6, 2026, 9:14 AM UTC
