
[CI Failure Doctor] Strict-mode guard rejects custom network domains in integration tests #15425

@github-actions

🏥 CI Failure Investigation - Run #35378

Summary

Integration suites now fail immediately during compilation because the workflows compiled in the tests set network.allowed to literal custom domains while running on engines (Copilot/Claude) that do not support the LLM gateway in strict mode. The new strict-mode network validation refuses those domains before any test logic executes.

Failure Details

Root Cause Analysis

Every failing test compiles a workflow with engine: copilot or engine: claude and populates network.allowed with explicit domains like github.com, api.github.com, and other non-ecosystem URLs. With strict mode enabled (the default unless strict: false is set) and without LLM gateway support, the compiler raises "strict mode: engine 'copilot' does not support LLM gateway and requires network domains to be from known ecosystems..." and aborts, so none of the integration assertions ever run.

Failed Jobs and Errors

  • Integration: Workflow Tools & MCP failure – compilation aborts with test-ssl-bump.md: error: strict mode: engine 'copilot' does not support LLM gateway and requires network domains to be from known ecosystems (e.g., 'defaults', 'python', 'node').
  • Integration: Workflow Misc Part 2 failure – dozens of tests (allowed-domain sanitization, sandbox-agent defaults, strict-mode helpers, protocol-specific domains) stop with the same strict-mode guard because they compile workflows with custom domains.

Investigation Findings

  • pkg/workflow/firewall_args_integration_test.go creates a workflow that allows github.com/api.github.com plus additional allow-urls, but compiler.CompileWorkflow() now returns a strict-mode error before the lock file is generated.
  • pkg/workflow/allowed_domains_sanitization_test.go, domains_protocol_integration_test.go, and strict_mode_test.go all compile temporary workflows with literal custom domains that do not appear in pkg/workflow/data/ecosystem_domains.json, so the validator rejects them under strict mode for Copilot/Claude.

Recommended Actions

  • Update the integration fixtures so that workflows using custom network.allowed entries either rely on known ecosystem identifiers (e.g., defaults, node) or explicitly set strict: false when compiling with Copilot/Claude, ensuring the compiler no longer rejects them before the test logic runs.
  • Document this strict-mode requirement in docs/src/content/docs/reference/network.md (or the strict-mode testing guide) so authors know to pair custom domains with strict: false for engines that lack LLM gateway support.

Prevention Strategies

  • Add regression coverage that asserts strict-mode validation errors trigger when Copilot workflows list custom domains without strict: false, preventing the rest of the integration test from assuming such workloads compile.
  • Lint the integration fixtures that compile workflows (or add a check in the compiler test harness) to flag network.allowed entries outside the ecosystem map unless strict: false is present.

AI Team Self-Improvement

Before adding workflow samples that whitelist explicit domains for engines without LLM gateway support (Copilot/Claude), verify that either the domains are ecosystem identifiers or that strict: false is set in the frontmatter; otherwise strict mode will block compilation immediately.

Historical Context

This mirrors earlier strict-mode enforcement (see pkg/workflow/strict_mode_validation.go), where Copilot/Claude reject custom domains because they do not support the LLM gateway. Past runs failed for the same reason when the test fixtures did not opt out of strict mode.

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

  • expires on Feb 14, 2026, 2:42 PM UTC
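
The fixture lint proposed under Prevention Strategies, sketched in Go as an added example (not code from the repository or from the CI Failure Doctor report). The names lintFixture, knownEcosystems, noGatewayEngines and sample are hypothetical, the ecosystem set is a stand-in limited to the three identifiers quoted in the error message, and the frontmatter is assumed to use block-style YAML lists.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: stand-in for pkg/workflow/data/ecosystem_domains.json, built from
// the identifiers the issue names; engines are the two it says lack the gateway.
var knownEcosystems = map[string]bool{"defaults": true, "python": true, "node": true}
var noGatewayEngines = map[string]bool{"copilot": true, "claude": true}

// Constructed fixture: Copilot workflow, literal domain, no strict: false.
const sample = "---\nengine: copilot\nnetwork:\n  allowed:\n    - defaults\n    - github.com\n---\n# body"

// lintFixture (hypothetical helper) returns the network.allowed entries the
// strict-mode guard would reject; it reads block-style frontmatter lists only.
func lintFixture(md string) (bad []string) {
	top, section, inAllowed, fences := map[string]string{}, "", false, 0
	for _, raw := range strings.Split(md, "\n") {
		line := strings.TrimSpace(raw)
		if line == "---" {
			fences++
			continue
		}
		if fences != 1 || line == "" {
			continue // outside the frontmatter
		}
		key, val, _ := strings.Cut(line, ":")
		switch {
		case raw == strings.TrimLeft(raw, " \t"): // top-level key
			section, inAllowed = key, false
			top[key] = strings.TrimSpace(val)
		case inAllowed && strings.HasPrefix(line, "- "):
			if d := strings.Trim(line[2:], ` "'`); !knownEcosystems[d] {
				bad = append(bad, d)
			}
		default: // nested key: only network.allowed opens a list we check
			inAllowed = section == "network" && line == "allowed:"
		}
	}
	// Strict mode is the default; only an explicit strict: false opts out.
	if top["strict"] == "false" || !noGatewayEngines[top["engine"]] {
		return nil
	}
	return bad
}

func main() { fmt.Println(lintFixture(sample)) }
```

Run over each fixture a test compiles, a non-empty result marks a workflow that will hit the strict-mode guard before any assertion executes.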
