[plan] Fix schema/code inconsistencies: engine.firewall dead code, error_patterns removal, and network.firewall.cleanup-script #23421

@github-actions

Context

This issue tracks three schema/code inconsistencies identified in the Schema Consistency Check for 2026-03-29.


Finding 1 (HIGH): engine.firewall — dead extraction code

Problem: ExtractEngineConfig() in pkg/workflow/engine.go:280–314 extracts engineObj["firewall"] into EngineConfig.Firewall, but EngineConfig.Firewall is never read after being set. Additionally, firewall is not a valid property in any of the engine_config.oneOf schema variants (all have additionalProperties: false), so users who configure it get a schema validation error before the dead code is even reached.

Fix: Remove the dead extraction block (engine.go:280–314) and the Firewall *FirewallConfig field from EngineConfig.

Files:

  • pkg/workflow/engine.go — remove the firewall extraction block (lines ~280–314) and the Firewall field from EngineConfig

Finding 2 (HIGH): error_patterns — removed from runtime, still in schema and example

Problem: error_patterns is still defined in engine_config.oneOf[1].properties in the schema and demoed in pkg/cli/workflows/example-custom-error-patterns.md, but the feature has been removed from the runtime (evidence: comments in audit_report.go:293 and logs_report.go:922–924). Users who configure it per the schema/example will have the setting silently ignored.

Fix: Remove error_patterns from the schema and remove or archive the example workflow.

Files:

  • pkg/parser/schemas/ — remove error_patterns from engine_config.oneOf[1].properties
  • pkg/cli/workflows/example-custom-error-patterns.md — delete or archive

Finding 3 (MEDIUM): network.firewall.cleanup-script — in schema but not extracted

Problem: The network.firewall object schema variant defines a cleanup-script property, but extractFirewallConfig() in pkg/workflow/frontmatter_extraction_security.go:99–147 does not extract it. FirewallConfig.CleanupScript is only written from the dead engine.firewall path (Finding 1) and never consumed in compilation.

Fix: Since CleanupScript is never read in the compilation pipeline, remove cleanup-script from the network.firewall schema definition and drop the CleanupScript field from FirewallConfig.

Files:

  • pkg/parser/schemas/ — remove cleanup-script from network.firewall object variant
  • pkg/workflow/frontmatter_types.go (or wherever FirewallConfig is defined) — remove CleanupScript field

Acceptance Criteria

  • EngineConfig.Firewall field and its extraction code in engine.go are removed
  • error_patterns is removed from the engine_config schema
  • example-custom-error-patterns.md is deleted or archived
  • cleanup-script is removed from the network.firewall schema
  • FirewallConfig.CleanupScript field is removed (if no longer needed by any path)
  • make build succeeds after schema changes (schemas are embedded via //go:embed)
  • make agent-finish passes (build, test, lint, fmt)
  • make recompile runs cleanly after any workflow changes

Generated by Plan Command for issue #discussion #23416

  • expires on Mar 31, 2026, 10:42 AM UTC
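
The three findings above are two kinds of drift: keys the schema accepts but the code never reads (error_patterns, cleanup-script) and keys the code extracts that a closed schema (additionalProperties: false) rejects first (engine.firewall). The following Go sketch of such a check is an added example, not the project's own Schema Consistency Check; the schema fragment, the list of extracted keys, and the name Drift are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed schema fragment for illustration; not the project's real schema.
const sampleSchema = `{
 "engine": {"additionalProperties": false, "properties": {"id": {}, "error_patterns": {}}},
 "network.firewall": {"additionalProperties": false, "properties": {"version": {}, "cleanup-script": {}}}
}`
// Constructed list of the keys the runtime code reads from each object.
var extracted = map[string][]string{"engine": {"id", "firewall"}, "network.firewall": {"version"}}

type objectSchema struct {
	AdditionalProperties json.RawMessage            `json:"additionalProperties"`
	Properties           map[string]json.RawMessage `json:"properties"`
}

// Drift reports keys the schema accepts but code never reads (schemaOnly) and
// keys code reads that a closed schema rejects before they are reached (codeOnly).
func Drift(schemaJSON string, code map[string][]string) (schemaOnly, codeOnly []string, err error) {
	var schema map[string]objectSchema
	if err = json.Unmarshal([]byte(schemaJSON), &schema); err != nil {
		return nil, nil, err
	}
	for obj, s := range schema {
		closed := string(s.AdditionalProperties) == "false"
		read := map[string]bool{}
		for _, k := range code[obj] {
			read[k] = true
			if _, ok := s.Properties[k]; !ok && closed {
				codeOnly = append(codeOnly, obj+"."+k)
			}
		}
		for k := range s.Properties {
			if !read[k] {
				schemaOnly = append(schemaOnly, obj+"."+k)
			}
		}
	}
	sort.Strings(schemaOnly)
	sort.Strings(codeOnly)
	return schemaOnly, codeOnly, nil
}

func main() {
	fmt.Println(Drift(sampleSchema, extracted))
}
```

Run in CI against the embedded schemas, a check like this fails the build when a security-relevant setting such as a firewall option is accepted by validation but has no effect at runtime.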
