Problem
PR #24997 introduced the cli-proxy-writable feature flag alongside cli-proxy. The cli-proxy-writable flag injects --cli-proxy-writable into the AWF command, enabling write operations (create issue, merge PR, etc.) via the gh CLI proxy sidecar.
Decision: The gh CLI in the agent container should only support read-only operations. The cli-proxy-writable flag should be removed entirely from the frontmatter schema and compiler.
What to remove
pkg/constants/feature_constants.go
- Remove CliProxyWritableFeatureFlag constant and its doc comment
pkg/workflow/awf_helpers.go
- Remove the cli-proxy-writable injection block:
    // Allow write operations when cli-proxy-writable feature flag is also set
    if isFeatureEnabled(constants.CliProxyWritableFeatureFlag, config.WorkflowData) {
        awfArgs = append(awfArgs, "--cli-proxy-writable")
        ...
    }
pkg/workflow/awf_helpers_test.go
- Remove test case: "includes --cli-proxy-writable when cli-proxy-writable feature flag is enabled"
- Remove test case: "does not include --cli-proxy-writable without --enable-cli-proxy"
- Remove --cli-proxy-writable assertions from remaining test cases (e.g., the old-version skip test)
- Update test case descriptions that reference writable
.changeset/minor-add-cli-proxy-feature-flag.md
- Update description to remove mention of cli-proxy-writable
PR description / docs
- Update any documentation referencing cli-proxy-writable: true in frontmatter examples
Context
The gh CLI proxy sidecar gives agents secure gh access without exposing GITHUB_TOKEN. Restricting it to read-only ensures agents cannot make unintended mutations through the CLI path. Write operations should continue to go through the existing safe-outputs / GitHub MCP tool path, which has proper guard policies and audit logging.
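A regression guard for the read-only decision above, as an added example that is not code from the project. The function names and the feature map shape are hypothetical, and it assumes the compiler rejects the removed key rather than silently ignoring it; only the flag and feature strings come from this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// All names below are hypothetical; only the flag and feature strings come from the issue.
const writableFlag = "--cli-proxy-writable"

// removedFeatures lists frontmatter feature keys that must no longer be accepted.
var removedFeatures = []string{"cli-proxy-writable"}

// checkFeatures returns one error per removed feature that a workflow still enables.
func checkFeatures(features map[string]bool) []error {
	var errs []error
	for _, key := range removedFeatures {
		if features[key] {
			errs = append(errs, fmt.Errorf("feature %q was removed: gh CLI proxy is read-only", key))
		}
	}
	return errs
}

// buildProxyArgs stands in for the compiler step after the removal:
// the proxy can be enabled, but no feature can add the write flag.
func buildProxyArgs(features map[string]bool) []string {
	var args []string
	if features["cli-proxy"] {
		args = append(args, "--enable-cli-proxy")
	}
	return args
}

// hasWritableFlag checks a generated argument list; the "=value" form is matched defensively.
func hasWritableFlag(args []string) bool {
	for _, a := range args {
		if a == writableFlag || strings.HasPrefix(a, writableFlag+"=") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed frontmatter: an old workflow that still requests write access.
	stale := map[string]bool{"cli-proxy": true, "cli-proxy-writable": true}
	fmt.Println(checkFeatures(stale), buildProxyArgs(stale), hasWritableFlag(buildProxyArgs(stale)))
}
```

Running hasWritableFlag over every compiled argument list in the test suite catches a reintroduced write path even if it arrives through a differently named feature key.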