Document SSL-bump feature for AWF firewall #14266

Merged
pelikhan merged 2 commits into main from copilot/document-ssl-bump-feature on Feb 7, 2026
Conversation


Copilot AI commented Feb 7, 2026

The AWF firewall's SSL-bump feature existed in schema and code but was undocumented in the network reference.

Changes

Added "SSL Bump for HTTPS Inspection" section to docs/src/content/docs/reference/network.md:

  • Configuration parameters: ssl-bump (boolean, enables HTTPS inspection) and allow-urls (array of HTTPS URL patterns with wildcard support)
  • Security considerations: HTTPS interception behavior, man-in-the-middle implications, AWF-specific (not SRT), requires v0.9.0+
  • Usage guidance: When to use URL path filtering vs domain-only filtering

Example

```yaml
network:
  firewall:
    ssl-bump: true
    allow-urls:
      - "https://github.com/githubnext/*"
      - "https://api.github.com/repos/*/issues"
    log-level: debug
  allowed:
    - defaults
    - "github.com"
```

Enables deep packet inspection of HTTPS traffic, allowing the firewall to filter on URL paths instead of just domain names. Positioned after the log-level section to maintain logical flow with the other firewall configuration options.

Original prompt

This section details the original issue you should resolve

<issue_title>[Code Quality] Document firewall SSL-bump feature</issue_title>
<issue_description>## Description

The network documentation (docs/src/content/docs/reference/network.md) mentions the log-level field but does NOT document the SSL-bump feature and related configuration options.

Current Documentation Coverage

  • network.firewall (boolean and object form)
  • network.firewall.log-level (enum values documented, lines 243-262)
  • network.firewall.version (implied by examples)
  • network.firewall.ssl-bump (NOT documented)
  • network.firewall.allow-urls (NOT documented)

Missing Feature

The firewall supports SSL bump for HTTPS inspection:

  • ssl-bump: Enable SSL interception for HTTPS URL filtering
  • allow-urls: URL patterns to allow when SSL bump is enabled

This feature exists in the schema and code but is not documented.

Suggested Changes

Add to docs/src/content/docs/reference/network.md after the log-level section (after line 262):

### SSL Bump for HTTPS Inspection

Enable SSL bump to allow the firewall to inspect HTTPS traffic and filter by URL path:

```yaml
network:
  firewall:
    ssl-bump: true
    allow-urls:
      - "https://github.com/githubnext/*"
      - "https://api.github.com/repos/*/issues"
  allowed:
    - defaults
```

Note: SSL bump requires the AWF firewall and enables deep packet inspection of HTTPS traffic. Use allow-urls to specify URL patterns that should be permitted through the firewall.

Security Considerations:

  • SSL bump intercepts and decrypts HTTPS traffic for inspection
  • Only enable when URL-level filtering is necessary
  • Use allow-urls patterns carefully to avoid breaking legitimate HTTPS connections

## Files Affected

- `docs/src/content/docs/reference/network.md` (add SSL-bump section)

## Success Criteria

- [ ] SSL-bump feature documented with examples
- [ ] `allow-urls` parameter explained with URL pattern examples
- [ ] Security considerations noted (HTTPS interception)
- [ ] Documentation consistent with other firewall features

## Dependencies

This documentation complements #aw_firewall_extraction (fix extraction bug). Once that bug is fixed, users can actually use this documented feature.

## Source

Extracted from [Schema Consistency Analysis discussion github/gh-aw#13862](https://github.com/github/gh-aw/discussions/13862)

## Priority

**Medium** - Documentation gap for existing feature. Should be documented once extraction bug (#aw_firewall_extraction) is fixed.


<!-- gh-aw-tracker-id: discussion-task-miner -->
> AI generated by [Discussion Task Miner - Code Quality Improvement Agent](https://github.com/github/gh-aw/actions/runs/21739679187)
> - [x] expires <!-- gh-aw-expires: 2026-02-07T05:23:42.145Z --> on Feb 7, 2026, 5:23 AM UTC

<!-- gh-aw-agentic-workflow: Discussion Task Miner - Code Quality Improvement Agent, gh-aw-tracker-id: discussion-task-miner, engine: copilot, run: https://github.com/github/gh-aw/actions/runs/21739679187 -->

<!-- gh-aw-workflow-id: discussion-task-miner --></issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


- Document ssl-bump feature for HTTPS inspection
- Add allow-urls parameter with URL pattern examples
- Include security considerations and usage examples
- Add "When to Use SSL Bump" guidance section
- Place documentation after log-level section as requested

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Document firewall SSL-bump feature and configuration options" to "Document SSL-bump feature for AWF firewall" on Feb 7, 2026
Copilot AI requested a review from pelikhan February 7, 2026 03:58
@pelikhan pelikhan marked this pull request as ready for review February 7, 2026 03:59
Copilot AI review requested due to automatic review settings February 7, 2026 03:59
@pelikhan pelikhan merged commit 4e6cf12 into main Feb 7, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/document-ssl-bump-feature branch February 7, 2026 03:59

Copilot AI left a comment

Pull request overview

Adds missing documentation for the AWF firewall’s SSL-bump (HTTPS inspection) capability in the network reference, aligning the docs with existing schema/code support.

Changes:

  • Documented network.firewall.ssl-bump and network.firewall.allow-urls configuration options.
  • Added usage examples (including with log-level) plus caution/tip guidance around HTTPS interception and when to use URL-path filtering.

```yaml
      - "https://github.com/githubnext/*"
      - "https://api.github.com/repos/*/issues"
  allowed:
    - defaults
```
Copilot AI Feb 7, 2026


The first example enables ssl-bump with allow-urls, but the network.allowed list only contains defaults. In the compiler/engines AWF is still invoked with --allow-domains derived from network.allowed; allow-urls is additive and does not replace the domain allowlist. As written, this example would still block github.com/api.github.com unless those domains (or the github ecosystem) are included in network.allowed.

Suggestion: update this example to include the corresponding domains in network.allowed, or add an explicit note that allow-urls refines HTTPS access after the domain allowlist is satisfied.

Suggested change
- defaults
- defaults
- github.com
- api.github.com

Copilot uses AI. Check for mistakes.
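The PR description's example and the review comment above together describe a two-stage decision: the domain allowlist in `network.allowed` is always enforced (AWF is invoked with `--allow-domains` derived from it), and `allow-urls` only refines HTTPS requests once `ssl-bump` is on. The following Python model is an added example and not gh-aw or AWF code; it exists to make the reviewer's point checkable. Everything not stated on the page is an assumption: `*` is treated as a shell-style wildcard (`fnmatch`), `defaults` is expanded to a constructed placeholder set that does not contain github.com, and an HTTPS request whose domain passes stage one but matches no `allow-urls` pattern is blocked.

```python
"""Toy model of the firewall decision discussed in PR #14266.

Added example, NOT the gh-aw/AWF implementation. Labelled assumptions:
- network.allowed is a domain allowlist and is checked first (the review comment's point).
- allow-urls applies only when ssl-bump is true and is checked after the domain stage.
- '*' is a shell-style wildcard (fnmatch); it also spans '/' in this model.
- the 'defaults' keyword expands to a constructed placeholder set without github.com
  (the review comment says the example as written would still block github.com).
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed placeholder for the "defaults" ecosystem; not the project's real list.
DEFAULT_DOMAINS = {"pypi.org", "registry.npmjs.org"}


def resolve_allowed(allowed):
    """Expand the network.allowed list into a set of hostnames."""
    domains = set()
    for entry in allowed:
        if entry == "defaults":
            domains |= DEFAULT_DOMAINS
        else:
            domains.add(entry.lower())
    return domains


def domain_allowed(host, domains):
    """Exact host match, or a subdomain of an allowed domain (assumed semantics)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, network):
    """Return (allowed, reason) for one HTTPS request under a network: config."""
    host = urlsplit(url).hostname or ""
    fw = network.get("firewall", {})
    if isinstance(fw, bool):  # boolean form of network.firewall: no ssl-bump options
        fw = {}
    # Stage 1: the domain allowlist from network.allowed is always enforced.
    if not domain_allowed(host, resolve_allowed(network.get("allowed", []))):
        return False, f"domain {host} not in network.allowed"
    # Stage 2: with ssl-bump on, the decrypted request URL is matched against allow-urls.
    # Caveat of this toy model: fnmatch also treats '?' and '[' as wildcards, so a
    # real implementation needs its own, documented pattern syntax.
    if fw.get("ssl-bump"):
        patterns = fw.get("allow-urls", [])
        if patterns and not any(fnmatchcase(url, p) for p in patterns):
            return False, "no allow-urls pattern matched"
        return True, "domain allowed and allow-urls matched"
    return True, "domain allowed (no HTTPS inspection)"


ALLOW_URLS = ["https://github.com/githubnext/*", "https://api.github.com/repos/*/issues"]

# The first example in the PR as written: network.allowed only contains "defaults".
AS_WRITTEN = {
    "firewall": {"ssl-bump": True, "allow-urls": ALLOW_URLS},
    "allowed": ["defaults"],
}

# The reviewer's suggested change: list the corresponding domains in network.allowed.
SUGGESTED = {
    "firewall": {"ssl-bump": True, "allow-urls": ALLOW_URLS},
    "allowed": ["defaults", "github.com", "api.github.com"],
}

# Domain-only filtering for comparison: ssl-bump off, so no URL path refinement.
DOMAIN_ONLY = {"firewall": {"log-level": "debug"}, "allowed": ["github.com"]}

if __name__ == "__main__":
    for label, cfg in (("as written", AS_WRITTEN), ("suggested", SUGGESTED), ("domain-only", DOMAIN_ONLY)):
        for url in ("https://github.com/githubnext/gh-aw",
                    "https://github.com/other-org/repo",
                    "https://api.github.com/repos/github/gh-aw/issues"):
            print(f"[{label}] {url} -> {decide(url, cfg)}")
```

Running the block shows the reviewer's case directly: under `AS_WRITTEN` every github.com request fails at stage one regardless of `allow-urls`, while under `SUGGESTED` the domain stage passes and only the URL patterns decide. The model also exposes why the issue text says to use `allow-urls` carefully: once `ssl-bump` is on with a non-empty pattern list, traffic to domains that are allowed only through `defaults` is, in this model, also subject to the URL patterns.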

Development

Successfully merging this pull request may close these issues.

[Code Quality] Document firewall SSL-bump feature

3 participants