
Add gh aw domains command to list network domains configured in workflows #21086

Merged
pelikhan merged 2 commits into main from copilot/add-cli-command-list-domains
Mar 15, 2026

Copilot AI commented Mar 15, 2026

Adds a new domains CLI command that surfaces the effective network domain configuration for agentic workflows — both as a summary across all workflows and as a detailed per-workflow view with ecosystem annotations.

Commands

  • gh aw domains — table of all workflows with allowed/blocked domain counts (Workflow | Engine | Allowed | Blocked)
  • gh aw domains <name> — full domain list for a specific workflow with ecosystem labels (Domain | Ecosystem | Status), including domains expanded from ecosystem identifiers (e.g. node, python, github) and engine defaults
  • Both support --json / -j for machine-readable output

Example

$ gh aw domains code-simplifier
✓ Network domains for code-simplifier (engine: copilot)
Domains for code-simplifier
╭──────────────────────────────────────┬─────────┬─────────╮
│Domain                                │Ecosystem│Status   │
├──────────────────────────────────────┼─────────┼─────────┤
│api.github.com                        │         │✓ Allowed│
│go.dev                                │go       │✓ Allowed│
│registry.npmjs.org                    │node     │✓ Allowed│
│...                                   │         │         │
╰──────────────────────────────────────┴─────────┴─────────╯
17 allowed, 0 blocked

$ gh aw domains code-simplifier --json
{
  "workflow": "code-simplifier",
  "engine": "copilot",
  "allowed_domains": ["api.github.com", "go.dev", ...],
  "blocked_domains": []
}

Changes

  • pkg/cli/domains_command.go — new command with RunListDomains / RunWorkflowDomains functions; reuses workflow.GetAllowedDomainsForEngine, workflow.GetBlockedDomains, and workflow.GetDomainEcosystem
  • pkg/cli/workflows.go — extracts extractEngineIDFromFrontmatter(map[string]any) helper shared between extractEngineIDFromFile and the new domains config reader, avoiding duplicate Compiler instantiation
  • cmd/gh-aw/main.go — registers domains in the "Development" command group

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Create a cli command that lists all the network domains and their contents.

gh aw domains
gh aw domains

Support --json or console rendering



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CLI command to list network domains and contents Add gh aw domains command to list network domains configured in workflows Mar 15, 2026
Copilot AI requested a review from pelikhan March 15, 2026 15:46
@pelikhan pelikhan marked this pull request as ready for review March 15, 2026 16:06
Copilot AI review requested due to automatic review settings March 15, 2026 16:06

Copilot AI left a comment


Pull request overview

Adds a new gh aw domains command to inspect the effective network domain allow/block configuration for agentic workflows, with both summary and per-workflow detail views and optional JSON output.

Changes:

  • Introduces domains CLI command with list + per-workflow modes and --json support.
  • Refactors engine ID extraction into a shared extractEngineIDFromFrontmatter helper.
  • Registers the new command in the root CLI and adds unit tests for the new command types/outputs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File | Description
pkg/cli/workflows.go | Extracts shared extractEngineIDFromFrontmatter helper used by multiple CLI features.
pkg/cli/domains_command.go | Implements gh aw domains summary + detail output, JSON formatting, and domain computation.
pkg/cli/domains_command_test.go | Adds unit tests for the new command and related helpers/JSON marshaling.
cmd/gh-aw/main.go | Registers the new domains command under the “development” group.

Comments suppressed due to low confidence (1)

pkg/cli/domains_command.go:234

  • extractWorkflowDomainConfig only reads tools from frontmatter, but the compiler’s effective tool set also includes entries from the legacy mcp-servers section (merged into tools before computing allowed domains). Because GetAllowedDomainsForEngine extracts HTTP MCP domains from the tools map, workflows that use mcp-servers: (without duplicating into tools:) will have missing domains in this command’s output. Suggest also extracting mcp-servers from frontmatter and merging it into toolsMap (same merge semantics as workflow.Compiler.mergeToolsAndMCPServers, i.e., maps.Copy(toolsMap, mcpServers)).
	// Extract tools map from raw frontmatter (tools is kept as map[string]any)
	var toolsMap map[string]any
	if toolsRaw, ok := result.Frontmatter["tools"]; ok {
		toolsMap, _ = toolsRaw.(map[string]any)
	}

	return engineID, config.Network, toolsMap, config.Runtimes


Comment on lines +230 to +276
func TestExtractWorkflowDomainConfig(t *testing.T) {
tmpDir := t.TempDir()

t.Run("workflow with network config", func(t *testing.T) {
content := `---
engine: claude
network:
allowed:
- github
- python
blocked:
- bad.example.com
---
# Test
`
path := filepath.Join(tmpDir, "test.md")
err := os.WriteFile(path, []byte(content), 0600)
require.NoError(t, err, "Failed to write test file")

engineID, network, _, _ := extractWorkflowDomainConfig(path)
assert.Equal(t, "claude", engineID, "Engine should be claude")
require.NotNil(t, network, "Network should not be nil")
assert.Equal(t, []string{"github", "python"}, network.Allowed, "Allowed should match")
assert.Equal(t, []string{"bad.example.com"}, network.Blocked, "Blocked should match")
})

t.Run("workflow without network config defaults to copilot", func(t *testing.T) {
content := `---
engine: copilot
---
# Test
`
path := filepath.Join(tmpDir, "no-network.md")
err := os.WriteFile(path, []byte(content), 0600)
require.NoError(t, err, "Failed to write test file")

engineID, network, _, _ := extractWorkflowDomainConfig(path)
assert.Equal(t, "copilot", engineID, "Engine should be copilot")
assert.Nil(t, network, "Network should be nil when not configured")
})

t.Run("nonexistent file defaults to copilot", func(t *testing.T) {
engineID, network, _, _ := extractWorkflowDomainConfig("/nonexistent/file.md")
assert.Equal(t, "copilot", engineID, "Engine should default to copilot")
assert.Nil(t, network, "Network should be nil for nonexistent file")
})
}
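
Review bot: the second subtest, "workflow without network config defaults to copilot", sets engine: copilot explicitly in its frontmatter, so it never exercises the default; only the nonexistent-file case does. Drop the engine line from that fixture (or rename the subtest) so that a readable file with no engine key is covered. All three subtests also discard the third and fourth return values of extractWorkflowDomainConfig with "_, _", so nothing here checks what the function returns for tools or runtimes; a fixture with a tools: section and an assertion on the returned map would close that gap.
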
Comment on lines +221 to +234
// Parse structured frontmatter config to get NetworkPermissions and runtimes
config, err := workflow.ParseFrontmatterConfig(result.Frontmatter)
if err != nil {
domainsCommandLog.Printf("Failed to parse frontmatter config from %s: %v", filePath, err)
return engineID, nil, nil, nil
}

// Extract tools map from raw frontmatter (tools is kept as map[string]any)
var toolsMap map[string]any
if toolsRaw, ok := result.Frontmatter["tools"]; ok {
toolsMap, _ = toolsRaw.(map[string]any)
}

return engineID, config.Network, toolsMap, config.Runtimes
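
Review bot: the type assertion "toolsMap, _ = toolsRaw.(map[string]any)" discards its ok result, so a tools key that is present but not a map yields a nil toolsMap with no log line, and the caller receives no tools at all without any indication why. Log the failed assertion through domainsCommandLog, as the parse-error branch just above does. That parse-error branch also returns a nil network, which the caller cannot tell apart from a workflow that has no network section; for a command meant to show the effective allow/block configuration, returning the error (or a flag) would let the output say the frontmatter could not be read instead of presenting what looks like an unconfigured workflow.
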
@pelikhan pelikhan merged commit 023192c into main Mar 15, 2026
144 checks passed
@pelikhan pelikhan deleted the copilot/add-cli-command-list-domains branch March 15, 2026 16:26
github-actions bot added a commit that referenced this pull request Mar 15, 2026
Document two user-facing features merged on 2026-03-15 after DDUw's
04:31 UTC scan:

- gh aw domains (PR #21086): new CLI command to list effective network
  domains for each workflow, including ecosystem-expanded domains and
  engine defaults. Added to the Monitoring section of cli.md.

- safe-outputs.allowed-url-domains (PR #21083): new safe-outputs field
  that additively extends the URL sanitization domain allowlist (unions
  with the engine/network base set). Distinct from allowed-domains, which
  replaces the default set. Updated the Text Sanitization section of
  safe-outputs.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>