[docs] Update documentation for features from 2026-03-29

docs/public/editor/autocomplete-data.json

@@ -658,11 +658,6 @@
               "type": "array",
               "desc": "URL patterns to allow for HTTPS traffic (requires ssl-bump: true).",
               "array": true
-            },
-            "cleanup-script": {
-              "type": "string",
-              "desc": "Path to cleanup script run after AWF shuts down (default: ./scripts/ci/cleanup.sh)",
-              "leaf": true
             }
           }
         }

docs/src/content/docs/reference/cache-memory.md

@@ -103,6 +103,26 @@ For unlimited retention with version control, see [Repo Memory](/gh-aw/reference
 - **File access issues**: Create subdirectories first, verify permissions, use absolute paths.
 - **Cache size issues**: Track growth, clear periodically, or use time-based keys for auto-expiration.
 
+## Integrity-Aware Caching
+
+When a workflow uses `tools.github.min-integrity`, cache-memory automatically applies integrity-level isolation. Cache keys include the workflow's integrity level and a hash of the guard policy so that changing any policy field forces a cache miss.
+
+The compiler generates git-backed branching steps around the agent. Before the agent runs, it checks out the matching integrity branch and merges down from all higher-integrity branches (higher integrity always wins conflicts). After the agent runs, changes are committed to that branch. The agent itself sees only plain files — the `.git/` directory rides along transparently in the Actions cache tarball.
+
+### Merge semantics
+
+| Run integrity | Sees data written by | Cannot see |
+|---|---|---|
+| `merged` | `merged` only | `approved`, `unapproved`, `none` |
+| `approved` | `approved` + `merged` | `unapproved`, `none` |
+| `unapproved` | `unapproved` + `approved` + `merged` | `none` |
+| `none` | all levels | — |
+
+This prevents a lower-integrity agent from poisoning data that a higher-integrity run would later read.
+
+> [!NOTE]
+> Existing caches will get a cache miss on first run after upgrading to a version that includes this feature — intentional, as legacy data has no integrity provenance.
+
 ## Security
 
 Don't store sensitive data in cache memory. Cache memory follows repository permissions.

docs/src/content/docs/reference/frontmatter-full.md

@@ -1549,31 +1549,6 @@ engine:
   env:
     {}
 
-  # Custom error patterns for validating agent logs
-  # (optional)
-  error_patterns: []
-    # Array items:
-      # Unique identifier for this error pattern
-      # (optional)
-      id: "example-value"
-
-      # Ecma script regular expression pattern to match log lines
-      pattern: "example-value"
-
-      # Capture group index (1-based) that contains the error level. Use 0 to infer from
-      # pattern content.
-      # (optional)
-      level_group: 1
-
-      # Capture group index (1-based) that contains the error message. Use 0 to use the
-      # entire match.
-      # (optional)
-      message_group: 1
-
-      # Human-readable description of what this pattern matches
-      # (optional)
-      description: "Description of the workflow"
-
   # Additional TOML configuration text that will be appended to the generated
   # config.toml in the action (codex engine only)
   # (optional)

docs/src/content/docs/reference/frontmatter.md

@@ -423,6 +423,22 @@ Debug workflow using script mode for custom actions.
 
 **Note:** The `action-mode` can also be overridden via the CLI flag `--action-mode` or the environment variable `GH_AW_ACTION_MODE`. The precedence is: CLI flag > feature flag > environment variable > auto-detection.
 
+#### DIFC Proxy (`features.difc-proxy`)
+
+Opt in to DIFC (Data Integrity and Flow Control) proxy injection. When enabled alongside `tools.github.min-integrity`, the compiler inserts proxy steps around the agent that enforce integrity-level isolation at the network boundary.
+
+```yaml wrap
+features:
+  difc-proxy: true
+tools:
+  github:
+    min-integrity: approved
+```
+
+Without this flag, configuring `min-integrity` alone performs content filtering at the MCP gateway level but does not inject the additional proxy steps. Enable `difc-proxy` when you need the full proxy-based enforcement.
+
+The flag can also be set via the environment variable `GH_AW_FEATURES=difc-proxy`.
+
 ### AI Engine (`engine:`)
 
 Specifies which AI engine interprets the markdown section. See [AI Engines](/gh-aw/reference/engines/) for details.