Copilot AI commented Jan 14, 2026

  • Analyze v0.9.0 release notes and identify features to implement
  • Update DefaultFirewallVersion from v0.8.2 to v0.9.0 in pkg/constants/constants.go
  • Add SSLBump boolean field to FirewallConfig struct for HTTPS content inspection
  • Add AllowURLs string slice field to FirewallConfig struct for URL path filtering
  • Update JSON schemas to include new ssl-bump and allow-urls properties
  • Update AWF command builder in all engines (Copilot, Claude, Codex) to use shared getSSLBumpArgs helper function
  • Add unit tests for new firewall features
  • Add unit test for getSSLBumpArgs helper function
  • Code review feedback addressed: extracted duplicated SSL Bump logic into shared helper
  • Clarify in docs/comments that SSL Bump and allow-urls are AWF-specific features (not SRT)
  • Run linting and verify tests pass
  • Run security check with codeql_checker - no vulnerabilities found

Summary

This PR updates gh-aw-firewall from v0.8.2 to v0.9.0 and adds support for:

  • SSL Bump (ssl-bump: true): Enables HTTPS content inspection for URL path filtering
  • URL Pattern Filtering (allow-urls): Restricts HTTPS access to specific URL patterns with wildcards

Note: These features are specific to AWF (Agent Workflow Firewall) and do not apply to Sandbox Runtime (SRT).

Usage Example

```yaml
network:
  allowed:
    - github.com
  firewall:
    ssl-bump: true
    allow-urls:
      - "https://github.com/githubnext/*"
      - "https://api.github.com/repos/*"
```

Original prompt

update firewall to v0.9.0

you should first understand these release notes, and then choose features that make sense to the gh-aw repo to implement:

https://github.com/githubnext/gh-aw-firewall/releases/tag/v0.9.0


Copilot AI and others added 3 commits January 14, 2026 18:22
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
…support

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
…SSLBumpArgs

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Update firewall to version 0.9.0 Update firewall to v0.9.0 with SSL Bump and URL path filtering support Jan 14, 2026
Copilot AI requested a review from Mossaka January 14, 2026 18:46
@Mossaka Mossaka added the smoke label Jan 14, 2026

github-actions bot commented Jan 14, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions bot commented Jan 14, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Jan 14, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 14, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Smoke Test Results - Copilot Engine

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully retrieved merged PRs
  • ❌ Serena Go: go command not available
  • ✅ Playwright: Navigated to GitHub (title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
  • ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-21005890128.txt
  • ✅ Bash Tool: Verified file creation

Overall Status: FAIL (1/5 tests failed)

cc @Mossaka

AI generated by Smoke Copilot

@github-actions

Smoke Test Results - Claude Engine

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved 2 merged PRs
  • ✅ Serena Go: Tool initialized successfully
  • ✅ Playwright: Navigated to github.com (title contains "GitHub")
  • ✅ Tavily Search: Found 3 results for "GitHub Agentic Workflows"
  • ✅ File Writing: Created test file successfully
  • ✅ Bash Tool: Verified file contents

Overall Status: PASS

AI generated by Smoke Claude

@Mossaka Mossaka requested review from Copilot and removed request for Mossaka January 14, 2026 21:10
@Mossaka Mossaka marked this pull request as ready for review January 14, 2026 21:10

Mossaka commented Jan 14, 2026

@copilot these features are exclusive to awf firewall and not to the agent-sandbox. Can you be explicit about it


Copilot AI left a comment

Pull request overview

This PR updates the gh-aw-firewall to v0.9.0 and implements support for new SSL Bump and URL path filtering features. The update enables HTTPS content inspection and path-based filtering beyond domain-only restrictions.

Changes:

  • Bumped default firewall version from v0.8.2 to v0.9.0
  • Added SSLBump and AllowURLs fields to FirewallConfig struct
  • Implemented getSSLBumpArgs() helper function for consistent SSL Bump argument generation across all engines
  • Updated JSON schemas with validation patterns requiring https:// scheme for allowed URLs
  • Recompiled all workflow lock files to reference the new v0.9.0 version

Reviewed changes

Copilot reviewed 128 out of 128 changed files in this pull request and generated no comments.

Show a summary per file
| File | Description |
| --- | --- |
| pkg/constants/constants.go | Updated DefaultFirewallVersion constant from v0.8.2 to v0.9.0 |
| pkg/workflow/firewall.go | Added SSLBump and AllowURLs fields to FirewallConfig struct and implemented getSSLBumpArgs() helper |
| pkg/workflow/firewall_test.go | Added comprehensive test suite for getSSLBumpArgs() function |
| pkg/workflow/firewall_args_test.go | Added integration tests verifying SSL Bump flags in AWF commands |
| pkg/workflow/copilot_engine_execution.go | Integrated getSSLBumpArgs() into Copilot engine execution |
| pkg/workflow/claude_engine.go | Integrated getSSLBumpArgs() into Claude engine execution |
| pkg/workflow/codex_engine.go | Integrated getSSLBumpArgs() into Codex engine execution |
| pkg/parser/schemas/*.json | Added ssl-bump and allow-urls schema properties with validation |
| .github/workflows/*.lock.yml | Updated all workflow lock files to use v0.9.0 |
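
As an added example (not code from this PR or from gh-aw): a small Go check for the `ssl-bump` and `allow-urls` settings described above, flagging `allow-urls` without `ssl-bump`, patterns that are not `https://`, and patterns that do not actually restrict the path. `Lint` and `Match` are hypothetical names, and the wildcard semantics (`*` matches any run of characters) are an assumption about the firewall's behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Lint returns one finding per ineffective or overly broad setting.
// Hypothetical helper for this example; not gh-aw's getSSLBumpArgs or FirewallConfig.
func Lint(sslBump bool, allowURLs []string) []string {
	var out []string
	if len(allowURLs) > 0 && !sslBump {
		out = append(out, "allow-urls without ssl-bump: paths are not visible without HTTPS inspection")
	}
	for _, pat := range allowURLs {
		host, path, _ := strings.Cut(strings.TrimPrefix(pat, "https://"), "/")
		switch {
		case !strings.HasPrefix(pat, "https://"):
			out = append(out, pat+": must use the https:// scheme")
		case host == "" || strings.Contains(host, "*"):
			out = append(out, pat+": host is empty or wildcarded")
		case path == "" || path == "*":
			out = append(out, pat+": no path restriction, same as allowing the whole domain")
		}
	}
	return out
}

// Match reports whether url fits pat. Assumed semantics: "*" matches any run of characters.
func Match(pat, url string) bool {
	parts := strings.Split(pat, "*")
	if len(parts) == 1 || !strings.HasPrefix(url, parts[0]) {
		return pat == url // no wildcard means exact match; a wrong prefix never matches
	}
	rest := url[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] { // middle pieces must appear in order
		i := strings.Index(rest, mid)
		if i < 0 {
			return false
		}
		rest = rest[i+len(mid):]
	}
	return strings.HasSuffix(rest, parts[len(parts)-1])
}

func main() {
	// Constructed input: ssl-bump off, one plain-http pattern, one domain-wide pattern.
	fmt.Println(Lint(false, []string{"http://example.com/a", "https://github.com/*"}))
}
```

Because the host and the first `/` are part of the literal prefix, a pattern such as `https://github.com/githubnext/*` does not match a lookalike host that merely begins with `github.com`.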

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

Copilot AI commented Jan 14, 2026

@copilot these features are exclusive to awf firewall and not to the agent-sandbox. Can you be explicit about it

Updated in 74c8e23 - added explicit "AWF-only feature" prefix to schema descriptions for ssl-bump and allow-urls, and clarified in Go code comments that these features are specific to AWF and do not apply to Sandbox Runtime (SRT).

Copilot AI requested a review from Mossaka January 14, 2026 21:19
@Mossaka Mossaka merged commit db7d433 into main Jan 14, 2026
46 of 47 checks passed
@Mossaka Mossaka deleted the copilot/update-firewall-to-v0-9-0 branch January 14, 2026 21:46