@Mossaka
Collaborator

@Mossaka Mossaka commented Nov 26, 2025

  • feat: enable firewall on claude engine and remove hooks
  • update the awf to v0.4.0


Smoke Test: Copilot Engine (No Firewall)

Timestamp: 2025-11-28 00:31 UTC
Status: PASS ✅
All core functionalities validated: GitHub MCP, file writing, bash tools, and Playwright MCP.

AI generated by Smoke Copilot No Firewall

Copilot AI review requested due to automatic review settings November 26, 2025 00:28
@github-actions
Contributor

github-actions bot commented Nov 26, 2025

✅ Agentic Changeset Generator completed successfully.

Copilot finished reviewing on behalf of Mossaka November 26, 2025 00:30
Contributor

Copilot AI left a comment

Pull request overview

This pull request enables firewall support for the Claude engine and removes the legacy network permissions hooks system. The changes replace the hook-based approach (which used Python scripts and Claude settings.json) with the AWF (Agentic Workflows Firewall) binary approach that was previously only available for the Copilot engine. Additionally, the AWF version is updated from v0.3.0 to v0.4.0.

Key changes:

  • Claude engine now supports AWF firewall (matching Copilot's capabilities)
  • Removed deprecated hooks-based network permissions system
  • Updated enableFirewallByDefault to use engine interface instead of string-based engine ID
  • Added GetClaudeAllowedDomains helper function for Claude-specific domain handling
  • Updated all tests to reflect Claude's new firewall support

Reviewed changes

Copilot reviewed 66 out of 66 changed files in this pull request and generated no comments.

| File | Description |
|------|-------------|
| pkg/workflow/claude_engine.go | Enabled firewall support flag; removed hooks/settings generation; added AWF wrapper logic in GetExecutionSteps; implemented GetSquidLogsSteps |
| pkg/workflow/firewall.go | Refactored enableFirewallByDefault to accept engine interface and check SupportsFirewall() method |
| pkg/workflow/domains.go | Added GetClaudeAllowedDomains function for Claude-specific domain handling (similar to Copilot's) |
| pkg/workflow/compiler.go | Updated call to enableFirewallByDefault to pass engine instead of engine ID string |
| pkg/constants/constants.go | Updated DefaultFirewallVersion from v0.3.0 to v0.4.0 |
| pkg/workflow/engine_firewall_support_test.go | Updated tests to verify Claude now supports firewall |
| pkg/workflow/firewall_default_enablement_test.go | Updated tests to use engine instances; added Claude firewall tests |
| pkg/workflow/firewall_workflow_test.go | Updated tests to expect AWF installation instead of hooks for Claude |
| pkg/workflow/claude_engine_network_test.go | Updated all tests to expect AWF wrapper instead of settings/hooks |
| pkg/workflow/network_test.go | Removed deprecated test for HasNetworkPermissions |
| pkg/workflow/agentic_output_test.go | Removed tests for Claude hooks cleanup (no longer needed) |
| pkg/workflow/claude_settings.go | Deleted (hooks-based settings no longer used) |
| pkg/workflow/claude_settings_test.go | Deleted (tests for deleted functionality) |
| pkg/workflow/claude_settings_tmp_test.go | Deleted (tests for deleted functionality) |
| pkg/workflow/engine_network_hooks.go | Deleted (hooks system no longer used) |
| pkg/workflow/engine_network_test.go | Deleted (tests for deleted functionality) |
| .github/workflows/*.lock.yml | All compiled workflows updated to use AWF v0.4.0 and remove hooks generation steps |

@pelikhan
Contributor

@copilot Claude agentic engine should be updated to reflect that it supports network firewall.

Contributor

Copilot AI commented Nov 26, 2025

@pelikhan I've opened a new pull request, #4794, to work on those changes. Once the pull request is ready, I'll request review from you.

Comment on lines 28 to 32
"actions/github-script@v7": {
"repo": "actions/github-script",
"version": "v7",
"sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
},
Collaborator Author

@copilot remove github-script@v7 from this branch

Comment on lines 28 to 32
"actions/github-script@v7": {
"repo": "actions/github-script",
"version": "v7",
"sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
},
Collaborator Author

@copilot remove github-script@v7 from this pr

Contributor

Copilot AI commented Nov 26, 2025

@Mossaka I've opened a new pull request, #4795, to work on those changes. Once the pull request is ready, I'll request review from you.

@github-actions
Contributor

github-actions bot commented Nov 26, 2025

✅ Agentic Changeset Generator completed successfully.

@Mossaka
Collaborator Author

Mossaka commented Nov 26, 2025

@copilot can you figure out why the integration test is failing and can you fix it? https://github.com/githubnext/gh-aw/actions/runs/19717073693/job/56491771896?pr=4792

@github-actions
Contributor

github-actions bot commented Nov 26, 2025

✅ Agentic Changeset Generator completed successfully.

Contributor

Copilot AI commented Nov 26, 2025

@Mossaka I've opened a new pull request, #4884, to work on those changes. Once the pull request is ready, I'll request review from you.

@github-actions
Contributor

github-actions bot commented Nov 27, 2025

❌ Agentic Smoke Copilot failed and wasn't able to produce a result.

@github-actions
Contributor

Agentic Smoke Codex triggered by this pull request.

@github-actions
Contributor

Agentic Smoke Copilot No Firewall triggered by this pull request.

@github-actions
Contributor

github-actions bot commented Nov 27, 2025

❌ Agentic Smoke Claude failed and wasn't able to produce a result.

@github-actions
Contributor

github-actions bot commented Nov 27, 2025

✅ Agentic Changeset Generator completed successfully.

@github-actions
Contributor

Smoke test results for the Codex engine:

  • Merged PR review:
  • File writing test: ✅ Created /tmp/gh-aw/agent/smoke-test-codex-.txt (sandbox requires the /tmp/gh-aw/agent/ prefix) containing Smoke test passed for Codex at Thu Nov 27 00:32:20 UTC 2025.
  • Bash verification: cat /tmp/gh-aw/agent/smoke-test-codex-.txt echoed the expected line above.
  • Playwright test: ✅ Navigated to https://github.com and saw the title GitHub · Change is constant. GitHub keeps you ahead. · GitHub (contains "GitHub").
  • Overall status: ✅ All Codex smoke checks passed.

AI generated by Smoke Codex for #4792

@github-actions
Contributor

✅ Smoke Test Results: Copilot Engine (No Firewall)

All smoke tests for the Copilot engine passed successfully!

Test Results

1. GitHub MCP Testing ✅

Successfully reviewed the last 2 merged pull requests:

PR #4892: "docs: clarify AWF does not support wildcard domain syntax"

  • Merged: 2025-11-26
  • Updated documentation to clarify that AWF (Agent Workflow Firewall) automatically matches subdomains without wildcard syntax
  • Fixed examples across reference docs, guides, and troubleshooting sections
  • Changed from incorrect *.trusted.com pattern to correct trusted.com pattern

PR #4877: "Update AWF to v0.5.0 and migrate to new container/log naming conventions"

  • Merged: 2025-11-26
  • Updated AWF version to v0.5.0
  • Migrated from "copilot" to "agent" naming conventions for better multi-agent support
  • Updated log directories from .copilot/logs/ to .agent/logs/
  • Updated container names from awf-copilot to awf-agent
  • Maintained backward compatibility for log discovery patterns

2. File Writing Testing ✅

Successfully created test file /tmp/smoke-test-copilot-20251127-003259.txt with content:

Smoke test passed for Copilot at Thu Nov 27 00:32:59 UTC 2025

3. Bash Tool Testing ✅

Successfully verified file creation using bash commands:

  • Listed test files in /tmp/ directory
  • Read file content using cat command
  • Confirmed file content matches expected output

4. Playwright MCP Testing ✅

Successfully navigated to https://github.com and verified:

  • Page URL: https://github.com/
  • Page Title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub" ✅ (contains "GitHub")
  • Successfully loaded page with all content visible

Overall Status

🎉 All tests PASSED for Copilot engine (no firewall variant)

The smoke test validates:

  • ✅ GitHub MCP integration and API access
  • ✅ File system write operations
  • ✅ Bash command execution and verification
  • ✅ Playwright browser automation and page navigation

AI generated by Smoke Copilot No Firewall for #4792

@Mossaka
Collaborator Author

Mossaka commented Nov 27, 2025

@copilot tests failed because it couldn't find claude CLI. you should add claude CLI to the awf mount so that it could be found (or run npx)

Contributor

Copilot AI commented Nov 27, 2025

@Mossaka I've opened a new pull request, #4900, to work on those changes. Once the pull request is ready, I'll request review from you.

Mossaka and others added 6 commits November 28, 2025 00:21
Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
* Initial plan

* fix: use npx to run Claude CLI when AWF firewall is enabled

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@github-actions
Contributor

github-actions bot commented Nov 28, 2025

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions
Contributor

🤖 SYSTEM_INIT: Smoke Copilot No Firewall ACTIVATED. PROCESSING pull request. ALL SUBSYSTEMS ONLINE.

@github-actions
Contributor

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

@github-actions
Contributor

Copilot Engine Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP (PR review)
  • ✅ File writing (/tmp/smoke-test-copilot-4792.txt)
  • ✅ Bash tools (verified file creation)
  • ✅ Playwright MCP (GitHub.com title verified)

Overall Status: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #4792 🗺️

@github-actions
Contributor

✅ fix: use npx to run Claude CLI when AWF firewall is enabled
✅ Update issue arborist to filter out issues that are already sub-issues
✅ File write + cat check (/tmp/smoke-test-codex-.txt)
✅ Playwright GitHub title
Overall: PASS

🔮 The oracle has spoken through Smoke Codex fer issue #4792 🗺️

3 participants