feat: enable firewall on claude and remove hooks"

[Mossaka]

• feat: enable firewall on claude engine ana remove hooks
• update the awf to v0.4.0

---

---

Smoke Test: Copilot Engine (No Firewall)

Timestamp: 2025-11-28 00:31 UTC
Status: PASS ✅
All core functionalities validated: GitHub MCP, file writing, bash tools, and Playwright MCP.

AI generated by Smoke Copilot No Firewall

---

Changeset

• Type: patch
• Description: Enable firewall on the Claude engine, remove obsolete hooks, and update AWF to v0.4.0.

AI generated by Changeset Generator

---

---

Smoke Test Summary (Run 19878489061)

Timestamp: 2025-12-03T00:51:48Z
Status: PASS
All core functionality validated: GitHub MCP, file operations, bash execution, and Playwright browser automation.

AI generated by Smoke Copilot No Firewall

---

Changeset

• Type: patch
• Description: Enable firewall on the Claude engine, remove obsolete hooks, and update AWF to v0.4.0.

AI generated by Changeset Generator

---

---

Smoke Test Summary

Test Run: 2025-12-03T01:12:23Z
Status: PASS
Summary: All tools validated - GitHub MCP, file operations, bash execution, and Playwright browser automation working correctly.

AI generated by Smoke Copilot No Firewall

[github-actions]

✅ Agentic Changeset Generator completed successfully.

[Copilot]

Pull request overview

This pull request enables firewall support for the Claude engine and removes the legacy network permissions hooks system. The changes replace the hook-based approach (which used Python scripts and Claude settings.json) with the AWF (Agentic Workflows Firewall) binary approach that was previously only available for the Copilot engine. Additionally, the AWF version is updated from v0.3.0 to v0.4.0.

Key changes:

• Claude engine now supports AWF firewall (matching Copilot's capabilities)
• Removed deprecated hooks-based network permissions system
• Updated enableFirewallByDefault to use engine interface instead of string-based engine ID
• Added GetClaudeAllowedDomains helper function for Claude-specific domain handling
• Updated all tests to reflect Claude's new firewall support

Reviewed changes

Copilot reviewed 66 out of 66 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/claude_engine.go	Enabled firewall support flag; removed hooks/settings generation; added AWF wrapper logic in GetExecutionSteps; implemented GetSquidLogsSteps
pkg/workflow/firewall.go	Refactored enableFirewallByDefault to accept engine interface and check SupportsFirewall() method
pkg/workflow/domains.go	Added GetClaudeAllowedDomains function for Claude-specific domain handling (similar to Copilot's)
pkg/workflow/compiler.go	Updated call to enableFirewallByDefault to pass engine instead of engine ID string
pkg/constants/constants.go	Updated DefaultFirewallVersion from v0.3.0 to v0.4.0
pkg/workflow/engine_firewall_support_test.go	Updated tests to verify Claude now supports firewall
pkg/workflow/firewall_default_enablement_test.go	Updated tests to use engine instances; added Claude firewall tests
pkg/workflow/firewall_workflow_test.go	Updated tests to expect AWF installation instead of hooks for Claude
pkg/workflow/claude_engine_network_test.go	Updated all tests to expect AWF wrapper instead of settings/hooks
pkg/workflow/network_test.go	Removed deprecated test for HasNetworkPermissions
pkg/workflow/agentic_output_test.go	Removed tests for Claude hooks cleanup (no longer needed)
pkg/workflow/claude_settings.go	Deleted (hooks-based settings no longer used)
pkg/workflow/claude_settings_test.go	Deleted (tests for deleted functionality)
pkg/workflow/claude_settings_tmp_test.go	Deleted (tests for deleted functionality)
pkg/workflow/engine_network_hooks.go	Deleted (hooks system no longer used)
pkg/workflow/engine_network_test.go	Deleted (tests for deleted functionality)
.github/workflows/*.lock.yml	All compiled workflows updated to use AWF v0.4.0 and remove hooks generation steps

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pelikhan]

@copilot Claude agentic engine should be updated to reflect that it supports network firewall.

[Copilot]

@pelikhan I've opened a new pull request, #4794, to work on those changes. Once the pull request is ready, I'll request review from you.

[Mossaka]

@copilot remove github-script@v7 from this branch

[Mossaka]

@copilot remove github-script@v7 from this pr

[Copilot]

@Mossaka I've opened a new pull request, #4795, to work on those changes. Once the pull request is ready, I'll request review from you.

[github-actions]

✅ Agentic Changeset Generator completed successfully.

[Mossaka]

@copilot can you figure out why the integration test is failing and can you fix it? https://github.com/githubnext/gh-aw/actions/runs/19717073693/job/56491771896?pr=4792

[github-actions]

✅ Agentic Changeset Generator completed successfully.

[Copilot]

@Mossaka I've opened a new pull request, #4884, to work on those changes. Once the pull request is ready, I'll request review from you.

[github-actions]

❌ Agentic Smoke Copilot failed and wasn't able to produce a result.

[github-actions]

Agentic Smoke Codex triggered by this pull request.

[github-actions]

Agentic Smoke Copilot No Firewall triggered by this pull request.

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

[github-actions]

🤖 SYSTEM_INIT: Smoke Copilot No Firewall ACTIVATED. PROCESSING pull request. ALL SUBSYSTEMS ONLINE.

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• Convert embedded custom agents to prompt file format #5337: Convert embedded custom agents to prompt file format
• refactor: rename to firewall-escape.md, add 80% novelty requirement, and increase timeout #4789: refactor: rename to firewall-escape.md, add 80% novelty requirement, and increase timeout

Test Results:

• ✅ GitHub MCP: Retrieved recent PRs
• ✅ File Writing: Created test file successfully
• ✅ Bash Tool: Verified file content

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #4792 🗺️

[github-actions]

Smoke Test Results

Timestamp: 2025-12-03T00:51:48Z

• ✅ GitHub MCP: Last 2 PRs retrieved (Convert embedded custom agents to prompt file format #5337, refactor: rename to firewall-escape.md, add 80% novelty requirement, and increase timeout #4789)
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-19878489061.txt
• ✅ Bash Tool: Verified file creation
• ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"

Overall Status: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #4792 🗺️

[github-actions]

Convert embedded custom agents to prompt file format
refactor: rename to firewall-escape.md, add 80% novelty requirement, and increase timeout
GitHub MCP test ✅
File write test ✅ (/tmp/gh-aw/agent/smoke-test-codex-19878489043.txt)
Bash cat test ✅
Playwright title test ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex fer issue #4792 🗺️

[github-actions]

Smoke Test Results: Copilot Engine + Playwright

✅ Playwright Navigation: Successfully navigated to https://github.com
✅ Page Title Verification: Confirmed title contains "GitHub"

Overall Status: ✅ PASS

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #4792 🗺️

[pelikhan]

Too old.

[Mossaka]

Oh wait, I am working on this one!

[github-actions]

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

🤖 SYSTEM_INIT: Smoke Copilot No Firewall ACTIVATED. PROCESSING pull request. ALL SUBSYSTEMS ONLINE.

[github-actions]

📰 BREAKING: Smoke Copilot Playwright is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

Smoke Test Results (Copilot - No Firewall)

Last 2 Merged PRs:

• Migrate workflow commands (run, status, logs, audit) to RunE #5329: Migrate workflow commands (run, status, logs, audit) to RunE
• Add safe output for assigning users to issues #5333: Add safe output for assigning users to issues

Test Results:

• ✅ GitHub MCP: Retrieved recent merged PRs
• ✅ File Writing: Created test file successfully
• ✅ Bash Tool: Verified file content
• ✅ Playwright: Navigated to GitHub, title verified

Overall: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #4792 🗺️

[github-actions]

Migrate workflow commands (run, status, logs, audit) to RunE
Convert embedded custom agents to prompt file format
✅ GitHub MCP review
✅ File write + cat
✅ Playwright title check
Overall: PASS

🔮 The oracle has spoken through Smoke Codex fer issue #4792 🗺️

[github-actions]

Smoke Test Results

✅ Playwright Navigation: Successfully navigated to https://github.com
✅ Page Title Validation: Title contains "GitHub" ✓

Overall Status: PASS

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #4792 🗺️

[Mossaka]

This PR will be blocked by a new release of awf that supports user mode