Add actionable hints to strict mode validation errors (#4013)

Copilot · web-flow · commit d47c8e9c8355 · 2025-11-14T22:21:21.000-08:00
diff --git a/.changeset/patch-actionable-strict-mode-hints.md b/.changeset/patch-actionable-strict-mode-hints.md
diff --git a/pkg/workflow/strict_mode_validation.go b/pkg/workflow/strict_mode_validation.go
@@ -63,7 +63,7 @@ func (c *Compiler) validateStrictPermissions(frontmatter map[string]any) error {
 	for _, scope := range writePermissions {
 		if perms.IsAllowed(scope, "write") {
 			strictModeValidationLog.Printf("Write permission validation failed: scope=%s", scope)
-			return fmt.Errorf("strict mode: write permission '%s: write' is not allowed", scope)
+			return fmt.Errorf("strict mode: write permission '%s: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely. See: https://githubnext.github.io/gh-aw/reference/safe-outputs/", scope)
 		}
 	}
 
@@ -75,7 +75,7 @@ func (c *Compiler) validateStrictPermissions(frontmatter map[string]any) error {
 func (c *Compiler) validateStrictNetwork(networkPermissions *NetworkPermissions) error {
 	if networkPermissions == nil {
 		strictModeValidationLog.Printf("Network configuration missing")
-		return fmt.Errorf("strict mode: 'network' configuration is required")
+		return fmt.Errorf("strict mode: 'network' configuration is required to prevent unrestricted network access. Add 'network: { allowed: [...] }' or 'network: defaults' to your frontmatter. See: https://githubnext.github.io/gh-aw/reference/network/")
 	}
 
 	// If mode is "defaults", that's acceptable
@@ -88,7 +88,7 @@ func (c *Compiler) validateStrictNetwork(networkPermissions *NetworkPermissions)
 	for _, domain := range networkPermissions.Allowed {
 		if domain == "*" {
 			strictModeValidationLog.Printf("Network validation failed: wildcard detected")
-			return fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains")
+			return fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access. Specify explicit domains or use ecosystem identifiers like 'python', 'node', 'containers'. See: https://githubnext.github.io/gh-aw/reference/network/#available-ecosystem-identifiers")
 		}
 	}
 
@@ -127,7 +127,7 @@ func (c *Compiler) validateStrictMCPNetwork(frontmatter map[string]any) error {
 			if _, hasContainer := serverConfig["container"]; hasContainer {
 				// Check if network configuration is present
 				if _, hasNetwork := serverConfig["network"]; !hasNetwork {
-					return fmt.Errorf("strict mode: custom MCP server '%s' with container must have network configuration", serverName)
+					return fmt.Errorf("strict mode: custom MCP server '%s' with container must have network configuration for security. Add 'network: { allowed: [...] }' to the server configuration to restrict network access. See: https://githubnext.github.io/gh-aw/reference/network/", serverName)
 				}
 			}
 		}
diff --git a/pkg/workflow/strict_mode_validation_test.go b/pkg/workflow/strict_mode_validation_test.go
@@ -41,7 +41,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'contents: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'contents: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "issues write permission is refused",
@@ -52,7 +52,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'issues: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'issues: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "pull-requests write permission is refused",
@@ -63,7 +63,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'pull-requests: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'pull-requests: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "multiple write permissions fail on first one",
@@ -89,7 +89,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'issues: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'issues: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "other write permissions are allowed (not in sensitive scopes)",
@@ -117,7 +117,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				"permissions": "write",
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'contents: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'contents: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "shorthand write-all is refused",
@@ -126,7 +126,7 @@ func TestValidateStrictPermissions(t *testing.T) {
 				"permissions": "write-all",
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'contents: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'contents: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely",
 		},
 		{
 			name: "empty permissions map is allowed",
@@ -176,7 +176,7 @@ func TestValidateStrictNetwork(t *testing.T) {
 			name:               "nil network permissions is refused",
 			networkPermissions: nil,
 			expectError:        true,
-			errorMsg:           "strict mode: 'network' configuration is required",
+			errorMsg:           "strict mode: 'network' configuration is required to prevent unrestricted network access",
 		},
 		{
 			name: "defaults mode is allowed",
@@ -200,7 +200,7 @@ func TestValidateStrictNetwork(t *testing.T) {
 				Allowed: []string{"*"},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains",
+			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access",
 		},
 		{
 			name: "wildcard among other domains is refused",
@@ -209,7 +209,7 @@ func TestValidateStrictNetwork(t *testing.T) {
 				Allowed: []string{"api.example.com", "*", "github.com"},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains",
+			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access",
 		},
 		{
 			name: "empty allowed list is allowed",
@@ -306,7 +306,7 @@ func TestValidateStrictMode(t *testing.T) {
 				Allowed: []string{"api.example.com"},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: write permission 'contents: write' is not allowed",
+			errorMsg:    "strict mode: write permission 'contents: write' is not allowed for security reasons",
 		},
 		{
 			name:       "strict mode fails on missing network config",
@@ -319,7 +319,7 @@ func TestValidateStrictMode(t *testing.T) {
 			},
 			networkPermissions: nil,
 			expectError:        true,
-			errorMsg:           "strict mode: 'network' configuration is required",
+			errorMsg:           "strict mode: 'network' configuration is required to prevent unrestricted network access",
 		},
 		{
 			name:       "strict mode fails on wildcard network",
@@ -335,7 +335,7 @@ func TestValidateStrictMode(t *testing.T) {
 				Allowed: []string{"*"},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains",
+			errorMsg:    "strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access",
 		},
 		{
 			name:       "strict mode with container MCP requiring network",
@@ -356,7 +356,7 @@ func TestValidateStrictMode(t *testing.T) {
 				Allowed: []string{"api.example.com"},
 			},
 			expectError: true,
-			errorMsg:    "strict mode: custom MCP server 'my-server' with container must have network configuration",
+			errorMsg:    "strict mode: custom MCP server 'my-server' with container must have network configuration for security",
 		},
 		{
 			name:       "strict mode with container MCP and network config",
diff --git a/pkg/workflow/validation_strict_mcp_network_test.go b/pkg/workflow/validation_strict_mcp_network_test.go
@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"strings"
 	"testing"
 )
 
@@ -82,9 +83,9 @@ func TestValidateStrictMCPNetwork_ContainerWithoutNetwork(t *testing.T) {
 	if err == nil {
 		t.Error("Expected error for container without network configuration, got nil")
 	}
-	expectedMsg := "strict mode: custom MCP server 'my-server' with container must have network configuration"
-	if err != nil && err.Error() != expectedMsg {
-		t.Errorf("Expected error message %q, got: %q", expectedMsg, err.Error())
+	expectedMsg := "strict mode: custom MCP server 'my-server' with container must have network configuration for security"
+	if err != nil && !strings.Contains(err.Error(), expectedMsg) {
+		t.Errorf("Expected error message to contain %q, got: %q", expectedMsg, err.Error())
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (c *Compiler) validateStrictPermissions(frontmatter map[string]any) error {`
`63`	`63`	`for _, scope := range writePermissions {`
`64`	`64`	`if perms.IsAllowed(scope, "write") {`
`65`	`65`	`strictModeValidationLog.Printf("Write permission validation failed: scope=%s", scope)`
`66`		`- return fmt.Errorf("strict mode: write permission '%s: write' is not allowed", scope)`
	`66`	`+ return fmt.Errorf("strict mode: write permission '%s: write' is not allowed for security reasons. Use 'safe-outputs.create-issue', 'safe-outputs.create-pull-request', 'safe-outputs.add-comment', or 'safe-outputs.update-issue' to perform write operations safely. See: https://githubnext.github.io/gh-aw/reference/safe-outputs/", scope)`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`
`@@ -75,7 +75,7 @@ func (c *Compiler) validateStrictPermissions(frontmatter map[string]any) error {`
`75`	`75`	`func (c Compiler) validateStrictNetwork(networkPermissions NetworkPermissions) error {`
`76`	`76`	`if networkPermissions == nil {`
`77`	`77`	`strictModeValidationLog.Printf("Network configuration missing")`
`78`		`- return fmt.Errorf("strict mode: 'network' configuration is required")`
	`78`	`+ return fmt.Errorf("strict mode: 'network' configuration is required to prevent unrestricted network access. Add 'network: { allowed: [...] }' or 'network: defaults' to your frontmatter. See: https://githubnext.github.io/gh-aw/reference/network/")`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`// If mode is "defaults", that's acceptable`
`@@ -88,7 +88,7 @@ func (c Compiler) validateStrictNetwork(networkPermissions NetworkPermissions)`
`88`	`88`	`for _, domain := range networkPermissions.Allowed {`
`89`	`89`	`if domain == "*" {`
`90`	`90`	`strictModeValidationLog.Printf("Network validation failed: wildcard detected")`
`91`		`- return fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains")`
	`91`	`+ return fmt.Errorf("strict mode: wildcard '*' is not allowed in network.allowed domains to prevent unrestricted internet access. Specify explicit domains or use ecosystem identifiers like 'python', 'node', 'containers'. See: https://githubnext.github.io/gh-aw/reference/network/#available-ecosystem-identifiers")`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`
`@@ -127,7 +127,7 @@ func (c *Compiler) validateStrictMCPNetwork(frontmatter map[string]any) error {`
`127`	`127`	`if _, hasContainer := serverConfig["container"]; hasContainer {`
`128`	`128`	`// Check if network configuration is present`
`129`	`129`	`if _, hasNetwork := serverConfig["network"]; !hasNetwork {`
`130`		`- return fmt.Errorf("strict mode: custom MCP server '%s' with container must have network configuration", serverName)`
	`130`	`+ return fmt.Errorf("strict mode: custom MCP server '%s' with container must have network configuration for security. Add 'network: { allowed: [...] }' to the server configuration to restrict network access. See: https://githubnext.github.io/gh-aw/reference/network/", serverName)`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package workflow`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "strings"`
`4`	`5`	`"testing"`
`5`	`6`	`)`
`6`	`7`
`@@ -82,9 +83,9 @@ func TestValidateStrictMCPNetwork_ContainerWithoutNetwork(t *testing.T) {`
`82`	`83`	`if err == nil {`
`83`	`84`	`t.Error("Expected error for container without network configuration, got nil")`
`84`	`85`	`}`
`85`		`- expectedMsg := "strict mode: custom MCP server 'my-server' with container must have network configuration"`
`86`		`- if err != nil && err.Error() != expectedMsg {`
`87`		`- t.Errorf("Expected error message %q, got: %q", expectedMsg, err.Error())`
	`86`	`+ expectedMsg := "strict mode: custom MCP server 'my-server' with container must have network configuration for security"`
	`87`	`+ if err != nil && !strings.Contains(err.Error(), expectedMsg) {`
	`88`	`+ t.Errorf("Expected error message to contain %q, got: %q", expectedMsg, err.Error())`
`88`	`89`	`}`
`89`	`90`	`}`
`90`	`91`