From 4b6091753f5ca9d96e68474d191bf28e7432841c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 14:14:56 +0000
Subject: [PATCH 1/3] Initial plan


From a393525f8c18e94223d690d347554c3c58cc0be4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 14:21:26 +0000
Subject: [PATCH 2/3] Fix integration tests by adding strict: false to
 workflows with custom domains

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/allowed_domains_sanitization_test.go | 3 +++
 pkg/workflow/docker_predownload_test.go           | 1 +
 pkg/workflow/domains_protocol_integration_test.go | 3 +++
 pkg/workflow/sandbox_agent_false_test.go          | 1 +
 pkg/workflow/sandbox_agent_tools_default_test.go  | 1 +
 pkg/workflow/strict_mode_deprecated_test.go       | 3 +++
 pkg/workflow/strict_mode_test.go                  | 2 ++
 7 files changed, 14 insertions(+)

diff --git a/pkg/workflow/allowed_domains_sanitization_test.go b/pkg/workflow/allowed_domains_sanitization_test.go
index 8e525d88080..62fb3af390e 100644
--- a/pkg/workflow/allowed_domains_sanitization_test.go
+++ b/pkg/workflow/allowed_domains_sanitization_test.go
@@ -31,6 +31,7 @@ permissions:
   issues: read
   pull-requests: read
 engine: copilot
+strict: false
 network:
   allowed:
     - example.com
@@ -255,6 +256,7 @@ permissions:
   issues: read
   pull-requests: read
 engine: copilot
+strict: false
 network:
   allowed:
     - example.com
@@ -286,6 +288,7 @@ permissions:
   issues: read
   pull-requests: read
 engine: copilot
+strict: false
 network:
   allowed:
     - example.com
diff --git a/pkg/workflow/docker_predownload_test.go b/pkg/workflow/docker_predownload_test.go
index e0831e3e7f6..46b5ab4ebd8 100644
--- a/pkg/workflow/docker_predownload_test.go
+++ b/pkg/workflow/docker_predownload_test.go
@@ -81,6 +81,7 @@ Test workflow with custom MCP container.`,
 			frontmatter: `---
 on: issues
 engine: claude
+strict: false
 safe-outputs:
   create-issue:
 network:
diff --git a/pkg/workflow/domains_protocol_integration_test.go b/pkg/workflow/domains_protocol_integration_test.go
index 4e7b2fb0276..80777500b90 100644
--- a/pkg/workflow/domains_protocol_integration_test.go
+++ b/pkg/workflow/domains_protocol_integration_test.go
@@ -26,6 +26,7 @@ on: push
 permissions:
   contents: read
 engine: copilot
+strict: false
 network:
   allowed:
     - https://secure.example.com
@@ -205,6 +206,7 @@ on: push
 permissions:
   contents: read
 engine: copilot
+strict: false
 network:
   allowed:
     - https://example.com
@@ -249,6 +251,7 @@ on: push
 permissions:
   contents: read
 engine: copilot
+strict: false
 network:
   allowed:
     - example.com
diff --git a/pkg/workflow/sandbox_agent_false_test.go b/pkg/workflow/sandbox_agent_false_test.go
index 2570690a21e..44ff4a053d0 100644
--- a/pkg/workflow/sandbox_agent_false_test.go
+++ b/pkg/workflow/sandbox_agent_false_test.go
@@ -116,6 +116,7 @@ Test workflow to verify sandbox.agent: awf enables firewall.
 
 		markdown := `---
 engine: copilot
+strict: false
 network:
   allowed:
     - defaults
diff --git a/pkg/workflow/sandbox_agent_tools_default_test.go b/pkg/workflow/sandbox_agent_tools_default_test.go
index 0a73bbe6224..485e85e800a 100644
--- a/pkg/workflow/sandbox_agent_tools_default_test.go
+++ b/pkg/workflow/sandbox_agent_tools_default_test.go
@@ -227,6 +227,7 @@ Test workflow where explicit tools.bash should take precedence over default.
 		// No explicit sandbox.agent, but network restrictions will auto-enable firewall
 		markdown := `---
 engine: copilot
+strict: false
 network:
   allowed:
     - github.com
diff --git a/pkg/workflow/strict_mode_deprecated_test.go b/pkg/workflow/strict_mode_deprecated_test.go
index 4913b2b37a1..e67717fe86c 100644
--- a/pkg/workflow/strict_mode_deprecated_test.go
+++ b/pkg/workflow/strict_mode_deprecated_test.go
@@ -26,6 +26,7 @@ permissions:
   pull-requests: read
 timeout_minutes: 10
 engine: copilot
+strict: false
 network:
   allowed:
     - "api.example.com"
@@ -45,6 +46,7 @@ permissions:
   pull-requests: read
 timeout-minutes: 10
 engine: copilot
+strict: false
 network:
   allowed:
     - "api.example.com"
@@ -114,6 +116,7 @@ permissions:
   pull-requests: read
 timeout_minutes: 10
 engine: copilot
+strict: false
 network:
   allowed:
     - "api.example.com"
diff --git a/pkg/workflow/strict_mode_test.go b/pkg/workflow/strict_mode_test.go
index 45ded0fe7cd..e512bd579ea 100644
--- a/pkg/workflow/strict_mode_test.go
+++ b/pkg/workflow/strict_mode_test.go
@@ -27,6 +27,7 @@ permissions:
   issues: read
   pull-requests: read
 engine: copilot
+strict: false
 network:
   allowed:
     - "api.example.com"
@@ -45,6 +46,7 @@ permissions:
   pull-requests: read
 timeout-minutes: 10
 engine: copilot
+strict: false
 network:
   allowed:
     - "api.example.com"

From 2e8d4d63a3022dffec43831a0b4f0bc974bf13da Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 13 Feb 2026 14:23:04 +0000
Subject: [PATCH 3/3] Fix strict mode tests to use ecosystem domains instead of
 custom domains

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/strict_mode_deprecated_test.go | 9 +++------
 pkg/workflow/strict_mode_test.go            | 6 ++----
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/pkg/workflow/strict_mode_deprecated_test.go b/pkg/workflow/strict_mode_deprecated_test.go
index e67717fe86c..73a00e87559 100644
--- a/pkg/workflow/strict_mode_deprecated_test.go
+++ b/pkg/workflow/strict_mode_deprecated_test.go
@@ -26,10 +26,9 @@ permissions:
   pull-requests: read
 timeout_minutes: 10
 engine: copilot
-strict: false
 network:
   allowed:
-    - "api.example.com"
+    - defaults
 ---
 
 # Test Workflow`,
@@ -46,10 +45,9 @@ permissions:
   pull-requests: read
 timeout-minutes: 10
 engine: copilot
-strict: false
 network:
   allowed:
-    - "api.example.com"
+    - defaults
 ---
 
 # Test Workflow`,
@@ -116,10 +114,9 @@ permissions:
   pull-requests: read
 timeout_minutes: 10
 engine: copilot
-strict: false
 network:
   allowed:
-    - "api.example.com"
+    - defaults
 ---
 
 # Test Workflow`
diff --git a/pkg/workflow/strict_mode_test.go b/pkg/workflow/strict_mode_test.go
index e512bd579ea..a531bce6ab2 100644
--- a/pkg/workflow/strict_mode_test.go
+++ b/pkg/workflow/strict_mode_test.go
@@ -27,10 +27,9 @@ permissions:
   issues: read
   pull-requests: read
 engine: copilot
-strict: false
 network:
   allowed:
-    - "api.example.com"
+    - defaults
 ---
 
 # Test Workflow`,
@@ -46,10 +45,9 @@ permissions:
   pull-requests: read
 timeout-minutes: 10
 engine: copilot
-strict: false
 network:
   allowed:
-    - "api.example.com"
+    - defaults
 ---
 
 # Test Workflow`,