Copilot AI commented Dec 19, 2025

AWF now accepts YAML rule files so complex allowlists aren’t confined to long CLI strings.

  • Ruleset loading: Added loadRuleSet/mergeRuleSets with validation (version 1, domain + optional subdomains; future-only fields rejected).
  • CLI integration: New --ruleset-file (repeatable) merged with existing --allow-domains/--allow-domains-file sources; unified validation and error messaging.
  • Documentation: CLI reference updated with the new option and usage.

Example YAML and invocation:

# awf-rules.yaml
version: 1
rules:
  - domain: github.com
    subdomains: true
  - domain: api.github.com

awf --ruleset-file ./awf-rules.yaml --allow-domains extra.com -- <command>
Original prompt

This section details the original issue you should resolve

<issue_title>[Feature] Add YAML rule configuration support</issue_title>
<issue_description>Priority
P2 - Medium

Summary

Currently AWF only supports domain allowlisting via CLI --allow-domains flag. This becomes unwieldy for complex rule sets. Add support for YAML configuration files with richer rule syntax.

Current Behavior

awf --allow-domains github.com,api.github.com,registry.npmjs.org,... 'command'

For complex setups, this results in very long command lines that are hard to maintain.

Proposed Solution

YAML Rule File Format

# awf-rules.yaml
version: 1
rules:
  - domain: github.com
    subdomains: true  # Allow *.github.com
    
  - domain: api.github.com
    
  - domain: registry.npmjs.org
    
  - domain: pypi.org
    subdomains: true
    
  # Future: URL path rules (requires TLS inspection)
  # - url: https://github.com/githubnext/*
  #   methods: [GET]

CLI Usage

# Use rule file
awf --ruleset-file ./awf-rules.yaml 'command'

# Combine with CLI domains
awf --ruleset-file ./rules.yaml --allow-domains extra.com 'command'

# Multiple rule files
awf --ruleset-file base.yaml --ruleset-file project.yaml 'command'

Implementation

New File: src/rules.ts

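import { readFileSync } from 'fs';
import * as yaml from 'yaml';  // assumes the `yaml` npm package, which provides parse()

interface Rule {
  domain?: string;
  subdomains?: boolean;
  url?: string;  // Future: requires TLS inspection
  methods?: string[];  // Future: requires TLS inspection
}

interface RuleSet {
  version: number;
  rules: Rule[];
}

export function loadRuleSet(filePath: string): RuleSet {
  const content = readFileSync(filePath, 'utf-8');
  const ruleSet = yaml.parse(content);
  validateRuleSet(ruleSet);  // expected to throw on an invalid rule set; not defined in this sketch
  return ruleSet;
}

export function mergeRuleSets(sets: RuleSet[]): string[] {
  // Extract all domains for Squid config
  return sets.flatMap(set =>
    set.rules
      .map(rule => rule.domain)
      // Type guard so the result is string[] rather than (string | undefined)[]
      .filter((domain): domain is string => Boolean(domain))
  );
}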

CLI Changes (src/cli.ts)

program
  .option('--ruleset-file <file>', 'YAML rule configuration file (can be repeated)', collect, [])
  .option('--allow-domains <domains>', 'Comma-separated allowed domains');

Benefits

  • Maintainability: Rules in version-controlled files
  • Reusability: Share rule sets across projects
  • Documentation: Comments in YAML explain rules
  • Future extensibility: Easy to add URL path rules when TLS inspection is implemented

Files to Create/Modify

  • New: src/rules.ts - Rule loading and validation
  • New: src/rules.test.ts - Tests for rule parsing
  • Modify: src/cli.ts - Add --ruleset-file option
  • Modify: src/squid-config.ts - Accept rules from file
  • New: examples/rules/ - Example rule files

Testing

  • Valid YAML parses correctly
  • Invalid YAML shows helpful error
  • Multiple rule files merge correctly
  • CLI domains combine with file rules
  • Squid config generated correctly from rules</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Add YAML rule configuration support for domain allowlisting" to "Add YAML ruleset support for domain allowlists" Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 09:32
@Mossaka Mossaka added the smoke label Dec 19, 2025
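
The validation summarized in the PR description (version 1, `domain` plus optional `subdomains`, future-only fields rejected), sketched as an added example. This is not the PR's src/rules.ts: the `validateRuleSet` signature, `mergeAllowlist`, `AllowEntry` and the hostname pattern are assumptions, and the code works on an already-parsed YAML object so it runs without a YAML library.

```typescript
// Added sketch; names are hypothetical, not the project's src/rules.ts.
type AllowEntry = { domain: string; subdomains: boolean };

// Bare multi-label hostnames only: no scheme, port, path, wildcard or spaces.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function validateRuleSet(input: unknown, source: string): AllowEntry[] {
  const fail = (msg: string): never => { throw new Error(`${source}: ${msg}`); };
  if (typeof input !== 'object' || input === null) return fail('rule set must be a mapping');
  const doc = input as { version?: unknown; rules?: unknown };
  if (doc.version !== 1) return fail(`unsupported version ${String(doc.version)}`);
  const rules = doc.rules;
  if (!Array.isArray(rules)) return fail('"rules" must be a list');
  return rules.map((raw: unknown, i: number): AllowEntry => {
    if (typeof raw !== 'object' || raw === null) return fail(`rules[${i}] must be a mapping`);
    const rule = raw as { domain?: unknown; subdomains?: unknown };
    for (const key of Object.keys(rule)) {
      // Reject future-only fields (url, methods) and typos rather than ignoring them.
      if (key !== 'domain' && key !== 'subdomains') {
        return fail(`rules[${i}]: unsupported field "${key}"`);
      }
    }
    const domain = typeof rule.domain === 'string' ? rule.domain.trim().toLowerCase() : '';
    if (!HOSTNAME.test(domain)) return fail(`rules[${i}]: invalid domain`);
    if (rule.subdomains !== undefined && typeof rule.subdomains !== 'boolean') {
      return fail(`rules[${i}]: "subdomains" must be true or false`);
    }
    return { domain, subdomains: rule.subdomains === true };
  });
}

// Merge rule files with --allow-domains values. Assumption of this sketch: a CLI
// domain is an exact match, and a repeated domain keeps subdomains=true if any
// source set it.
function mergeAllowlist(sets: AllowEntry[][], cliDomains: string[]): AllowEntry[] {
  const cli = validateRuleSet(
    { version: 1, rules: cliDomains.map(domain => ({ domain })) }, '--allow-domains');
  const merged = new Map<string, boolean>();
  for (const entry of ([] as AllowEntry[]).concat(...sets, cli)) {
    merged.set(entry.domain, merged.get(entry.domain) === true || entry.subdomains);
  }
  return Array.from(merged, ([domain, subdomains]) => ({ domain, subdomains }));
}

// Constructed sample: the parsed form of the awf-rules.yaml shown on this page.
const sample = { version: 1, rules: [
  { domain: 'github.com', subdomains: true }, { domain: 'api.github.com' } ] };
console.log(mergeAllowlist([validateRuleSet(sample, 'awf-rules.yaml')], ['extra.com']));
```

Unlike a merge that returns only domain strings, this keeps the `subdomains` flag per entry, so an exact-match rule is not silently widened when the proxy configuration is generated.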
@github-actions

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 17:52
@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP Testing
  • ✅ File Writing Testing
  • ✅ Bash Tool Testing

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #141 🗺️

@github-actions

github-actions bot commented Dec 19, 2025

Test Coverage Report

| Metric | Coverage | Covered/Total |
| --- | --- | --- |
| Lines | 66.1% | 708/1071 |
| Statements | 66.27% | 729/1100 |
| Functions | 70.73% | 87/123 |
| Branches | 60.89% | 232/381 |

Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@github-actions

Claude Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP (list PRs)
  • ✅ File Writing (/tmp/gh-aw/agent/smoke-test-claude-20378116228.txt)
  • ✅ Bash Tool (verified file creation)
  • ❌ Playwright (ERR_TUNNEL_CONNECTION_FAILED - page loaded but assets blocked)

Overall: FAIL (Playwright network errors)

💥 [THE END] — Illustrated by Smoke Claude fer issue #141 🗺️
