From 5d4d3fd2bfa3ee320979732ed30be629167c5043 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:46:46 +0000
Subject: [PATCH 1/2] Initial plan


From 25ef2ff9d51712b9e1df718a0bd54d0493d02808 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:53:36 +0000
Subject: [PATCH 2/2] docs: require sudo on self-hosted runners for AWF
 security

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
---
 docs/src/content/docs/guides/self-hosted-runners.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/src/content/docs/guides/self-hosted-runners.md b/docs/src/content/docs/guides/self-hosted-runners.md
index dbff97264ba..0351923292e 100644
--- a/docs/src/content/docs/guides/self-hosted-runners.md
+++ b/docs/src/content/docs/guides/self-hosted-runners.md
@@ -8,6 +8,11 @@ Use the `runs-on` frontmatter field to target a self-hosted runner instead of th
 > [!NOTE]
 > Runners must be Linux with Docker support. macOS and Windows are not supported — agentic workflows require container jobs for the [sandbox](/gh-aw/reference/sandbox/).
 
+> [!WARNING]
+> Self-hosted runners must allow `sudo` for agentic workflows. This is a deliberate security requirement. AWF (Agentic Workflow Firewall) applies host-level `iptables` rules to the Linux kernel `DOCKER-USER` chain to enforce network egress filtering for all agent containers on the AWF bridge network. This outer security boundary requires root UID.
+>
+> Container-level `iptables`, Squid proxy ACLs, and capability drops add defense in depth, but they do not replace host-level filtering. A non-sudo mode is not supported, including ARC configurations with `allowPrivilegeEscalation: false`.
+
 ## runs-on formats
 
 **String** — single runner label: