Merged
5 changes: 5 additions & 0 deletions docs/src/content/docs/guides/self-hosted-runners.md
Expand Up @@ -8,6 +8,11 @@ Use the `runs-on` frontmatter field to target a self-hosted runner instead of th
> [!NOTE]
> Runners must be Linux with Docker support. macOS and Windows are not supported — agentic workflows require container jobs for the [sandbox](/gh-aw/reference/sandbox/).

> [!WARNING]
> Self-hosted runners must allow `sudo` for agentic workflows. This is a deliberate security requirement. AWF (Agentic Workflow Firewall) applies host-level `iptables` rules to the Linux kernel `DOCKER-USER` chain to enforce network egress filtering for all agent containers on the AWF bridge network. This outer security boundary requires root UID.
>
> Container-level `iptables`, Squid proxy ACLs, and capability drops add defense in depth, but they do not replace host-level filtering. A non-sudo mode is not supported, including ARC configurations with `allowPrivilegeEscalation: false`.

## runs-on formats

**String** — single runner label:
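Review bot: The added `[!WARNING]` block says runners "must allow `sudo`" but never states the scope that is needed, so an operator cannot tell whether unrestricted passwordless sudo is required or whether a sudoers entry limited to the commands AWF runs to program the `DOCKER-USER` chain would be enough. Please state the minimum privilege explicitly, and say what a workflow does when sudo is unavailable, so that the ARC case with `allowPrivilegeEscalation: false` can be recognised from its failure. Two smaller points on the same block: "ARC" is used without being expanded, while AWF is spelled out on first use, and the warning has no link to a reference page for AWF in the way the `[!NOTE]` above links to the sandbox reference.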