feat(workflow): opt-in auto-propagation of workflow headers on allow-listed hosts (closes #186)

[initializ-mk]

Summary

Adds a workflow_propagation.allowed_hosts block to forge.yaml. Outbound HTTP tool calls targeting a matching host automatically receive the workflow correlation headers (X-Workflow-Id / X-Workflow-Execution-Id / X-Workflow-Stage-Id / X-Workflow-Step-Id / X-Invocation-Caller) from the current request context. Hosts not on the list keep the pre-#186 opt-in posture — tools must call ApplyToHTTPHeaders explicitly. Empty / missing block = zero-overhead pass-through (current behavior).

workflow_propagation:
  allowed_hosts:
    - "orchestrator.svc"         # exact host (port stripped before compare)
    - "*.agents.internal"        # wildcard suffix (strictly-deeper subdomains)

Why

Forge already accepted the workflow headers inbound (FWS-2 / #185) and stamped them on every audit event. But propagation to downstream agents was manual: each HTTP tool had to call WorkflowContextFromContext(ctx).ApplyToHTTPHeaders(req.Header) itself. The skill correctly flagged that auto-propagation is risky (leaks workflow identity to third-party APIs like api.openai.com), but the manual approach broke the trace at every agent-to-agent hop where the tool author forgot.

This change keeps the safe default and adds an opt-in allow-list — the same shape as the existing egress allow-list — so operators get auto-propagation inside their trust boundary without leaking outside it.

Implementation

• forge-core/types/config.go — new WorkflowPropagationConfig with AllowedHosts []string; attached to ForgeConfig under workflow_propagation.
• forge-core/runtime/workflow_propagation.go — new WorkflowPropagationMatcher (exact + wildcard, port-stripped, case-insensitive). Wildcards match strictly-deeper subdomains — *.agents.internal matches payments.agents.internal but NOT the bare agents.internal. WrapTransportForWorkflowPropagation returns the underlying transport identity-equal when the matcher is empty, so zero-config deploys pay no per-request overhead.
• forge-cli/runtime/runner.go — builds the matcher from cfg.WorkflowPropagation.AllowedHosts and wraps the egress client's transport once at startup. Every built-in HTTP tool (http_request, webhook_call, web_search_*) routes through security.EgressTransportFromContext so all of them inherit the auto-apply without per-tool changes.

The wrapper clones the request before stamping headers (http.RoundTripper contract — must not mutate the caller's request) so a caller's req.Header is never modified across retries.

Safety

• Default-deploy unchanged: an absent workflow_propagation block (or allowed_hosts: []) returns the egress transport identity-equal — no wrapper, no header mutation, no observable change.
• No leaks: a request to a non-allowlisted host (e.g. api.openai.com) NEVER receives the workflow headers, even with a fully-populated WorkflowContext. Pinned by TestWorkflowPropagationTransport_OmitsHeadersOnUnlistedHost.
• No mutation across retries: caller's req.Header is preserved. Pinned by TestWorkflowPropagationTransport_DoesNotMutateOriginalRequest.
• No spurious empty headers: when the request ctx is IsZero (direct A2A invocation, no orchestrator), even allow-listed hosts get nothing — we don't stamp empty values. Pinned by TestWorkflowPropagationTransport_NoOpWhenContextIsZero.
• Transparent errors: underlying-transport errors pass through unchanged. Pinned by TestWorkflowPropagationTransport_PropagatesUnderlyingError.

Dependency

Builds on FORGE-2 (#185) — the propagated header set includes the new X-Workflow-Execution-Id from that PR.

Out of scope

• Subprocess egress proxy path: skills running in a subprocess that issue HTTP via the proxy don't route through security.EgressTransportFromContext. If that surface needs the same auto-apply, file a follow-up — needs proxy-side header injection, not in scope for this PR per the issue.

Test plan

• golangci-lint run across all four modules — 0 issues
• gofmt -w across all modules
• go test ./... in forge-core/ and forge-cli/ — all green
• New unit tests pin: host matcher (exact / wildcard / no-match / port-strip / case-insensitive / apex-doesn't-match / longer-host-doesn't-trick), nil-guard + IsEmpty short-circuit, headers applied on allow-listed host, headers absent on non-allowlisted host, no-op on IsZero context, no mutation of caller's request, full end-to-end against httptest.NewServer, underlying error propagation.
• Manual smoke: forge run an agent with workflow_propagation.allowed_hosts: ["127.0.0.1"], invoke a tool that POSTs to a local echo server, confirm the inbound request carries all five workflow headers; remove the entry, confirm headers are absent.