Remove timeout_minutes breaking change callout from documentation

.github/aw/actions-lock.json

@@ -125,6 +125,11 @@
       "version": "v2.0.3",
       "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
     },
+    "docker/build-push-action@v6": {
+      "repo": "docker/build-push-action",
+      "version": "v6",
+      "sha": "ee4ca427a2f43b6a16632044ca514c076267da23"
+    },
     "docker/build-push-action@v6.18.0": {
       "repo": "docker/build-push-action",
       "version": "v6.18.0",

docs/src/content/docs/guides/upgrading.md

@@ -85,9 +85,8 @@ The upgrade automatically applies codemods to fix deprecated fields in all workf
 
 | Codemod | What It Fixes | Example |
 |---------|---------------|---------|
-| **timeout-minutes-migration** | Replaces `timeout_minutes` with `timeout-minutes` | `timeout_minutes: 30` → `timeout-minutes: 30` |
+| **sandbox-false-to-agent-false** | Converts `sandbox: false` to `sandbox.agent: false` | `sandbox: false` → `sandbox: { agent: false }` |
 | **network-firewall-migration** | Removes deprecated `network.firewall` field | Deletes `firewall: mandatory` |
-| **sandbox-agent-false-removal** | Removes `sandbox.agent: false` (firewall now mandatory) | Deletes `agent: false` |
 | **safe-inputs-mode-removal** | Removes deprecated `safe-inputs.mode` field | Deletes `mode: auto` |
 | **schedule-at-to-around-migration** | Converts `daily at TIME` to `daily around TIME` | `daily at 10:00` → `daily around 10:00` |
 | **delete-schema-file** | Deletes deprecated schema file | Removes `.github/aw/schemas/agentic-workflow.json` |
@@ -147,7 +146,14 @@ Review changes with `git diff .github/workflows/` to verify that deprecated fiel
 
 ### Common Changes
 
-Typical migrations include `timeout_minutes` → `timeout-minutes`, `daily at` → `daily around`, and removal of deprecated `network.firewall` and `safe-inputs.mode` fields. Use `git diff --word-diff` for detailed comparison.
+Typical migrations include `sandbox: false` → `sandbox.agent: false`, `daily at` → `daily around`, and removal of deprecated `network.firewall` and `safe-inputs.mode` fields. Use `git diff --word-diff` for detailed comparison.
+
+> [!CAUTION]
+> Breaking Changes
+>
+> **`timeout_minutes` Removed:** The underscore variant `timeout_minutes` has been completely removed from the schema. Workflows using this field will fail compilation. Use `timeout-minutes` (with hyphen) instead.
+>
+> **`sandbox: false` Changed:** Top-level `sandbox: false` is no longer supported. Use `sandbox.agent: false` instead to disable only the agent firewall. The MCP gateway remains enabled and cannot be disabled. The `gh aw fix` command includes a codemod to automatically migrate this change.
 
 ## Step 5: Verify Compilation
 

docs/src/content/docs/reference/frontmatter.md

@@ -376,11 +376,9 @@ Standard GitHub Actions properties:
 ```yaml wrap
 run-name: "Custom workflow run name"  # Defaults to workflow name
 runs-on: ubuntu-latest               # Defaults to ubuntu-latest (main job only)
-timeout-minutes: 30                  # Defaults to 20 minutes (timeout_minutes deprecated)
+timeout-minutes: 30                  # Defaults to 20 minutes
 ```
 
-**Note**: The `timeout_minutes` field is deprecated. Use `timeout-minutes` instead to follow GitHub Actions naming convention.
-
 ### Workflow Concurrency Control (`concurrency:`)
 
 Automatically generates concurrency policies for the agent job. See [Concurrency Control](/gh-aw/reference/concurrency/).

docs/src/content/docs/reference/sandbox.md

@@ -26,12 +26,20 @@ sandbox:
 sandbox:
   agent: srt
 
+# Disable agent sandbox (firewall only) - use with caution
+sandbox:
+  agent: false
+
 # Or omit sandbox entirely to use the default (awf)
 ```
 
 > [!NOTE]
 > Default Behavior
-> If `sandbox` is not specified in your workflow, it defaults to `sandbox.agent: awf`. The agent sandbox is now mandatory for all workflows.
+> If `sandbox` is not specified in your workflow, it defaults to `sandbox.agent: awf`. The agent sandbox is recommended for all workflows.
+
+> [!CAUTION]
+> Disabling Agent Sandbox
+> Setting `sandbox.agent: false` disables only the agent firewall while keeping the MCP gateway enabled. This reduces security isolation and should only be used when necessary. The MCP gateway cannot be disabled and remains active in all workflows.
 
 ### MCP Gateway (Experimental)
 

docs/src/content/docs/setup/cli.md

@@ -229,7 +229,7 @@ gh aw fix --list-codemods              # List available codemods
 
 **Options:** `--write`, `--list-codemods`
 
-Available codemods: `timeout_minutes` → `timeout-minutes`, `network.firewall` → `sandbox.agent`, `on.command` → `on.slash_command`
+Available codemods: `sandbox: false` → `sandbox.agent: false`, `network.firewall` removal, `on.command` → `on.slash_command`, and more. Use `--list-codemods` to see all available fixes.
 
 #### `compile`
 
@@ -249,6 +249,22 @@ gh aw compile --purge                      # Remove orphaned .lock.yml files
 
 **Options:** `--validate`, `--strict`, `--fix`, `--zizmor`, `--dependabot`, `--json`, `--watch`, `--purge`
 
+**Error Reporting:** The compile command displays detailed error messages with the exact location and context of compilation failures:
+
+```text
+✗ Compiled 1 workflow(s): 1 error(s), 0 warning(s)
+.github/workflows/example.md:6:1: error: Unknown property: bad_field...
+3 |   workflow_dispatch:
+4 |
+5 | # Comment
+6 | bad_field: value
+    ^^^^^^^^^
+7 | ---
+✗ compilation failed
+```
+
+Error messages include file paths, line numbers, column positions, and contextual code snippets to help identify and resolve issues quickly.
+
 **Dependabot Integration (`--dependabot`):** Automatically generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`) and `.github/dependabot.yml` configuration by analyzing runtime tools (`npx`, `pip install`, `go install`) used across all workflows. This enables Dependabot to detect and update outdated dependencies. See [Dependabot Support reference](/gh-aw/reference/dependabot/) for details on handling Dependabot PRs.
 
 **Strict Mode (`--strict`):** Enforces security best practices: no write permissions (use [safe-outputs](/gh-aw/reference/safe-outputs/)), explicit `network` config, no wildcard domains, pinned Actions, no deprecated fields. See [Strict Mode reference](/gh-aw/reference/frontmatter/#strict-mode-strict).