src/compile/filter_ir.rs:
step.push_str(&format!(" name: {}\n", ctx.step_name()));
step.push_str(&format!(" displayName: \"{}\"\n", ctx.display_name()));
These values come from &'static str constants so there's no injection risk today. But the pattern is fragile — a future GateContext variant with a display name containing " or \n would silently produce invalid YAML. Suggest serializing via serde_yaml or at minimum YAML-escaping display names.
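An added illustration of the "at minimum YAML-escaping" option, not part of the review comment or of the project's code: a std-only escaper for YAML double-quoted scalars, shown beside the unescaped pattern. The helper names (`yaml_dq`, `render_naive`, `render_escaped`) and the sample display name are assumptions made for this example.

```rust
// Added example, std only. `yaml_dq`, `render_naive` and `render_escaped`
// are hypothetical helpers, not code from the project under review.

/// Escape `s` as a YAML double-quoted scalar, surrounding quotes included.
fn yaml_dq(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '"' => out.push_str("\\\""),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            // Remaining C0 control characters and DEL use the \xNN form.
            c if (c as u32) < 0x20 || c == '\u{7f}' => {
                out.push_str(&format!("\\x{:02x}", c as u32))
            }
            // NEL, LS and PS are also line breaks to a YAML parser.
            '\u{85}' | '\u{2028}' | '\u{2029}' => {
                out.push_str(&format!("\\u{:04x}", c as u32))
            }
            _ => out.push(c),
        }
    }
    out.push('"');
    out
}

/// The pattern from the comment: the value is placed between quotes as-is.
fn render_naive(name: &str, display: &str) -> String {
    format!(" name: {}\n displayName: \"{}\"\n", name, display)
}

/// Same output shape, with the display name escaped before interpolation.
fn render_escaped(name: &str, display: &str) -> String {
    format!(" name: {}\n displayName: {}\n", name, yaml_dq(display))
}

fn main() {
    // Constructed input: a display name containing a quote and a newline.
    let display = "Check \"PR\" filter\nline two";
    print!("{}", render_naive("gate_a", display));   // spills onto a third line
    print!("{}", render_escaped("gate_a", display)); // stays a two-line mapping
}
```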