fix: correct SEARCH_TITLE quoting and unsafe conditions in default-workflow

[rysweet]

Fixes #4206 — adaptive smart-orchestrator/default-workflow failed due to broken SEARCH_TITLE quoting and unsafe not in [...] conditions.

Changes

• Fix SEARCH_TITLE single-quote escaping in step-03-create-issue: ''' -> '' for WIQL-safe ADO search titles
• Rewrite 4 unsafe not in [...] conditions to explicit != ... and ... != ... checks
• Add regression coverage in tests/recipes/test_step03_bash_quoting.py
• Add regression coverage in tests/recipes/test_default_workflow_no_unsafe_conditions.py
• Add gadugi outside-in scenario tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
• Refresh generated atlas metadata in docs/atlas/ast-lsp-bindings/index.md

Merge readiness

QA-team evidence

• Scenario files: tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
• Validation command: npx gadugi-test validate -f tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml
• Validation result: passed
• Run command: npx gadugi-test run -d tests/gadugi -s pr-4207-default-workflow-quoting-and-conditions
• Run target: local PR worktree
• Run result: passed
• Evidence location: outputs/sessions/session_9538752d-6c59-490a-9ffd-e262f50f57d3_2026-04-03T15-52-14-686Z.json (1 passed, 0 failed)

Documentation

• User-facing docs impact: yes (generated atlas refresh only)
• Updated docs: docs/atlas/ast-lsp-bindings/index.md
• PR description links added: n/a
• Rationale if not applicable: workflow and regression-test surfaces are internal-only; the atlas file is generated metadata already carried by the PR diff, so no additional narrative docs update was needed

Quality-audit

• Cycle 1 summary: found 1 medium issue in the new gadugi scenario (grep -c 'not in [' produced a false-positive pass path); replaced it with a literal Python count and reran gadugi validate/run
• Cycle 2 summary: found 1 medium issue in the new gadugi scenario (the SEARCH_TITLE check could not distinguish the fixed form from the buggy 3-char form); replaced it with a behavioral check that executes the recipe's actual SEARCH_TITLE assignment and asserts doubled quotes
• Cycle 3 summary: final clean cycle via 3 independent PR-scoped reviews (pr4207-clean-a, pr4207-clean-b, pr4207-clean-c) reported no medium/high/critical findings
• Additional cycles: none
• Final clean cycle: 3
• Fixes followed default-workflow: partial — the core workflow fix in this PR already existed; merge-ready QA artifact corrections were applied manually after branch-scoped orchestration produced flawed QA output
• Convergence summary: two real medium QA-evidence defects were fixed; direct gadugi validate/run passes and the final three-reviewer clean cycle all converged on no remaining medium+ issues in the scoped PR surfaces

CI

• Checks command: gh pr checks 4207
• Result: all green
• Skipped checks: Atlas Staleness Gate, Scheduled Full Atlas Rebuild, Invisible Character Scan/scan, Bot Detection/activation, Bot Detection/agent, Bot Detection/conclusion, Bot Detection/safe_outputs (normal skipped jobs for this PR)
• Flaky reruns performed: none
• Real failures fixed: none

Scope

• Changed files reviewed: amplifier-bundle/recipes/default-workflow.yaml, docs/atlas/ast-lsp-bindings/index.md, tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml, tests/recipes/test_default_workflow_no_unsafe_conditions.py, tests/recipes/test_step03_bash_quoting.py
• Unrelated changes: none

Verdict

• Merge-ready: yes
• Remaining blockers: none

[github-actions]

Repo Guardian - Passed

All 3 changed files are durable project artifacts. No ephemeral content detected.

File	Type	Assessment
amplifier-bundle/recipes/default-workflow.yaml	Configuration	Core workflow recipe — condition syntax fix (not in [...] → != … and …). Durable tooling.
tests/recipes/test_default_workflow_no_unsafe_conditions.py	Test	Regression tests for parser-safe condition expressions (issue #4206). Durable test code.
tests/recipes/test_step03_bash_quoting.py	Test	Regression tests for step-03 shell quoting safety (issue #4206). Durable test code.

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207 · ◷

[github-actions]

Repo Guardian - Passed

All 5 changed files are durable project artifacts. No ephemeral content detected.

File	Type	Assessment
.claude/context/PROJECT.md	Configuration	Project metadata update (name and language list). Classified as documentation/configuration per project rules.
.secrets.baseline	Tooling	Auto-regenerated detect-secrets baseline — line number and timestamp update. Standard project tooling.
amplifier-bundle/recipes/default-workflow.yaml	Configuration	Core workflow recipe — condition syntax fix (not in [...] → != … and …). Durable tooling.
tests/recipes/test_default_workflow_no_unsafe_conditions.py	Test	Regression tests for parser-safe condition expressions (issue #4206). Durable test code.
tests/recipes/test_step03_bash_quoting.py	Test	Regression tests for step-03 shell quoting safety (issue #4206). Durable test code.

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207 · ◷

[github-actions]

Repo Guardian - Passed

All 3 changed files are durable project artifacts. No ephemeral content detected.

File	Type	Assessment
amplifier-bundle/recipes/default-workflow.yaml	Configuration	Core workflow recipe — condition syntax fix (not in [...] → != … and …) for Rust runner compatibility. Durable tooling.
tests/recipes/test_default_workflow_no_unsafe_conditions.py	Test	Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code.
tests/recipes/test_step03_bash_quoting.py	Test	Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code.

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207 · ◷

[github-actions]

Repo Guardian - Passed

All 4 changed files are durable project artifacts. No ephemeral content detected.

File	Type	Assessment
amplifier-bundle/recipes/default-workflow.yaml	Configuration	Core workflow recipe — condition syntax fix (not in [...] → != … and …) for Rust runner compatibility, and bash quoting fix. Durable tooling.
docs/atlas/ast-lsp-bindings/index.md	Generated Docs	Auto-generated code atlas metrics, intentionally refreshed as part of this PR (docs(atlas): refresh commit). Part of a formal docs/atlas/ documentation system — durable by design.
tests/recipes/test_default_workflow_no_unsafe_conditions.py	Test	Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code.
tests/recipes/test_step03_bash_quoting.py	Test	Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code.

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207 · ◷

[github-actions]

Repo Guardian - Passed

All 5 changed files are durable project artifacts. No ephemeral content detected.

File	Type	Assessment
amplifier-bundle/recipes/default-workflow.yaml	Configuration	Core workflow recipe — bash quoting fix and condition syntax rewrite (not in [...] → != … and …) for Rust runner compatibility. Durable tooling.
docs/atlas/ast-lsp-bindings/index.md	Generated Docs	Auto-generated code atlas metrics, refreshed as part of this PR. Part of the formal docs/atlas/ documentation system — durable by design.
tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml	Test	Regression test verifying durable behavioral invariants (no not in [...] conditions, 2-char SQL-safe quoting). The pr-4207 prefix in the filename is a naming convention note only — the test content is permanent and won't become stale. Structured with version, steps, cleanup, and metadata consistent with the project's permanent test infrastructure.
tests/recipes/test_default_workflow_no_unsafe_conditions.py	Test	Regression tests (222 lines) guarding parser-safe condition expressions (issue #4206). Properly structured in tests/. Durable test code.
tests/recipes/test_step03_bash_quoting.py	Test	Regression tests (369 lines) for step-03 shell quoting safety and SQL injection prevention (issue #4206). Properly structured in tests/. Durable test code.

No violations found. This PR is clear to merge from a repository hygiene perspective.

Generated by Repo Guardian for issue #4207 · ◷

[github-actions]

PR Triage Report

Risk: Low | Priority: High | Verdict: Needs Review | CI: All green

Summary

Targeted fix for broken SEARCH_TITLE quoting and unsafe not in [...] conditions in default-workflow. Fixes issue #4206.

Scope Assessment

Area	Files	Notes
Core recipe	amplifier-bundle/recipes/default-workflow.yaml	Fix SEARCH_TITLE single-quote escaping; rewrite 4 unsafe not in [...] conditions to != ... and ... != ...
Atlas	docs/atlas/ast-lsp-bindings/index.md	Generated metadata refresh
Tests	2 new regression test files	test_step03_bash_quoting.py, test_default_workflow_no_unsafe_conditions.py
Outside-in	tests/gadugi/pr-4207-default-workflow-quoting-and-conditions.yaml	Gadugi scenario validates and passes

Risk Factors

• Workflow control-flow condition changes (fixing unsafe constructs → strictly an improvement)
• Quality audit: 3 cycles, converged on no medium+ findings
• GitGuardian: passed (no secret exposure)

CI Status

All checks passed: Validate Code, Check Version Bump, MkDocs Navigation, Documentation Policy, Link Validation (Local), Code Examples, GitGuardian Security — all green.

Recommendation

Low-risk, high-priority. Fixes real behavioral issues (broken WIQL search titles causing ADO failures, unsafe not in conditions). All checks pass, quality audit complete. Expedited review recommended — this unblocks ADO-dependent workflows.

Generated by PR Triage Agent · ◷

[rysweet]

Superseded by PRs #4367-4370 (merged) which fixed SEARCH_TITLE quoting and conditions in default-workflow.