Red Team Audit: High-Severity Heredoc Injection in Agent Markdown Allows Arbitrary Bash Execution
A critical security vulnerability has been identified in the agent compilation pipeline, allowing for arbitrary bash command execution. The flaw stems from the unsanitized injection of the `{{ agent_content }}` variable directly into a bash heredoc within generated pipeline YAML files. Because the markdown body is never checked for the heredoc terminator string `AGENT_PROMPT_EOF`, an attacker can inject this string on its own line to prematurely close the heredoc block. This action effectively escapes the intended script context, enabling the execution of any subsequent bash commands with the same elevated privileges as the pipeline agent.
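The following Rust snippet is an added illustration of the mechanism described above; it is not code from the audited project or its `src/compile` modules, and every name in it (`render_unchecked`, `render_checked`, `split_heredoc`, the `/tmp/agent_prompt.md` path, the sample markdown) is a constructed assumption. It shows the unsafe pattern of dropping `{{ agent_content }}` verbatim between a fixed `AGENT_PROMPT_EOF` opener and terminator, a check that flags a body line equal to that terminator, a small emulation of how bash decides where the heredoc ends, and a hardened renderer that quotes the delimiter (so bash performs no `$` expansion inside the body) and selects a delimiter that cannot collide with any body line.

```rust
// Added example, not the project's code. Names and paths are hypothetical.

const TERMINATOR: &str = "AGENT_PROMPT_EOF";

/// Unsafe rendering: the markdown body is interpolated verbatim between a
/// fixed heredoc opener and terminator, so a body line that equals the
/// terminator closes the heredoc early and everything after it is bash.
pub fn render_unchecked(agent_content: &str) -> String {
    format!(
        "cat > /tmp/agent_prompt.md <<{t}\n{body}\n{t}\n",
        t = TERMINATOR,
        body = agent_content
    )
}

/// Detection: true if any line of `content` is the terminator. Bash itself
/// requires an exact match, but trailing whitespace or a CR is stripped
/// here on purpose so near-misses are flagged as well.
pub fn contains_terminator_line(content: &str, terminator: &str) -> bool {
    content.lines().any(|line| line.trim_end() == terminator)
}

/// Emulates bash's heredoc boundary: reads the delimiter from the `<<`
/// opener on the first line (quotes stripped), collects body lines until a
/// line equals it exactly, and returns (body, lines bash would run as commands).
pub fn split_heredoc(script: &str) -> (Vec<String>, Vec<String>) {
    let mut lines = script.lines();
    let opener = lines.next().unwrap_or("");
    let delim = opener
        .rsplit("<<")
        .next()
        .unwrap_or("")
        .trim()
        .trim_matches('\'');
    let mut body = Vec::new();
    let mut rest = Vec::new();
    let mut in_body = true;
    for line in lines {
        if in_body && line == delim {
            in_body = false;
            continue;
        }
        if in_body {
            body.push(line.to_string());
        } else {
            rest.push(line.to_string());
        }
    }
    (body, rest)
}

/// Picks a delimiter that no body line can match by appending a numeric
/// suffix until there is no collision.
pub fn unique_terminator(content: &str) -> String {
    let mut candidate = TERMINATOR.to_string();
    let mut n = 0u32;
    while contains_terminator_line(content, &candidate) {
        n += 1;
        candidate = format!("{}_{}", TERMINATOR, n);
    }
    candidate
}

/// Hardened rendering: quoted delimiter (no parameter or command expansion
/// inside the body) plus a delimiter guaranteed not to appear in the body.
pub fn render_checked(agent_content: &str) -> String {
    let t = unique_terminator(agent_content);
    format!(
        "cat > /tmp/agent_prompt.md <<'{t}'\n{body}\n{t}\n",
        t = t,
        body = agent_content
    )
}

fn main() {
    // Constructed sample: a markdown body carrying the terminator on its own line.
    let sample = "Be helpful.\nAGENT_PROMPT_EOF\necho escaped-from-heredoc";
    println!("flagged: {}", contains_terminator_line(sample, TERMINATOR));
    let (_, leaked) = split_heredoc(&render_unchecked(sample));
    println!("lines bash would execute (unchecked): {:?}", leaked);
    let (_, leaked) = split_heredoc(&render_checked(sample));
    println!("lines bash would execute (checked):   {:?}", leaked);
}
```

In a compile step like the one the audit describes, `contains_terminator_line` is the cheap gate to run on every agent markdown before templating (fail the build and log the offending file), and `render_checked` is the shape the emitted YAML should take regardless of that gate, since quoting the delimiter also closes the separate expansion hazard of an unquoted heredoc.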
The vulnerability is exploitable and carries a high severity rating. It is present in multiple core code files, including `src/data/base.yml`, `src/data/1es-base.yml`, `src/compile/common.rs`, and `src/compile/mod.rs`. Successful exploitation grants an attacker full network access and the ability to access secrets available to the agent process, posing a direct threat to system integrity and data confidentiality.
This finding, categorized under Input Sanitization & Injection, highlights a fundamental failure in input validation for a critical templating component. The absence of sanitization for a known delimiter in a code-generation context creates a straightforward injection path. It places any deployment using this agent compilation system at immediate risk of compromise, demanding urgent remediation to prevent potential command execution and secret exfiltration.