fix(wfctl): validate env names in CI gen; fix secret store priority order

- ci_init.go: add safeEnvNameRe guard to skip env names with unsafe
  characters that could inject shell commands or corrupt generated YAML
- secrets_setup.go: reorder resolveSecretStoreForSetup priority so
  per-secret store field takes precedence over environment override,
  matching runtime ResolveSecretStore behavior

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: intel352

cmd/wfctl/ci_init.go

@@ -4,12 +4,18 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/GoCodeAlone/workflow/config"
 	"gopkg.in/yaml.v3"
 )
 
+// safeEnvNameRe matches environment names that are safe to embed in shell run
+// commands and YAML values. Only alphanumerics, hyphens, underscores, and dots
+// are permitted; anything else could inject commands or corrupt the YAML.
+var safeEnvNameRe = regexp.MustCompile(`^[a-zA-Z0-9_.\-]+$`)
+
 func runCIInit(args []string) error {
 	fs := flag.NewFlagSet("ci init", flag.ContinueOnError)
 	platform := fs.String("platform", "github-actions", "CI platform: github-actions, gitlab-ci")
@@ -98,6 +104,11 @@ func generateGHABootstrap(cfg *config.WorkflowConfig) string {
 			if env == nil {
 				continue
 			}
+			if !safeEnvNameRe.MatchString(envName) {
+				// Skip environments whose names would corrupt the generated YAML or
+				// inject shell commands. Names must be [a-zA-Z0-9_.-] only.
+				continue
+			}
 			jobName := "deploy-" + strings.ReplaceAll(envName, ".", "-")
 			sb.WriteString("  " + jobName + ":\n")
 			sb.WriteString("    runs-on: ubuntu-latest\n")
@@ -125,6 +136,9 @@ func generateGitLabCIBootstrap(cfg *config.WorkflowConfig) string {
 	// Add deploy stages for each environment.
 	if cfg != nil && cfg.CI != nil && cfg.CI.Deploy != nil {
 		for envName := range cfg.CI.Deploy.Environments {
+			if !safeEnvNameRe.MatchString(envName) {
+				continue
+			}
 			sb.WriteString("  - deploy-" + strings.ReplaceAll(envName, ".", "-") + "\n")
 		}
 	}
@@ -152,6 +166,9 @@ func generateGitLabCIBootstrap(cfg *config.WorkflowConfig) string {
 			if env == nil {
 				continue
 			}
+			if !safeEnvNameRe.MatchString(envName) {
+				continue
+			}
 			stageID := strings.ReplaceAll(envName, ".", "-")
 			sb.WriteString("\ndeploy-" + stageID + ":\n")
 			sb.WriteString("  stage: deploy-" + stageID + "\n")

cmd/wfctl/secrets_setup.go

@@ -74,6 +74,11 @@ Options:
 		// Auto-generate for key/secret/token names if flag is set.
 		if *autoGenKeys && existing == "" && isAutoGenCandidate(entry.Name) {
 			val := generateSecretValue()
+			if val == "" {
+				fmt.Printf("  %-24s  [ERROR] crypto/rand unavailable; cannot auto-generate\n", entry.Name)
+				skipped++
+				continue
+			}
 			if setErr := provider.Set(ctx, entry.Name, val); setErr != nil {
 				fmt.Printf("  %-24s  [ERROR] %v\n", entry.Name, setErr)
 			} else {
@@ -119,18 +124,19 @@ Options:
 }
 
 // resolveSecretStoreForSetup determines which store to use for a secret in a given environment.
-// Priority: environment override → per-secret store field → defaultStore → legacy provider → "env".
+// Priority: per-secret store field → environment override → defaultStore → legacy provider → "env".
+// This matches the order in ResolveSecretStore so that setup and runtime agree on which store owns a secret.
 func resolveSecretStoreForSetup(entry config.SecretEntry, envName string, cfg *config.WorkflowConfig) string {
-	// 1. Environment-level store override.
+	// 1. Per-secret store field (highest priority).
+	if entry.Store != "" {
+		return entry.Store
+	}
+	// 2. Environment-level store override.
 	if cfg.Environments != nil {
 		if env, ok := cfg.Environments[envName]; ok && env.SecretsProvider != "" {
 			return env.SecretsProvider
 		}
 	}
-	// 2. Per-secret store field.
-	if entry.Store != "" {
-		return entry.Store
-	}
 	// 3. Default store from secretStores config.
 	if cfg.Secrets != nil && cfg.Secrets.DefaultStore != "" {
 		return cfg.Secrets.DefaultStore