Add automated template validation script and CI workflow #18

Open
thisrohangupta wants to merge 1 commit into main from claude/review-agents-repo-OcZfk

@thisrohangupta
Owner

  • Create scripts/validate-templates.py to validate templates against
    claude.md rules (metadata.json, pipeline.yaml, wiki.MD)
  • Add .github/workflows/validate-templates.yml to run validation on PRs
    and pushes to main branch
  • Workflow detects changed templates and validates only those for efficiency
  • Posts helpful comments on PRs when validation fails

https://claude.ai/code/session_01CNXP5sGoJZxN8EjKxQT6Ew

@github-actions

github-actions bot commented Feb 5, 2026

Template Validation Failed

The template validation check has failed. Please review the workflow logs for details.

Common Issues

  • metadata.json: Ensure name is lowercase with spaces only (e.g., code review)
  • metadata.json: Ensure version follows semver format (e.g., 1.0.0)
  • pipeline.yaml: Ensure version: 1 is present at top level
  • pipeline.yaml: Ensure all stages have unique names

View workflow logs


This comment was automatically generated by the template validation workflow.

@claude

claude bot commented Feb 5, 2026

Command Injection Vulnerability

The workflow_dispatch input template is directly interpolated into a shell command without proper sanitization. An attacker with permission to trigger the workflow could inject arbitrary shell commands through the template input parameter.

Issue: The expression is evaluated by GitHub Actions before the shell command runs, meaning shell metacharacters in the input are not escaped.

Fix: Pass the input through an environment variable instead of direct interpolation.

Reference:

    run: |
      chmod +x scripts/validate-templates.py
      if [ -n "${{ github.event.inputs.template }}" ]; then
        python scripts/validate-templates.py "templates/${{ github.event.inputs.template }}"
      else
        python scripts/validate-templates.py
      fi
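
Added example, not part of the PR or of either bot comment: a small check that flags untrusted `${{ }}` expressions inside `run:` scripts, shown against the step quoted above and against the same step with the input passed through an environment variable. The function name, the `TEMPLATE` variable name, the short list of untrusted contexts and both sample workflows are assumptions constructed for illustration.

```python
import re

# Contexts a workflow caller or PR author controls (a deliberately small subset).
UNTRUSTED = re.compile(
    r"\$\{\{\s*((?:github\.event\.inputs|inputs)\.[\w-]+|github\.head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} inside run: scripts."""
    findings, run_col = [], None  # run_col: column of `run:` while in its block
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent closes the block scalar
        script = line if run_col is not None else None
        key = RUN_KEY.match(line) if run_col is None else None
        if key and key.group(2)[:1] in ("|", ">"):
            run_col = len(key.group(1))  # multi-line script starts on next line
        elif key:
            script = key.group(2)  # single-line `run: cmd`
        if script:
            findings += [(no, m.group(1)) for m in UNTRUSTED.finditer(script)]
    return findings

# Constructed sample mirroring the step quoted in the review comment.
VULNERABLE = """\
steps:
  - name: Validate
    run: |
      if [ -n "${{ github.event.inputs.template }}" ]; then
        python scripts/validate-templates.py "templates/${{ github.event.inputs.template }}"
      else
        python scripts/validate-templates.py
      fi
"""

# Same step with the input passed through env; TEMPLATE is an assumed name.
HARDENED = """\
steps:
  - name: Validate
    env:
      TEMPLATE: ${{ github.event.inputs.template }}
    run: |
      if [ -n "$TEMPLATE" ]; then
        python scripts/validate-templates.py "templates/$TEMPLATE"
      else
        python scripts/validate-templates.py
      fi
"""
```

In the hardened step the expression appears only under `env:`, so the runner sets it as a variable value and the shell expands `"$TEMPLATE"` as data instead of parsing it as script text.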
