feat(workflow-scanner): E11 part 1 — core file-walk + 23-field blacklist + sink-restriction

Adds a deterministic GitHub Actions / Forgejo Actions injection
scanner. Detects \${{ <dangerous-field> }} interpolations inside
\`run:\` step blocks under privileged or semi-privileged triggers.
Sink-restricted: \`if:\` / \`with:\` / \`env:\` (block-level) are
evaluated by the runner expression engine, not the shell, so they
are NOT injection sinks and are suppressed at parser level.

Why: workflow expression injection is the most prevalent SAST class
on GitHub (CodeQL preview: 800K+ findings across 158K repos). The
graduated severity matrix (HIGH for pull_request_target / discussion
/ workflow_run; MEDIUM for pull_request / workflow_dispatch) is the
community-converged calibration target — uniform HIGH causes alert
fatigue.

Components:
- scanners/lib/workflow-yaml-state.mjs — line-based YAML state
  machine. Tracks indentation, parent-context stack, and
  \`run: |\` / \`run: >\` block-scalar entry/exit. Zero deps.
- scanners/workflow-scanner.mjs — discoverWorkflows() probes
  .github/workflows/ and .forgejo/workflows/ directly (file-discovery
  has no glob include). 23-field blacklist (GHSL 17 + 6 GlueStack-
  class additions). Platform encoded via file path; no schema
  extension to finding(). Forgejo-specific: workflow_run advisory
  emitted to stderr; recommendation text mentions Forgejo's
  server-level token scoping (job-level permissions: is ignored).
- knowledge/workflow-injection-patterns.md — 23-field blacklist,
  trigger taxonomy, severity matrix, Forgejo divergences, NVD CVE
  corpus.

Tests (47 new):
- tests/lib/workflow-yaml-state.test.mjs (15): trigger forms
  (string / inline-list / block-list / block-mapping), single-line
  run, block-scalar | and > tracking, env/with sink-mismatch,
  multi-line, comment stripping, line-number accuracy.
- tests/scanners/workflow-scanner.test.mjs (14): TP head_ref
  pull_request_target, TP discussion.title gluestack pattern,
  TP comment.body pull_request, TP issue.body block-scalar,
  FP if-context, FP env-block, INFO numeric, Forgejo TP, Forgejo
  workflow_run advisory, envelope shape, WFL prefix.
- 9 fixtures in tests/fixtures/workflows/{.github,.forgejo}/workflows/.

Out of scope (B4 / Batch D):
- Re-interpolation detection (env.VAR after env: from blacklisted source)
- github.actor authorization-bypass category
- WFL prefix in severity.mjs OWASP maps + scan-orchestrator
  registration (B4)
- Composite-action input tracing, GITHUB_ENV poisoning (Batch D)

Test count: 1685 → 1732 (+47). Pre-compact-scan flake unchanged
(passes in isolation).

plugins/llm-security/tests/fixtures/workflows/.forgejo/workflows/forgejo-tp.yml

@@ -0,0 +1,11 @@
+name: forgejo head_ref echo (TP — Forgejo + pull_request)
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  echo-ref:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo head ref
+        run: echo "Forgejo head_ref ${{ forgejo.head_ref }}"

plugins/llm-security/tests/fixtures/workflows/.forgejo/workflows/forgejo-workflow-run.yml

@@ -0,0 +1,12 @@
+name: forgejo workflow_run divergence (advisory)
+on:
+  workflow_run:
+    workflows: ["build"]
+    types: [completed]
+
+jobs:
+  echo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo title
+        run: echo "Title was ${{ forgejo.event.pull_request.title }}"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/fp-env-block.yml

@@ -0,0 +1,14 @@
+name: env block-level mapping (FP — bind, not exec)
+on:
+  pull_request_target:
+    branches: [main]
+
+env:
+  PR_TITLE: ${{ github.event.pull_request.title }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Use env safely
+        run: echo "$PR_TITLE"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/fp-if-context.yml

@@ -0,0 +1,12 @@
+name: if-context evaluation (FP — engine, not shell)
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  conditional:
+    runs-on: ubuntu-latest
+    if: ${{ startsWith(github.head_ref, 'release/') }}
+    steps:
+      - name: Run only on release branches
+        run: echo "release branch detected"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/fp-numeric-field.yml

@@ -0,0 +1,11 @@
+name: numeric-field run: (FP/INFO — character-set guarantees no shell metas)
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  log-pr-number:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo PR number
+        run: echo "PR ${{ github.event.pull_request.number }}"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/tp-block-scalar-run.yml

@@ -0,0 +1,14 @@
+name: multi-line run scalar (TP — block-scalar tracking)
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Multi-line script
+        run: |
+          echo "Issue title:"
+          echo "${{ github.event.issue.body }}"
+          echo "----"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/tp-discussion-title.yml

@@ -0,0 +1,11 @@
+name: discussion welcome (TP — gluestack CVE-2025-53104 pattern)
+on:
+  discussion:
+    types: [created]
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Welcome
+        run: echo "New discussion: ${{ github.event.discussion.title }}"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/tp-prtarget-head-ref.yml

@@ -0,0 +1,11 @@
+name: pwn-request demo (TP)
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo head ref
+        run: echo "Building branch ${{ github.head_ref }}"

plugins/llm-security/tests/fixtures/workflows/.github/workflows/tp-pull-request-comment.yml

@@ -0,0 +1,11 @@
+name: comment echo (TP — pull_request, MEDIUM)
+on:
+  pull_request:
+    types: [opened, edited]
+
+jobs:
+  echo-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Echo body
+        run: echo "Comment said ${{ github.event.comment.body }}"