fix(compile): guard runtime-import marker paths against whitespace and ##vso injection

Addresses three findings from the 2026-05-19 Rust PR review on #625:

1. Reject whitespace in agent source paths at compile time when
   inlined-imports is false. The runtime resolver
   (scripts/ado-script/src/import/index.ts) matches marker bodies with
   [^\s}]+, so a space silently truncated the path and produced either
   a misleading runtime `file not found` or, for optional markers, an
   unexpanded marker visible to the LLM. Mirrors the existing
   resolve_imports_inline guard.

2. Aggregate all import errors instead of reporting only the first.
   Previously hadError ??= captured one failure and silently swallowed
   subsequent ones. Now every missing/unreadable required marker emits
   its own ##vso[task.logissue type=error] line before exit(1).

3. Sanitize rawPath in ##vso error output. Strips `]`, CR, and LF
   from path strings embedded in diagnostic lines so an unusual
   path can no longer break the ##vso command framing.

Tests:
* tests/compiler_tests.rs::test_runtime_imports_default_rejects_source_path_with_whitespace
* scripts/ado-script/src/import/__tests__/error-reporting.test.ts (2 cases)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

scripts/ado-script/src/import/__tests__/error-reporting.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it } from "vitest";
+import { readText, runImportSource, withScratchDir, writeFixture } from "./helpers.js";
+
+describe("runtime-import error reporting", () => {
+  it("reports every missing required marker, not just the first", () => {
+    withScratchDir("multiple-missing", (dir) => {
+      const original = [
+        "head",
+        "{{#runtime-import ./missing-one.md}}",
+        "{{#runtime-import ./missing-two.md}}",
+        "tail",
+        "",
+      ].join("\n");
+      const target = writeFixture(dir, "prompt.md", original);
+
+      const result = runImportSource(target);
+
+      expect(result.status).toBe(1);
+      expect(result.stderr).toBe("");
+      expect(result.stdout).toBe(
+        [
+          "##vso[task.logissue type=error]runtime-import: file not found: ./missing-one.md",
+          "##vso[task.logissue type=error]runtime-import: file not found: ./missing-two.md",
+          "",
+        ].join("\n"),
+      );
+      // Target file must NOT be overwritten on error.
+      expect(readText(target)).toBe(original);
+    });
+  });
+
+  it("strips characters that would break the ##vso command framing", () => {
+    withScratchDir("vso-injection", (dir) => {
+      // The path contains `]` which would close the ##vso bracket
+      // prematurely, and the marker is the only one in the file so the
+      // diagnostic line is deterministic.
+      const target = writeFixture(
+        dir,
+        "prompt.md",
+        "{{#runtime-import ./bad]type=warning]injected.md}}\n",
+      );
+
+      const result = runImportSource(target);
+
+      expect(result.status).toBe(1);
+      expect(result.stderr).toBe("");
+      // `]` characters are stripped from the path in the error message.
+      expect(result.stdout).toBe(
+        "##vso[task.logissue type=error]runtime-import: file not found: ./badtype=warninginjected.md\n",
+      );
+    });
+  });
+});

scripts/ado-script/src/import/index.ts

@@ -3,23 +3,37 @@ import { dirname, isAbsolute, resolve } from "node:path";
 
 const MARKER = /\{\{#runtime-import(\?)?\s+([^\s}]+)\s*\}\}/g;
 
-function fail(msg: string): never {
-  process.stdout.write(`##vso[task.logissue type=error]runtime-import: ${msg}\n`);
+// Strip characters that would let an attacker-controlled `rawPath` break
+// out of the `##vso[task.logissue type=error]…` framing:
+//   * `]`  — closes the VSO command bracket prematurely.
+//   * `\r`, `\n` — split the diagnostic line so subsequent text would be
+//      parsed as a new ADO logging command.
+// Marker paths normally come from a compile-time-generated location, but
+// `import.js` is also invoked against arbitrary author-written markers in
+// the agent body, so this is a defence-in-depth guard.
+function sanitizeForVsoMessage(value: string): string {
+  return value.replace(/[\]\r\n]/g, "");
+}
+
+function fail(messages: string[]): never {
+  for (const msg of messages) {
+    process.stdout.write(`##vso[task.logissue type=error]runtime-import: ${msg}\n`);
+  }
   process.exit(1);
 }
 
 function main(): void {
   const target = process.argv[2];
   if (!target) {
-    fail("missing target file argument");
+    fail(["missing target file argument"]);
   }
   if (!existsSync(target)) {
-    fail(`target file not found: ${target}`);
+    fail([`target file not found: ${sanitizeForVsoMessage(target)}`]);
   }
 
   const base = process.env.ADO_AW_IMPORT_BASE ?? dirname(target);
   const original = readFileSync(target, "utf8");
-  let hadError: string | null = null;
+  const errors: string[] = [];
 
   // Single-pass by design: imported snippets are inserted verbatim and any
   // nested runtime-import markers inside them are not expanded. This matches
@@ -31,20 +45,22 @@ function main(): void {
       if (optional === "?") {
         return "";
       }
-      hadError ??= `file not found: ${rawPath}`;
+      errors.push(`file not found: ${sanitizeForVsoMessage(rawPath)}`);
       return "";
     }
 
     try {
       return readFileSync(absPath, "utf8");
     } catch (error) {
-      hadError ??= `failed to read ${rawPath}: ${(error as Error).message}`;
+      errors.push(
+        `failed to read ${sanitizeForVsoMessage(rawPath)}: ${sanitizeForVsoMessage((error as Error).message)}`,
+      );
       return "";
     }
   });
 
-  if (hadError) {
-    fail(hadError);
+  if (errors.length > 0) {
+    fail(errors);
   }
   writeFileSync(target, expanded, "utf8");
 }

src/compile/common.rs

@@ -3218,6 +3218,21 @@ pub async fn compile_shared(
     } else {
         let agent_marker_path =
             source_path.replace("{{ trigger_repo_directory }}", &trigger_repo_directory);
+        // The runtime resolver (`scripts/ado-script/src/import/index.ts`)
+        // matches marker bodies with `[^\s}]+`, which truncates at the
+        // first whitespace character. If the agent's source path contains
+        // a space (e.g. `my agents/pipeline.md`), the resolver would
+        // silently parse a truncated path, fail the existence check, and
+        // surface a misleading error — or, worse, leave the marker
+        // unexpanded if optional. Reject at compile time so the failure
+        // mode is a clear compile error, not a confusing runtime one.
+        // This mirrors the same guard in `resolve_imports_inline` for the
+        // inlined-imports path.
+        anyhow::ensure!(
+            !agent_marker_path.chars().any(char::is_whitespace),
+            "runtime-import: agent source path '{}' contains whitespace, which is not supported by the runtime resolver (rename the path to remove spaces, or set `inlined-imports: true`)",
+            agent_marker_path
+        );
         format!("{{{{#runtime-import {}}}}}", agent_marker_path)
     };
 

tests/compiler_tests.rs

@@ -3829,6 +3829,69 @@ fn test_stage_inlined_imports_true_resolves_author_markers() {
     assert_runtime_imports_author_marker_output("runtime_imports_author_marker_stage.md");
 }
 
+/// Compile a default-mode (inlined-imports: false) agent whose source path
+/// contains a space. The runtime resolver matches marker bodies with
+/// `[^\s}]+`, so a space would silently truncate the marker at runtime and
+/// surface a confusing "file not found" error (or, for optional markers,
+/// leave the marker unexpanded). Reject at compile time so the failure is
+/// a clear, actionable compile error rather than a runtime data-integrity
+/// bug.
+#[test]
+fn test_runtime_imports_default_rejects_source_path_with_whitespace() {
+    use std::sync::atomic::{AtomicU64, Ordering};
+    static COUNTER: AtomicU64 = AtomicU64::new(0);
+    let unique_id = COUNTER.fetch_add(1, Ordering::Relaxed);
+
+    // Use a top-level temp dir (NOT under the repo) so the compiler can't
+    // discover a git root and rebase the path on it.
+    let temp_dir = std::env::temp_dir().join(format!(
+        "agentic-pipeline-spaced-path-{}-{}",
+        std::process::id(),
+        unique_id,
+    ));
+    let spaced_dir = temp_dir.join("my agents");
+    fs::create_dir_all(&spaced_dir).expect("Failed to create spaced temp dir");
+    // generate_source_path falls back to the filename only when it can't
+    // locate a git root above the input path — which would hide the space
+    // from the marker. Create an empty `.git` marker so the spaced dir is
+    // resolved relative to a discoverable repo root and the space ends up
+    // in the runtime-import marker (i.e. exercises the new guard).
+    fs::create_dir_all(temp_dir.join(".git")).expect("Failed to create .git marker");
+
+    let input = "---\nname: \"Spaced Path Agent\"\ndescription: \"Agent whose source path contains a space\"\n---\n\n## Body\n\nhello\n";
+    let input_path = spaced_dir.join("pipeline.md");
+    let output_path = spaced_dir.join("pipeline.yml");
+    fs::write(&input_path, input).unwrap();
+
+    let binary_path = PathBuf::from(env!("CARGO_BIN_EXE_ado-aw"));
+    let output = std::process::Command::new(&binary_path)
+        .args([
+            "compile",
+            input_path.to_str().unwrap(),
+            "-o",
+            output_path.to_str().unwrap(),
+        ])
+        .output()
+        .expect("Failed to run compiler");
+
+    assert!(
+        !output.status.success(),
+        "Compiler should fail when source path contains whitespace and inlined-imports is false"
+    );
+
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(
+        stderr.contains("contains whitespace"),
+        "Error message should mention whitespace: {stderr}"
+    );
+    assert!(
+        stderr.contains("inlined-imports: true"),
+        "Error message should suggest inlined-imports as an escape hatch: {stderr}"
+    );
+
+    let _ = fs::remove_dir_all(&temp_dir);
+}
+
 /// Test that the 1ES fixture produces valid YAML with correct structure
 #[test]
 fn test_1es_compiled_output_is_valid_yaml() {