[plan] Fix SC1003 single-quote escape syntax in `--allow-domains` arguments (158 occurrences, 23 workflows)

[github-actions]

Objective

Fix SC1003 (single-quote escape syntax) warnings in 23 workflows — 158 total occurrences — by correcting --allow-domains argument string escaping in the compiler or the affected workflow markdown files.

Context

From Static Analysis Report discussion #17668 (2026-02-22 scan):

• 158 SC1003 occurrences across 23 workflows
• SC1003: "This \' does not look right. Was it supposed to be \' within single-quotes or "'" for concatenation?"
• Concentrated in --allow-domains argument strings in Playwright tool configurations
• Top affected workflows: typist (20), semantic-function-refactor (12), daily-mcp-concurrency-analysis (12), go-logger (10)

Technical Analysis Needed

First, determine whether the issue is:

1. Compiler-generated — the compiler produces incorrect escape sequences in the shell script for --allow-domains arguments
2. Per-workflow markdown — individual workflow frontmatter contains incorrect escaping

Run: grep -n "allow-domains" .github/workflows/typist.lock.yml | head -20 to see the generated shell script.

Steps

1. Inspect the generated shell code in one affected lock file (e.g., typist.lock.yml) to identify the exact SC1003 pattern
2. Trace the escaping logic back to the compiler source in pkg/workflow/ — look for where allow_domains/allowed_domains values are serialized into shell arguments
3. Fix the escaping logic: either use proper quoting (double-quote the argument) or use correct bash escape sequences
4. Run make recompile to regenerate all lock files
5. Verify SC1003 is gone: actionlint .github/workflows/*.lock.yml 2>&1 | grep SC1003 | wc -l should return 0
6. Run make agent-finish to validate

Acceptance Criteria

• SC1003 no longer appears in any affected workflows
• --allow-domains arguments still work correctly at runtime
• make agent-finish passes

Generated by Plan Command for issue #discussion #17668

• expires on Feb 24, 2026, 7:00 AM UTC