fix(scaffold): quote token_env with yamlEscape; advance workflow to tui

token_env was missed in the PR #10 review-fix pass. Applies the same
double-quote + yamlEscape treatment as name/description to close the
remaining YAML injection vector in the token auth block.

Also advances Specwright workflow state: scaffold shipped, tui building.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: MacAttak

.specwright/state/workflow.json

@@ -3,7 +3,7 @@
   "currentWork": {
     "id": "toolwright-completions",
     "description": "Implement remaining design vision: init scaffolding, TUI wizard, AI manifest generation, infrastructure wiring",
-    "status": "shipped",
+    "status": "building",
     "workDir": ".specwright/work/toolwright-completions/units/tui",
     "unitId": "tui",
     "tasksTotal": null,
@@ -19,5 +19,5 @@
     { "id": "wiring", "description": "JSON Schema, exit codes, debug logging, wire.go production wiring, cleanup", "status": "planned", "order": 4, "workDir": ".specwright/work/toolwright-completions/units/wiring" }
   ],
   "lock": null,
-  "lastUpdated": "2026-03-05T12:00:00Z"
+  "lastUpdated": "2026-03-06T00:00:00Z"
 }

internal/scaffold/scaffold_test.go

@@ -41,7 +41,7 @@ tools:
 {{- if eq .Auth "token"}}
 auth:
   type: token
-  token_env: {{.Name | upper}}_TOKEN
+  token_env: "{{.Name | upper | yamlEscape}}_TOKEN"
   token_flag: --token
 {{- else if eq .Auth "oauth2"}}
 auth:

templates/init/toolwright.yaml.tmpl

@@ -14,7 +14,7 @@ tools:
 {{- if eq .Auth "token"}}
 auth:
   type: token
-  token_env: {{.Name | upper}}_TOKEN
+  token_env: "{{.Name | upper | yamlEscape}}_TOKEN"
   token_flag: --token
 {{- else if eq .Auth "oauth2"}}
 auth: