bmad-testarch-ci
Warn
Audited by Socket on Apr 26, 2026
1 alert found:
Security (MEDIUM): steps-c/step-04-validate-and-summary.md
No explicit malicious payload is visible in the fragment itself, but it contains a high-impact supply-chain design pattern: it conditionally executes a dynamically returned `workflow.on_complete` value from a resolver script as a terminal command. If resolver outputs or their inputs can be influenced (directly or indirectly) by untrusted data, this can enable arbitrary command execution in CI. The file-writing to `{outputFile}` is comparatively lower risk, but path/control of `{outputFile}` should still be validated in the larger workflow.
Confidence: 62%
Severity: 70%
Audit Metadata