feat(wfe-yaml): add log streaming to shell executor + security hardening

Shell step streaming: when LogSink is present, uses cmd.spawn() with
tokio::select! to interleave stdout/stderr line-by-line. Respects
timeout_ms with child.kill() on timeout. Falls back to buffered mode
when no LogSink.

Security: block sensitive env var overrides (PATH, LD_PRELOAD, etc.)
from workflow data injection. Proper error handling for pipe capture.

4 LogSink regression tests + 2 env var security regression tests.
2026-04-01 14:33:53 +01:00
parent 7a9af8015e
commit c63bf7b814
5 changed files with 393 additions and 21 deletions

@@ -1082,6 +1082,7 @@ workflows:
workflow: &workflow,
cancellation_token: tokio_util::sync::CancellationToken::new(),
host_context: Some(&host),
log_sink: None,
};
let result = step.run(&ctx).await.unwrap();
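
Review bot: the `log_sink: None,` line keeps this test on the buffered fallback path, so the `step.run(&ctx).await.unwrap()` that follows never reaches the streaming code the commit message describes. Since the field has to be written out in the context literal, every other test that builds this struct by hand needs the same one-line change; consider a small test helper that constructs the context with `log_sink: None` as the default, so the streaming tests can override just that field and future fields do not touch each literal. A short comment here noting that `None` deliberately selects buffered mode would also help the next reader.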