ABNF $steps does it need to access through outputs?

Open adamaltman opened this issue 5 months ago • 0 comments

  1. Should ABNF restrict references to outputs for runtime expressions using $steps?
    • Current Situation: The ABNF allows any name after $steps., enabling references like $steps.myGreatStep.response.body.foo.
    • Intended restriction: To promote consistency and prevent unintended data access, should the ABNF be modified to restrict references exclusively to outputs (e.g., $steps.myGreatStep.outputs.foo)?
  2. Is the spec example correct?
    • Issue: The example $steps.someStep.pets does not include outputs, which seems inconsistent with the intended pattern. (And it also doesn't include a reference to body, header, etc...)
    • Clarification needed: Should the example be updated to include outputs, making it $steps.someStep.outputs.pets to align with the intended usage?
  3. Implications of not restricting to outputs
    • Potential risks: Allowing flexible references might lead to accessing sensitive or unintended data from other parts of the step’s data structure.
    • Best practices: Is it advisable to enforce a stricter ABNF definition to ensure that all necessary data is funneled through outputs for better control and security?

Supporting info

From the spec:

Step output value | $steps.someStep.pets | In situations where the output named property return payloads, references may be made to portions of the response body or the entire body.

From an issue comment

whatever you have to back must be returned via the workflow outputs

Comment by: @frankkilcommins

adamaltman, Sep 14 '24 21:09
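Added example, not part of the issue or of the Arazzo specification: a small linter that walks a parsed workflow and reports every `$steps` reference that is not of the form `$steps.<stepId>.outputs.<name>`, or that names an output the step never declared. The two regular expressions, the `NAME` character set, the function names and the sample workflow are assumptions constructed for illustration; they model the restriction proposed above and are not the spec's ABNF.

```python
import re

# Assumed grammars for this example (not quoted from the spec):
#   permissive: "$steps." name *( "." name )      any dotted path
#   strict:     "$steps." stepId ".outputs." name
NAME = r"[A-Za-z0-9_\-]+"
PERMISSIVE = re.compile(rf"\$steps\.{NAME}(?:\.{NAME})*")
STRICT = re.compile(rf"\$steps\.(?P<step>{NAME})\.outputs\.(?P<output>{NAME})")

def iter_strings(node, path="$"):
    """Yield (location, string) for every string value in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint_steps_refs(workflow):
    """Report $steps references that bypass outputs or use an undeclared output."""
    declared = {s["stepId"]: set(s.get("outputs", {})) for s in workflow.get("steps", [])}
    findings = []
    for location, text in iter_strings(workflow):
        for match in PERMISSIVE.finditer(text):
            expr = match.group(0)
            strict = STRICT.fullmatch(expr)
            if strict is None:
                findings.append((location, expr, "not routed through outputs"))
            elif strict["output"] not in declared.get(strict["step"], set()):
                findings.append((location, expr, "output not declared by step"))
    return findings

# Constructed sample, shaped like an Arazzo workflow object.
SAMPLE = {
    "workflowId": "adoptPet",
    "steps": [
        {"stepId": "someStep", "operationId": "findPets",
         "outputs": {"pets": "$response.body"}},
        {"stepId": "adopt", "operationId": "adoptPet", "parameters": [
            {"name": "petId", "in": "path", "value": "$steps.someStep.outputs.pets"},
            {"name": "raw", "in": "query", "value": "$steps.someStep.response.body.foo"},
            {"name": "tag", "in": "query", "value": "$steps.someStep.pets"},
            {"name": "owner", "in": "query", "value": "$steps.someStep.outputs.owner"},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in lint_steps_refs(SAMPLE):
        print(*finding, sep="  |  ")
```

Under the strict form, a step's `outputs` map becomes the only surface other steps can read, so reviewing that map is enough to see what data leaves a step.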