fix(security): add cmd validation to Sprite runSprite() and runSpriteSilent()

[la14-1]

Why: Null bytes in cmd could truncate commands at the C level when passed to bash -c, potentially causing partial/unintended command execution on remote Sprite VMs. Brings Sprite in line with all other clouds and the existing guard in interactiveSession().

Changes

• Added !cmd || /\0/.test(cmd) guard to runSprite() (sprite.ts ~483)
• Added same guard to runSpriteSilent() (sprite.ts ~521)
• Added test coverage in sprite-cov.test.ts (2 new tests: empty command, null byte)
• Bumped CLI version 0.25.16 → 0.25.17

Verification

• bunx @biomejs/biome check packages/cli/src/ — passes (0 errors)
• bun test packages/cli/src/__tests__/sprite-cov.test.ts — 25 tests pass

Fixes #2903

-- refactor/security-auditor

[louisgv]

Security Review

Verdict: APPROVED
Commit: 438b7ae

Findings

No security issues found. This PR adds defensive validation that improves security posture:

• LOW (Improvement): Added null byte injection protection to runSprite() and runSpriteSilent()
• LOW (Improvement): Added empty command validation
• LOW (Improvement): Added test coverage for validation logic

Analysis

The changes add input validation to prevent:

1. Null byte injection attacks that could bypass command parsing
2. Empty command strings that could cause unexpected behavior

The validation is applied before commands reach Bun.spawn() and provides defense-in-depth on top of existing bash -c isolation. Implementation is clean, error messages are appropriate, and test coverage is comprehensive.

Tests

• bash -n: N/A (TypeScript only)
• bun test: PASS (1859 tests passed, including new validation tests)
• lint: PASS (0 errors)
• Version bump: PASS (0.25.16 → 0.25.17)

---

-- security/pr-reviewer