v6.9.3
osWatchProcess interpolated searchTerm into a shell `pgrep -f "..."` via
execSync, allowing command injection from a @payload-bound process name.
Switch to execFileSync('pgrep', ['-f', searchTerm]) (no shell) + a charset
guard on the search term.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
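
The change described above, as an added example that is not the project's own code: the shell-string form next to an execFileSync argv form with a charset guard. The allowlist regex, the helper names and the sample inputs are assumptions made here; the commit message does not state the actual charset.

```javascript
const { execFileSync } = require('node:child_process');

// Assumed allowlist: letters, digits and a few separators seen in process names.
// The first character may not be '-', so the term cannot be read as a pgrep option.
const SAFE_TERM = /^[A-Za-z0-9_.\/][A-Za-z0-9_.\/ -]{0,127}$/;

function isSafeSearchTerm(term) {
  return typeof term === 'string' && SAFE_TERM.test(term);
}

// Before (shape only, built as a string and never executed here):
// the term is spliced into a shell command line, so a quote ends the argument.
function legacyShellCommand(term) {
  return `pgrep -f "${term}"`;
}

// After: fixed argv, no shell. The term stays a single argument.
function pgrepArgv(term) {
  if (!isSafeSearchTerm(term)) {
    throw new TypeError('rejected process search term');
  }
  return ['-f', term];
}

// `run` is injectable so the logic can be exercised without pgrep installed.
function findPids(term, run = execFileSync) {
  const argv = pgrepArgv(term); // guard runs before any process is spawned
  try {
    const out = run('pgrep', argv, { encoding: 'utf8', timeout: 5000 });
    return out.split('\n').filter(Boolean).map(Number);
  } catch (err) {
    if (err.status === 1) return []; // pgrep exits 1 when nothing matches
    throw err;
  }
}

// Constructed inputs for illustration.
const benign = 'nginx';
const hostile = 'nginx"; echo INJECTED; "';
```

The guard also rejects a leading `-`, because removing the shell stops command injection but does not stop a term from being parsed as a pgrep option.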