fix(init): run commands without shell to eliminate injection surface

[betegon]

Summary

• Replace spawn({ shell: true }) with direct executable invocation — command strings are split into [executable, ...args] and passed to spawn without a shell
• Eliminates shell injection as an attack vector entirely: metacharacters become harmless literal arguments when no shell interprets them
• The existing validateCommand() blocklist (metachar, env var, blocked executable checks) is retained as defense-in-depth

Addresses this review comment.

Test plan

• Updated tests to use /bin/echo and /usr/bin/false instead of shell builtins
• All existing run-commands tests pass (stdout capture, error handling, blocked commands, dry-run, batch validation)
• tsc --noEmit passes
• biome check passes

🤖 Generated with Claude Code

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

• (init) Add detect-sentry local-op for cross-language Sentry detection by betegon in #657
• (issue) Add sentry issue events command (feat: add sentry issue events command to list events for an issue #632) by BYK in #654

Bug Fixes 🐛

Init

• Run commands without shell to eliminate injection surface by betegon in #665

• Use opendir for listDir and validate symlinks during traversal by betegon in #663
• Rename 'Custom Metrics' feature label to 'Metrics' by MathurAditya724 in #659
• Add reactFeatures to feature display info by MathurAditya724 in #658
• Generate spinner messages from payload params instead of server detail by MathurAditya724 in #655

Other

• (errors) Separate informational notes from actionable alternatives in ContextError by BYK in #651
• Fix set-commits --auto, document release workflow pitfalls by BYK in #650

Internal Changes 🔧

• (init) Use mdKvTable and renderMarkdown for wizard summary by betegon in #661
• Regenerate skill files and command docs by github-actions[bot] in eb1b19e7

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

Codecov Results 📊

✅ 134 passed | Total: 134 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

Metric	Change
Total Tests	—
Passed Tests	—
Failed Tests	—
Skipped Tests	—

✨ No test changes detected

All tests are passing successfully.

✅ Patch coverage is 100.00%. Project has 1428 uncovered lines.
✅ Project coverage is 95.54%. Comparing base (base) to head (head).

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    95.53%    95.54%    +0.01%
==========================================
  Files          220       220         —
  Lines        31986     31986         —
  Branches         0         0         —
==========================================
+ Hits         30555     30558        +3
- Misses        1431      1428        -3
- Partials         0         0         —

---

Generated by Codecov Action