Fix shell injection vulnerability in env_updater

[Copilot]

Addresses security issue where environment variable values were written to shell config files without escaping special characters, enabling command injection.

Changes:

• Added escape_shell_value() to escape backslash, double quotes, dollar signs, backticks, and newlines
• Applied escaping in update_in_file() and append_to_file() before writing values to .bashrc, .zshrc, etc.
• Added tests for individual special characters, combined edge cases, and injection attempts

Example:

// Before: vulnerable to injection
updater.update_env_var("SECRET", r#""; rm -rf /"#)?;
// Writes: export SECRET=""; rm -rf /"  ← executes command!

// After: properly escaped
updater.update_env_var("SECRET", r#""; rm -rf /"#)?;
// Writes: export SECRET="\"; rm -rf /"  ← safely stored as literal

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.