H11: PackCommand.swift (597 lines) has zero test coverage

[bguidolim]

Severity: HIGH

`PackCommand.swift` is the primary entry point for `mcs pack add/remove/update/list`. It contains security-critical URL validation (lines 37-49) that is the first defense against git argument injection. Zero test lines.

Must-test scenarios:

• URLs starting with `-` (argument injection)
• URLs with disallowed protocols
• Ref validation (`--flag` injection, `..` traversal)
• AddPack argument parsing
• RemovePack with non-existent pack
• ListPacks with empty registry

[bguidolim]

Addressed in PR #204. Added 41 tests across PackFetcherTests.swift and PackCommandTests.swift covering security-critical ref/identifier validation, argument parsing for all subcommands, and ListPacks.packStatus logic. Remaining gaps (end-to-end perform() testing, PackUpdater) are tracked as deferred items in the decision memory.