[REFACTOR] Replace source with value parsing for .vig-os config loading

[c-vigo]

Description

initialize.sh and version-check.sh both load .vig-os using source "$config_file", which executes the file as shell code. Since .vig-os is a simple key-value config (DEVCONTAINER_VERSION=X.Y.Z), it should be parsed as data rather than executed.

This reduces the attack surface if .vig-os is ever modified by an untrusted source (e.g. a compromised installer or user-edited workspace).

Flagged by Copilot review: vig-os/devcontainer-smoke-test#25

Files / Modules in Scope

• assets/workspace/.devcontainer/scripts/initialize.sh (function load_vig_os_config)
• assets/workspace/.devcontainer/scripts/version-check.sh (function get_current_version)

Out of Scope

• .vig-os file format (keep as-is: KEY=VALUE)
• CI workflows
• Smoke-test assets

Invariants / Constraints

• All existing tests must pass without modification
• Behavior must remain identical: DEVCONTAINER_VERSION is read from .vig-os and used the same way
• Both macOS and Linux sed paths in initialize.sh must still work

Acceptance Criteria

• Both scripts parse .vig-os with grep/cut (or equivalent) instead of source
• Invalid or unexpected content in .vig-os does not execute
• All existing tests pass
• TDD compliance (see .cursor/rules/tdd.mdc)

Changelog Category

No changelog needed

Additional Context

Pattern appears in two files with identical structure. Both were flagged independently by Copilot on vig-os/devcontainer-smoke-test#25.