
fix: quote $ARGUMENTS in shell invocations #19

Open
xiaolai wants to merge 1 commit into ChrisWiles:main from xiaolai:fix/nlpm-quote-arguments

@xiaolai xiaolai commented Apr 22, 2026


Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.

Security Finding (Low)

Two commands embed $ARGUMENTS unquoted in shell code blocks:

.claude/commands/pr-review.md

gh pr view $ARGUMENTS
gh pr diff $ARGUMENTS

.claude/commands/code-quality.md

npm run lint -- $ARGUMENTS

When the shell (or AI-generated shell invocation) expands an unquoted variable, any whitespace or metacharacters in the value cause word-splitting. This means $ARGUMENTS containing spaces produces multiple tokens instead of one argument, which can:

  • Bypass the Bash(gh:*) restriction intent (extra tokens are separate arguments)
  • Inject unintended flags into npm run lint

Fix

Wrap the variable in double quotes in both files:

-   - Run `gh pr view $ARGUMENTS` to get PR details
-   - Run `gh pr diff $ARGUMENTS` to see changes
+   - Run `gh pr view "$ARGUMENTS"` to get PR details
+   - Run `gh pr diff "$ARGUMENTS"` to see changes
-   npm run lint -- $ARGUMENTS
+   npm run lint -- "$ARGUMENTS"
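Review bot: the six lines above fold edits to two different files (pr-review.md and code-quality.md) into one block with no file or hunk headers, so a reader cannot tell where one file's `-`/`+` pairs end and the other's begin; present them as two blocks, one per file. On the substance, quoting turns `"$ARGUMENTS"` into exactly one word, so an invocation that relied on passing several lint targets or flags through `npm run lint -- $ARGUMENTS` would now hand them to lint as a single argument. The description says behaviour is unchanged for well-formed input; "well-formed" here means single-token, and the command's markdown should say so. Note also that these lines are prose instructions the agent reproduces rather than a script the shell runs directly, so the quoting only takes effect when the agent copies the invocation verbatim.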

This is a minimal, targeted fix with no change to command behavior for well-formed input.

Unquoted \$ARGUMENTS in shell contexts is a word-splitting risk: if the
AI constructs input containing spaces or shell metacharacters, the shell
expands it into multiple tokens rather than treating it as a single
argument, which can bypass tool restrictions or inject extra flags.

- pr-review.md: gh pr view/diff "\$ARGUMENTS"
- code-quality.md: npm run lint -- "\$ARGUMENTS"

Co-Authored-By: Claude Code <noreply@anthropic.com>
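The word-splitting the PR describes, shown as an added example that is not part of the PR or of the repository it targets. It expands a constructed sample value unquoted and quoted and counts the arguments a command receives in each case, then runs a small line-level check for the unquoted pattern over a constructed sample file that mirrors the two snippets in the PR. `SAMPLE_ARGUMENTS`, the sample file, and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the PR or the repository it targets.
# SAMPLE_ARGUMENTS and the sample file below are constructed.

# Echo how many positional parameters this function was called with.
count_args() {
    echo "$#"
}

# Constructed stand-in for a value the agent might place in $ARGUMENTS:
# a PR number followed by whitespace and a flag-like token.
SAMPLE_ARGUMENTS='123 --web'

# Unquoted expansion: the shell splits the value on whitespace, so the
# command receives two separate arguments (the defect the PR fixes).
args_unquoted() {
    # Intentionally unquoted to show the split.
    # shellcheck disable=SC2086
    count_args $SAMPLE_ARGUMENTS
}

# Quoted expansion: the value reaches the command as a single argument.
args_quoted() {
    count_args "$SAMPLE_ARGUMENTS"
}

# Lint-style check: count lines that mention $ARGUMENTS without wrapping it
# in double quotes. Line-level heuristic: a line containing both a quoted
# and an unquoted occurrence is skipped. Prints the count; 0 means clean.
count_unquoted_arguments() {
    grep -v '"\$ARGUMENTS"' "$1" | grep -c '\$ARGUMENTS' || true
}

# Build a constructed sample file with two unquoted lines and one line that
# is already quoted, run the check on it, and clean up.
check_sample_file() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
- Run `gh pr view $ARGUMENTS` to get PR details
- Run `gh pr diff "$ARGUMENTS"` to see changes
npm run lint -- $ARGUMENTS
EOF
    count_unquoted_arguments "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: prints 2, 1, 2 on successive lines.
args_unquoted
args_quoted
check_sample_file
```

The first two counts are the whole point of the fix: the same value yields two arguments unquoted and one argument quoted. The check function is the kind of rule a linter such as the one that generated this PR could apply to command files before they are handed to an agent.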