fix(security): block " < > in cbm_validate_shell_arg

The Windows search path landed in 82a9052 wraps shell args in cmd.exe-
level "powershell -Command \"...'%s'...\"".  PowerShell's single quotes
hold the inner '%s' interpolation, but a literal " inside the user-
supplied value can close the cmd.exe outer quote.  With ' ; | & $ `
already blocked, that wouldn't reach RCE on its own — but < and > were
unblocked, so a quote-break followed by cmd.exe redirection (e.g.
*">C:\evil.txt") would expose a file-write primitive.

Block " < > unconditionally.  The validator's contract is "safe inside
single quotes for shell interpolation"; on POSIX these aren't strictly
necessary (single quotes hold), but on Windows the cmd.exe→powershell
wrapping makes them load-bearing, and unconditional blocking keeps the
validator simple — no ifdef-laddered policy and no surprises if a future
caller invokes it from a different shell context.

Three tests added to tests/test_security.c covering each new char.

Author: DeusData

src/foundation/str_util.c

@@ -249,11 +249,14 @@ bool cbm_validate_shell_arg(const char *s) {
     for (const char *p = s; *p; p++) {
         switch (*p) {
         case '\'':
+        case '"':
         case ';':
         case '|':
         case '&':
         case '$':
         case '`':
+        case '<':
+        case '>':
         case '\n':
         case '\r':
 #ifndef _WIN32

src/foundation/str_util.h

@@ -49,7 +49,11 @@ char *cbm_str_strip_ext(CBMArena *a, const char *path);
 char **cbm_str_split(CBMArena *a, const char *s, char delim, int *out_count);
 
 /* Validate a string is safe for shell interpolation inside single quotes.
- * Rejects: ' ; | & $ ` \n \r \0 (embedded NULs via len check).
+ * Rejects: ' " ; | & $ ` < > \n \r \0 (embedded NULs via len check).
+ * The Windows search path wraps shell args in cmd.exe-level "powershell -Command
+ * \"...'%s'...\"", so " can close the cmd.exe outer quote even if PowerShell's
+ * single quotes hold; < > would then become cmd.exe redirection (file-write
+ * primitive). Blocking these unconditionally hardens both POSIX and Windows.
  * Returns true if safe, false if the string contains shell metacharacters. */
 bool cbm_validate_shell_arg(const char *s);
 

tests/test_security.c

@@ -75,6 +75,24 @@ TEST(shell_rejects_null) {
     PASS();
 }
 
+TEST(shell_rejects_double_quote) {
+    /* On Windows, the search code path wraps args in cmd.exe-level
+     * "powershell -Command \"...'%s'...\"". A " in the input would close
+     * the cmd.exe outer quote. Block unconditionally. */
+    ASSERT_FALSE(cbm_validate_shell_arg("foo\"bar"));
+    PASS();
+}
+
+TEST(shell_rejects_redirect_out) {
+    ASSERT_FALSE(cbm_validate_shell_arg("foo>out.txt"));
+    PASS();
+}
+
+TEST(shell_rejects_redirect_in) {
+    ASSERT_FALSE(cbm_validate_shell_arg("foo<in.txt"));
+    PASS();
+}
+
 TEST(shell_accepts_clean_path) {
     ASSERT_TRUE(cbm_validate_shell_arg("/home/user/.local/bin/codebase-memory-mcp"));
     PASS();
@@ -364,6 +382,9 @@ SUITE(security) {
     RUN_TEST(shell_rejects_newline);
     RUN_TEST(shell_rejects_carriage_return);
     RUN_TEST(shell_rejects_null);
+    RUN_TEST(shell_rejects_double_quote);
+    RUN_TEST(shell_rejects_redirect_out);
+    RUN_TEST(shell_rejects_redirect_in);
     RUN_TEST(shell_accepts_clean_path);
     RUN_TEST(shell_accepts_spaces);
     RUN_TEST(shell_accepts_dots_dashes);