fix: remove unsafe eval usage in WebSocket connection script

Replace eval-based command construction with direct conditional execution
to prevent potential command injection if auth tokens contain special characters.
This addresses the security concern raised by Copilot review.

Change-Id: Ie1fbef35efd122502fa1d946fbd1bc268a3badb6
Signed-off-by: Thomas Kosiewski <tk@coder.com>

Author: ThomasK33

scripts/lib_ws_persistent.sh

@@ -41,18 +41,15 @@ ws_connect() {
   # 1. Reads JSON requests from request_file
   # 2. Writes all server responses to response_file
   (
-    # Build websocat command with optional auth header
-    local websocat_cmd="websocat -t"
-
+    # Note: The -E flag makes websocat exit when the file is closed
     if [ -n "$auth_token" ]; then
-      websocat_cmd="$websocat_cmd --header 'x-claude-code-ide-authorization: $auth_token'"
+      # Use websocat with auth header - avoid eval by constructing command safely
+      tail -f "$request_file" | websocat -t --header "x-claude-code-ide-authorization: $auth_token" "$url" | tee -a "$response_file" >"$log_file" &
+    else
+      # Use websocat without auth header
+      tail -f "$request_file" | websocat -t "$url" | tee -a "$response_file" >"$log_file" &
     fi
 
-    websocat_cmd="$websocat_cmd '$url'"
-
-    # Note: The -E flag makes websocat exit when the file is closed
-    tail -f "$request_file" | eval "$websocat_cmd" | tee -a "$response_file" >"$log_file" &
-
     # Save PID
     echo $! >"$pid_file"