feat: refactor process argument handling to use ArgumentList for improved security and clarity across multiple commands

Author: liphvf

CLAUDE.md

@@ -259,7 +259,7 @@ FurLab settings db-servers set-password <name>
 - **No business logic in commands**: Commands parse input via `Settings`, then call the service method. Never put logic inside the `Execute` or `ExecuteAsync` method.
 - **One file per type**: Each `.cs` file should contain only one class, record, struct, or enum.
 - **Result pattern**: Return `OperationResult` / `OperationResult<T>` records — use `SuccessResult(...)` / `FailureResult(...)` factory methods
-- **External processes**: Always `UseShellExecute = false`, capture stdout/stderr via redirect — never shell out to `cmd.exe` or `powershell.exe`
+- **External processes**: Always `UseShellExecute = false`, capture stdout/stderr via redirect — never shell out to `cmd.exe` or `powershell.exe`. Pass arguments as `List<string>` (via `ProcessExecutionOptions.Arguments` or `ProcessStartInfo.ArgumentList`) — never as a single concatenated string and never via string interpolation (`$"..."`) to avoid command injection.
 - **Test naming**: `<MethodName>_<StateUnderTest>_<ExpectedBehavior>`
 - **Unit test attributes**: Use `[TestMethod(DisplayName = "<short description>")]` and `[Description("<detailed description>")]` on all test methods
 - **XML doc comments**: Required on all public members (enforced by `GenerateDocumentationFile true`)
@@ -285,14 +285,6 @@ O projeto usa o workflow **OpenSpec** para gerenciar features e mudanças:
 - **`openspec/changes/`** — mudanças em andamento
 - **`openspec/changes/archive/`** — mudanças implementadas e arquivadas
 
-## Recent Changes
-
-- migrate-cli-to-spectre-console-cli (2026-04-18): Migrated from `System.CommandLine` to `Spectre.Console.Cli` for better TUI support and cleaner command structure.
-- secure-credential-storage (2026-04-13): Implemented `ICredentialService` for encrypted storage of database passwords.
-- query-run-multi-server (2026-04-13): `query run` now supports executing scripts across multiple servers defined in settings.
-- docker-postgres (2026-04-05): Added `docker postgres` command.
-- opencode-default-model (2026-04-07): Define default model for OpenCode.
-
 ## Guard Rails (Agent Safety Protocol)
 
 > **Mandatory Rule:** This repository enforces a strict **Manual Confirmation Policy** for all state-changing Git operations.

FurLab.CLI/Commands/Claude/Install/ClaudeInstallCommand.cs

@@ -10,7 +10,10 @@ namespace FurLab.CLI.Commands.Claude.Install;
 /// </summary>
 public sealed class ClaudeInstallCommand : AsyncCommand<ClaudeInstallSettings>
 {
-    private const string WingetInstallArguments = "install --id Anthropic.ClaudeCode -e --accept-package-agreements --accept-source-agreements";
+    private static readonly List<string> WingetInstallArguments =
+    [
+        "install", "--id", "Anthropic.ClaudeCode", "-e", "--accept-package-agreements", "--accept-source-agreements"
+    ];
 
     /// <inheritdoc/>
     protected override Task<int> ExecuteAsync(CommandContext context, ClaudeInstallSettings settings, CancellationToken cancellation)
@@ -29,20 +32,23 @@ protected override Task<int> ExecuteAsync(CommandContext context, ClaudeInstallS
         return Task.FromResult(0);
     }
 
-    private static (int ExitCode, string Output, string Error) RunProcess(string fileName, string arguments)
+    private static (int ExitCode, string Output, string Error) RunProcess(string fileName, List<string> arguments)
     {
         try
         {
             using var process = new Process();
             process.StartInfo = new ProcessStartInfo
             {
                 FileName = fileName,
-                Arguments = arguments,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
                 UseShellExecute = false,
                 CreateNoWindow = true
             };
+            foreach (var arg in arguments)
+            {
+                process.StartInfo.ArgumentList.Add(arg);
+            }
 
             process.Start();
             var output = process.StandardOutput.ReadToEnd();

FurLab.CLI/Commands/Claude/Settings/McpDatabase/ClaudeSettingsMcpDatabaseCommand.cs

@@ -10,7 +10,10 @@ namespace FurLab.CLI.Commands.Claude.Settings.McpDatabase;
 /// </summary>
 public sealed class ClaudeSettingsMcpDatabaseCommand : AsyncCommand<ClaudeSettingsMcpDatabaseSettings>
 {
-    private const string McpDatabaseArguments = "mcp add --transport sse toolbox http://127.0.0.1:5000/mcp/sse --scope user";
+    private static readonly List<string> McpDatabaseArguments =
+    [
+        "mcp", "add", "--transport", "sse", "toolbox", "http://127.0.0.1:5000/mcp/sse", "--scope", "user"
+    ];
 
     /// <inheritdoc/>
     protected override Task<int> ExecuteAsync(CommandContext context, ClaudeSettingsMcpDatabaseSettings settings, CancellationToken cancellation)
@@ -19,20 +22,23 @@ protected override Task<int> ExecuteAsync(CommandContext context, ClaudeSettings
         return Task.FromResult(result.ExitCode);
     }
 
-    private static (int ExitCode, string Output, string Error) RunProcess(string fileName, string arguments)
+    private static (int ExitCode, string Output, string Error) RunProcess(string fileName, List<string> arguments)
     {
         try
         {
             using var process = new Process();
             process.StartInfo = new ProcessStartInfo
             {
                 FileName = fileName,
-                Arguments = arguments,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
                 UseShellExecute = false,
                 CreateNoWindow = true
             };
+            foreach (var arg in arguments)
+            {
+                process.StartInfo.ArgumentList.Add(arg);
+            }
 
             process.Start();
             var output = process.StandardOutput.ReadToEnd();

FurLab.CLI/Commands/Database/Backup/DatabaseBackupCommand.cs

@@ -181,7 +181,7 @@ private void BackupSingleDatabase(DatabaseBackupConfig config, DatabaseBackupSet
             throw new PostgresBinaryNotFoundException(FurLabConstants.PgDumpExecutable);
         }
 
-        var argumentList = BuildPgDumpArgumentList(config, settings, outputPath ?? string.Empty);
+        var arguments = BuildPgDumpArguments(config, settings, outputPath ?? string.Empty);
 
         var startInfo = new ProcessStartInfo
         {
@@ -191,7 +191,7 @@ private void BackupSingleDatabase(DatabaseBackupConfig config, DatabaseBackupSet
             UseShellExecute = false,
             CreateNoWindow = true
         };
-        foreach (var arg in argumentList)
+        foreach (var arg in arguments)
         {
             startInfo.ArgumentList.Add(arg);
         }
@@ -327,7 +327,7 @@ private void BackupSingleDatabaseInternal(DatabaseBackupConfig config, DatabaseB
             throw new PostgresBinaryNotFoundException(FurLabConstants.PgDumpExecutable);
         }
 
-        var argumentList = BuildPgDumpArgumentList(config, settings, config.OutputPath ?? string.Empty);
+        var arguments = BuildPgDumpArguments(config, settings, config.OutputPath ?? string.Empty);
 
         var startInfo = new ProcessStartInfo
         {
@@ -337,7 +337,7 @@ private void BackupSingleDatabaseInternal(DatabaseBackupConfig config, DatabaseB
             UseShellExecute = false,
             CreateNoWindow = true
         };
-        foreach (var arg in argumentList)
+        foreach (var arg in arguments)
         {
             startInfo.ArgumentList.Add(arg);
         }
@@ -373,7 +373,7 @@ private void BackupSingleDatabaseInternal(DatabaseBackupConfig config, DatabaseB
         }
     }
 
-    private List<string> BuildPgDumpArgumentList(DatabaseBackupConfig config, DatabaseBackupSettings settings, string outputPath)
+    private List<string> BuildPgDumpArguments(DatabaseBackupConfig config, DatabaseBackupSettings settings, string outputPath)
     {
         var format = settings.Format ?? "c";
         var arguments = new List<string>

FurLab.CLI/Commands/Database/Restore/DatabaseRestoreCommand.cs

@@ -252,7 +252,7 @@ private void RestoreSingleDatabase(DatabaseRestoreConfig config, DatabaseRestore
 
         CreateDatabaseIfNeeded(config.Host, config.Port, config.Username ?? string.Empty, password, config.DatabaseName);
 
-        var argumentList = BuildPgRestoreArgumentList(config, settings, fullPath);
+        var arguments = BuildPgRestoreArguments(config, settings, fullPath);
 
         var startInfo = new ProcessStartInfo
         {
@@ -262,7 +262,7 @@ private void RestoreSingleDatabase(DatabaseRestoreConfig config, DatabaseRestore
             UseShellExecute = false,
             CreateNoWindow = true
         };
-        foreach (var arg in argumentList)
+        foreach (var arg in arguments)
         {
             startInfo.ArgumentList.Add(arg);
         }
@@ -410,7 +410,7 @@ private void RestoreSingleDatabaseInternal(DatabaseRestoreConfig config, Databas
 
         CreateDatabaseIfNeeded(config.Host, config.Port, config.Username ?? string.Empty, config.Password ?? string.Empty, config.DatabaseName);
 
-        var argumentList = BuildPgRestoreArgumentList(config, settings, config.InputFile ?? string.Empty);
+        var arguments = BuildPgRestoreArguments(config, settings, config.InputFile ?? string.Empty);
 
         var startInfo = new ProcessStartInfo
         {
@@ -420,7 +420,7 @@ private void RestoreSingleDatabaseInternal(DatabaseRestoreConfig config, Databas
             UseShellExecute = false,
             CreateNoWindow = true
         };
-        foreach (var arg in argumentList)
+        foreach (var arg in arguments)
         {
             startInfo.ArgumentList.Add(arg);
         }
@@ -578,7 +578,7 @@ private void CreateDatabaseIfNeeded(string host, string port, string username, s
     /// <param name="settings">The command settings.</param>
     /// <param name="filePath">The path to the dump file.</param>
     /// <returns>The formatted argument string for pg_restore.</returns>
-    private List<string> BuildPgRestoreArgumentList(DatabaseRestoreConfig config, DatabaseRestoreSettings settings, string filePath)
+    private List<string> BuildPgRestoreArguments(DatabaseRestoreConfig config, DatabaseRestoreSettings settings, string filePath)
     {
         var arguments = new List<string>
         {

FurLab.CLI/Commands/OpenCode/Settings/DefaultModel/OpenCodeSettingsDefaultModelCommand.cs

@@ -152,25 +152,34 @@ public static IReadOnlyList<string> GetAvailableModels()
         try
         {
             using var process = new Process();
-            process.StartInfo = executable.EndsWith(".ps1", StringComparison.OrdinalIgnoreCase)
-                ? new ProcessStartInfo
+            if (executable.EndsWith(".ps1", StringComparison.OrdinalIgnoreCase))
+            {
+                process.StartInfo = new ProcessStartInfo
                 {
                     FileName = "pwsh.exe",
-                    Arguments = $"-NonInteractive -NoProfile -File \"{executable}\" models",
                     RedirectStandardOutput = true,
                     RedirectStandardError = true,
                     UseShellExecute = false,
                     CreateNoWindow = true
-                }
-                : new ProcessStartInfo
+                };
+                process.StartInfo.ArgumentList.Add("-NonInteractive");
+                process.StartInfo.ArgumentList.Add("-NoProfile");
+                process.StartInfo.ArgumentList.Add("-File");
+                process.StartInfo.ArgumentList.Add(executable);
+                process.StartInfo.ArgumentList.Add("models");
+            }
+            else
+            {
+                process.StartInfo = new ProcessStartInfo
                 {
                     FileName = executable,
-                    Arguments = "models",
                     RedirectStandardOutput = true,
                     RedirectStandardError = true,
                     UseShellExecute = false,
                     CreateNoWindow = true
                 };
+                process.StartInfo.ArgumentList.Add("models");
+            }
 
             process.Start();
             var output = process.StandardOutput.ReadToEnd();

FurLab.CLI/Commands/WindowsFeatures/Export/WindowsFeaturesExportCommand.cs

@@ -43,13 +43,15 @@ private static List<string> GetEnabledFeatures()
             StartInfo = new ProcessStartInfo
             {
                 FileName = "dism.exe",
-                Arguments = "/online /get-features /format:list",
                 UseShellExecute = false,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
                 CreateNoWindow = true
             }
         };
+        process.StartInfo.ArgumentList.Add("/online");
+        process.StartInfo.ArgumentList.Add("/get-features");
+        process.StartInfo.ArgumentList.Add("/format:list");
 
         process.Start();
         var output = process.StandardOutput.ReadToEnd();

FurLab.CLI/Commands/WindowsFeatures/Import/WindowsFeaturesImportCommand.cs

@@ -35,7 +35,7 @@ protected override Task<int> ExecuteAsync(CommandContext context, WindowsFeature
         foreach (var feature in exportData.Features)
         {
             Console.Write($"Enabling {feature}... ");
-            var result = RunDismCommand($"/online /enable-feature /featurename:{feature} /All");
+            var result = RunDismCommand(["/online", "/enable-feature", $"/featurename:{feature}", "/All"]);
             if (result == 0)
             {
                 Console.WriteLine("OK");
@@ -57,20 +57,23 @@ protected override Task<int> ExecuteAsync(CommandContext context, WindowsFeature
         return Task.FromResult(failCount > 0 ? 1 : 0);
     }
 
-    private static int RunDismCommand(string arguments)
+    private static int RunDismCommand(List<string> arguments)
     {
         var process = new Process
         {
             StartInfo = new ProcessStartInfo
             {
                 FileName = "dism.exe",
-                Arguments = arguments,
                 UseShellExecute = true,
                 RedirectStandardOutput = false,
                 RedirectStandardError = false,
                 CreateNoWindow = false
             }
         };
+        foreach (var arg in arguments)
+        {
+            process.StartInfo.ArgumentList.Add(arg);
+        }
 
         process.Start();
         process.WaitForExit();

FurLab.CLI/Commands/WindowsFeatures/List/WindowsFeaturesListCommand.cs

@@ -19,13 +19,15 @@ protected override Task<int> ExecuteAsync(CommandContext context, WindowsFeature
             StartInfo = new ProcessStartInfo
             {
                 FileName = "dism.exe",
-                Arguments = "/online /get-features /format:table",
                 UseShellExecute = false,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
                 CreateNoWindow = true
             }
         };
+        process.StartInfo.ArgumentList.Add("/online");
+        process.StartInfo.ArgumentList.Add("/get-features");
+        process.StartInfo.ArgumentList.Add("/format:table");
 
         process.Start();
 

FurLab.CLI/Commands/Winget/Backup/WingetBackupCommand.cs

@@ -23,14 +23,18 @@ protected override Task<int> ExecuteAsync(CommandContext context, WingetBackupSe
             StartInfo = new ProcessStartInfo
             {
                 FileName = "winget",
-                Arguments = $"export -o \"{backupPath}\" --source winget",
                 UseShellExecute = false,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
                 CreateNoWindow = true,
                 StandardOutputEncoding = Encoding.UTF8
             }
         };
+        process.StartInfo.ArgumentList.Add("export");
+        process.StartInfo.ArgumentList.Add("-o");
+        process.StartInfo.ArgumentList.Add(backupPath);
+        process.StartInfo.ArgumentList.Add("--source");
+        process.StartInfo.ArgumentList.Add("winget");
 
         process.Start();