fix: address PR review comments for alias system

Use yq strenv() for safe variable passing instead of string interpolation
to prevent injection via alias names/values. Validate alias names against
^[a-zA-Z0-9_-]+$. Use (.value | tostring) for robust alias listing. Fix
glob expansion in alias resolution with read -r -a. Add e2e test coverage
for alias set, list, remove, and invalid name rejection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Ebonsignori

src/crabcode

@@ -309,7 +309,7 @@ resolve_command_aliases() {
   fi
 
   local resolved
-  resolved=$(yq -r ".aliases.\"$cmd\" // \"\"" "$GLOBAL_CONFIG" 2>/dev/null)
+  resolved=$(cmd="$cmd" yq -r '.aliases.[strenv(cmd)] // ""' "$GLOBAL_CONFIG" 2>/dev/null)
   if [ -n "$resolved" ] && [ "$resolved" != "null" ]; then
     echo "$resolved"
     return 0
@@ -8047,7 +8047,7 @@ handle_alias_command() {
       fi
 
       local aliases
-      aliases=$(yq -r '.aliases // {} | to_entries[] | .key + " → " + .value' "$GLOBAL_CONFIG" 2>/dev/null)
+      aliases=$(yq -r '.aliases // {} | to_entries[] | .key + " → " + (.value | tostring)' "$GLOBAL_CONFIG" 2>/dev/null)
       if [ -z "$aliases" ]; then
         echo -e "${YELLOW}No aliases configured.${NC}"
         echo ""
@@ -8071,6 +8071,12 @@ handle_alias_command() {
         error "Usage: crab alias set <name> <command...>"
         exit 1
       fi
+      # Validate alias name
+      if ! [[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+        error "Invalid alias name '$name'. Use only letters, numbers, hyphens, and underscores."
+        exit 1
+      fi
+
       shift 2
       local value="$*"
       if [ -z "$value" ]; then
@@ -8084,7 +8090,7 @@ handle_alias_command() {
         echo "{}" > "$GLOBAL_CONFIG"
       fi
 
-      yq -i ".aliases.\"$name\" = \"$value\"" "$GLOBAL_CONFIG"
+      NAME="$name" VALUE="$value" yq -i '.aliases.[strenv(NAME)] = strenv(VALUE)' "$GLOBAL_CONFIG"
       echo -e "${GREEN}Alias set:${NC} $name → $value"
       ;;
     "rm"|"remove"|"delete")
@@ -8100,13 +8106,13 @@ handle_alias_command() {
       fi
 
       local existing
-      existing=$(yq -r ".aliases.\"$name\" // \"\"" "$GLOBAL_CONFIG" 2>/dev/null)
+      existing=$(NAME="$name" yq -r '.aliases.[strenv(NAME)] // ""' "$GLOBAL_CONFIG" 2>/dev/null)
       if [ -z "$existing" ] || [ "$existing" = "null" ]; then
         error "Alias '$name' not found"
         exit 1
       fi
 
-      yq -i "del(.aliases.\"$name\")" "$GLOBAL_CONFIG"
+      NAME="$name" yq -i 'del(.aliases.[strenv(NAME)])' "$GLOBAL_CONFIG"
 
       # Clean up empty aliases map
       local remaining
@@ -8144,9 +8150,9 @@ main() {
   # Resolve user-configured command aliases (before project + command dispatch)
   if resolved=$(resolve_command_aliases "${1:-}"); then
     shift
-    # Split resolved alias into words and prepend to remaining args
-    # shellcheck disable=SC2086
-    set -- $resolved "$@"
+    # Split resolved alias into words without glob expansion
+    read -r -a resolved_parts <<<"$resolved"
+    set -- "${resolved_parts[@]}" "$@"
   fi
 
   # For project-aware commands, resolve project (cwd-first, then default)

tests/e2e/run_e2e.sh

@@ -423,6 +423,57 @@ rm -rf test-share-dir
 
 echo ""
 
+# =============================================================================
+# Test 12: Command Aliases
+# =============================================================================
+
+log "Testing command aliases..."
+
+# List aliases (should be empty initially)
+run_test "crab alias (empty)" \
+  "crab alias" \
+  "No aliases configured"
+
+# Set a single-word alias
+run_test "crab alias set (single word)" \
+  "crab alias set cu cleanup" \
+  "Alias set.*cu.*cleanup"
+
+# List aliases (should show the alias)
+run_test "crab alias (lists alias)" \
+  "crab alias" \
+  "cu.*cleanup"
+
+# Set a multi-word alias
+run_test "crab alias set (multi-word)" \
+  "crab alias set wn 'ws new'" \
+  "Alias set.*wn.*ws new"
+
+# List aliases (should show both)
+run_test "crab alias (lists multiple)" \
+  "crab alias" \
+  "cu.*cleanup"
+
+# Remove an alias
+run_test "crab alias rm" \
+  "crab alias rm cu" \
+  "Removed alias.*cu"
+
+# Verify removed alias is gone
+run_test "crab alias rm (alias removed)" \
+  "crab alias rm cu 2>&1" \
+  "not found"
+
+# Invalid alias name rejected
+run_test "crab alias set (invalid name rejected)" \
+  "crab alias set 'bad name!' cleanup 2>&1" \
+  "Invalid alias name"
+
+# Clean up remaining test alias
+crab alias rm wn 2>/dev/null || true
+
+echo ""
+
 # =============================================================================
 # Summary
 # =============================================================================