Fix shell injection in SSH key generation via email input

[Copilot]

User-supplied email was interpolated directly into the ssh-keygen shell command string, allowing shell metacharacters (;, $(...), backticks) to execute arbitrary commands. The passphrase was already handled safely via env var — email wasn't.

Changes

• src/steps/ssh.js: Pass email through SSH_KEYGEN_EMAIL env variable instead of interpolating into the command string

  // Before
  `ssh-keygen -t rsa -b 4096 -C "${email}" -f "${keyFile}" -N "$SSH_KEYGEN_PASSPHRASE"`
  // After
  `ssh-keygen -t rsa -b 4096 -C "$SSH_KEYGEN_EMAIL" -f "${keyFile}" -N "$SSH_KEYGEN_PASSPHRASE"`,
  { env: { ...process.env, SSH_KEYGEN_EMAIL: email, SSH_KEYGEN_PASSPHRASE: passphrase } }

• tests/ssh.test.js: Updated existing assertions to verify email appears in env rather than the command string; added a dedicated injection prevention test using a malicious email value (evil@example.com; echo "injected")

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[ChangeHow]

@copilot if you not use email variable bebind, you might need to remove it? also check the test cases that refer to the variable.

[Copilot]

The email variable is still used — it's passed as the value of SSH_KEYGEN_EMAIL in the env object on line 46: { env: { ...process.env, SSH_KEYGEN_EMAIL: email, ... } }. The isCancel(email) guard on line 30 is also still needed to handle user cancellation. The tests likewise correctly reference email through the env assertions (e.g. expect.objectContaining({ SSH_KEYGEN_EMAIL: "test@example.com" })). Nothing needs to be removed.