fix: MCP server executeCommand claims PROJECT_ROOT restriction not enforced #3216

@mrveiss

Context

Discovered during code review of PR #3183 (CodeQL fixes for #3164).

Problem

In .mcp/autobot-mcp-server.js, PR #3183 added a comment to executeCommand():

"Utility methods — commands are always hardcoded strings from this server, never from user/environment input. Shell is restricted to PROJECT_ROOT."

And a CodeQL suppression: // codeql-suppress js/shell-command-injection-from-environment

However, executeCommand() does not enforce any cwd restriction. It accepts ...options as a spread parameter, allowing callers to override cwd or any other execSync option. The restriction relies entirely on caller discipline (all ~20 callers currently pass { cwd: PROJECT_ROOT } manually).

Additional issue

The // codeql-suppress comment format is not recognized by GitHub's CodeQL engine. The correct format is // lgtm[js/shell-command-injection-from-environment] (legacy) or SARIF-based suppression via .github/codeql config.

Expected behavior

Either:

  1. Enforce cwd: PROJECT_ROOT inside executeCommand() and strip/ignore cwd from the options spread, or
  2. Correct the comment to say "callers are expected to pass PROJECT_ROOT" rather than claiming the function restricts it

Also fix the suppression comment to use a valid CodeQL suppression syntax.

Files

  • .mcp/autobot-mcp-server.js
