🛡️ Sentinel: [CRITICAL] Fix command injection in VS Code extension

[raccioly]

🚨 Severity: CRITICAL
💡 Vulnerability: The VS Code extension used execSync with concatenated string arguments, which allowed command injection if the workspaceDir path contained shell metacharacters like ;, &&, or ||.
🎯 Impact: If a user opened a maliciously crafted folder name in VS Code, an attacker could achieve arbitrary Remote Code Execution (RCE) on the developer's machine with their permissions.
🔧 Fix:

• Replaced execSync with execFileSync.
• Implemented a robust parseArgs function to correctly tokenize the command string arguments into an array.
• Directly executed the .mjs script via node where possible, avoiding Windows .cmd wrappers which fall back to shell execution.
• Added a fallback to npx.cmd explicitly on Windows if the node_modules script wasn't found.
  ✅ Verification:
• Checked the extension using node -c.
• Ensured all 61 tests across 30 suites pass successfully (node --test tests/*.test.mjs).

---

PR created automatically by Jules for task 9493210260264761375 started by @raccioly

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.