fix(security): resolve remaining oxlint findings #410

Merged: YogliB merged 5 commits into master from feature/oxlint-security-plugin on May 20, 2026

@YogliB (Collaborator) commented May 20, 2026

Summary

Fix the remaining real security findings in src/, suppress the intentional false positives with narrow inline comments, and keep the broad test/** security override so test-only filesystem and mock patterns stay quiet.

Changes

  • Replaced the shell-based command wrapper in src/utils.js with execFile-based execution.
  • Simplified repository parsing in src/index.js to remove the unsafe regex while preserving supported URL forms.
  • Restored directive loading and cache behavior in src/index.js after the parser cleanup.
  • Added narrow security-rule suppressions for the remaining false positives in src/index.js, src/bin.js, and src/utils.js.
  • Kept the test/** security override in .oxlintrc.json and updated test helpers to match the new command-execution shape.

Acknowledgments

Testing

How you verified this (commands, scenarios, or N/A):

  • Automated tests (bun run test)
  • Manual / CLI check if user-facing behavior changed
  • CI passes

Review notes

Breaking changes: none

Risks / rollout: The parser and command wrapper changes were validated with the focused test files and the full suite. The remaining lint suppressions are intentionally narrow and limited to known false positives.

Focus areas for reviewers: src/index.js parser and directive handling, src/utils.js command wrapper, and the test/** lint override in .oxlintrc.json.

Checklist

  • Error paths and exit codes considered where relevant
  • Help text, completions, or docs updated if user-facing strings changed
  • Squashed to a single commit
  • No unrelated drive-by changes

@YogliB changed the title from "feat(lint): add oxlint security plugin" to "fix(lint): silence false positives" May 20, 2026
@YogliB changed the title from "fix(lint): silence false positives" to "fix(security): resolve remaining oxlint findings" May 20, 2026
@YogliB merged commit 4ac99e4 into master May 20, 2026
7 checks passed
@YogliB deleted the feature/oxlint-security-plugin branch May 20, 2026 20:36
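
The Changes list mentions removing an unsafe regex from repository parsing. The following is an added example, not code from this pull request, of one regex-free way to parse a repository reference in linear time. The accepted forms (owner/repo shorthand, https URL, git@ SSH form), the default host, and the names `parseRepository` and `isSafeSegment` are assumptions.

```javascript
// Added example; accepted forms, default host and names are assumptions.
const MAX_INPUT_LENGTH = 256; // reject oversized input before scanning it

// Character-by-character allow-list: linear time, no backtracking.
function isSafeSegment(segment) {
  if (segment === "" || segment === "." || segment === "..") return false;
  for (const ch of segment) {
    const allowed =
      (ch >= "a" && ch <= "z") || (ch >= "A" && ch <= "Z") ||
      (ch >= "0" && ch <= "9") || ch === "-" || ch === "_" || ch === ".";
    if (!allowed) return false;
  }
  return true;
}

// Returns { host, owner, repo } or null when the input is not recognised.
function parseRepository(input) {
  if (typeof input !== "string" || input.length > MAX_INPUT_LENGTH) return null;
  let host = "github.com"; // assumed default for the owner/repo shorthand
  let path = input.trim();

  if (path.startsWith("https://")) {
    let url;
    try {
      url = new URL(path);
    } catch {
      return null;
    }
    // Credentials, query strings and fragments are not part of a repo reference.
    if (url.username || url.password || url.search || url.hash) return null;
    host = url.hostname;
    path = url.pathname.slice(1);
  } else if (path.startsWith("git@")) {
    const colon = path.indexOf(":");
    if (colon === -1) return null;
    host = path.slice("git@".length, colon);
    path = path.slice(colon + 1);
  }

  if (path.endsWith(".git")) path = path.slice(0, -".git".length);
  const parts = path.split("/");
  if (parts.length !== 2) return null;
  const [owner, repo] = parts;
  if (!host.split(".").every(isSafeSegment)) return null;
  if (!isSafeSegment(owner) || !isSafeSegment(repo)) return null;
  return { host, owner, repo };
}
```

Because the allow-list excludes shell metacharacters and path-traversal segments, values that pass it are also safer to hand to an `execFile` argument array or to join into a filesystem path.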