#19016: fix(daemon): sanitize CRLF in schtasks batch script to prevent command injection
Labels: gateway · size: S
Cluster: Cross-Platform Fixes
## Problem
The `buildTaskScript` function in `src/daemon/schtasks.ts` generates Windows `.cmd` batch scripts with `set KEY=VALUE` and `rem` statements without sanitizing line breaks. In cmd.exe, CRLF terminates the current statement, so a `\r\n` sequence in an environment variable value or description breaks out of the `set`/`rem` command and injects arbitrary commands into the batch script.
This is a command injection vulnerability (CWE-78) with CVSS 7.8 (High).
Closes #18943
## Solution
- Added `sanitizeCmdLine()` function that strips `\r` and `\n` characters (replacing with a space) before interpolating values into batch script lines
- Applied sanitization to both `rem` (description) and `set` (environment key/value) statements in `buildTaskScript`
- The existing `quoteCmdArg` was already used for `cd /d` and command arguments but was missing from `set` statements — this fix addresses the gap
## Test Plan
- Added 5 unit tests for `sanitizeCmdLine()`:
  - Strips CRLF sequences
  - Strips lone CR and LF
  - Collapses multiple line breaks into a single space
  - Returns clean strings unchanged
  - Prevents command injection via CRLF in environment values
- All 17 tests in `schtasks.test.ts` pass
- Verified with `npx vitest run src/daemon/schtasks.test.ts`
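The hazard and the fix described above, as an added example (not the project's code from `src/daemon/schtasks.ts`): `buildScript`, `statementCount` and the `TaskSpec` shape are hypothetical, `quoteCmdArg` is an assumed stand-in for the project's helper, and the sample task spec is constructed. The point it makes is that quoting does not help against line breaks in cmd.exe, only stripping them does.

```typescript
// Replace any run of CR/LF characters with a single space, so a value
// can never terminate the `set`/`rem` statement it is interpolated into.
function sanitizeCmdLine(value: string): string {
  return value.replace(/[\r\n]+/g, " ");
}

// Assumed quoting helper (the page names quoteCmdArg but does not show it):
// double-quote the argument and double any embedded quotes for cmd.exe.
// Note that cmd.exe still ends the line at CR/LF inside the quotes.
function quoteCmdArg(value: string): string {
  return `"${value.replace(/"/g, '""')}"`;
}

interface TaskSpec {
  description: string;
  env: Record<string, string>;
  workingDir: string;
  program: string;
  args: string[];
}

// Hypothetical script builder. sanitize=false reproduces the pre-fix
// behaviour; sanitize=true runs sanitizeCmdLine before any quoting.
function buildScript(spec: TaskSpec, sanitize: boolean): string {
  const clean = (s: string) => (sanitize ? sanitizeCmdLine(s) : s);
  const lines: string[] = ["@echo off", `rem ${clean(spec.description)}`];
  for (const [key, val] of Object.entries(spec.env)) {
    lines.push(`set ${clean(key)}=${clean(val)}`);
  }
  lines.push(`cd /d ${quoteCmdArg(clean(spec.workingDir))}`);
  const cmd = [spec.program, ...spec.args].map((a) => quoteCmdArg(clean(a)));
  lines.push(cmd.join(" "));
  return lines.join("\r\n") + "\r\n";
}

// Defender-side check: a script built from N statements must contain
// exactly N non-empty lines; any extra line came from a value.
function statementCount(script: string): number {
  return script.split(/\r\n|\r|\n/).filter((l) => l.length > 0).length;
}
```

A unit test that asserts `statementCount` equals the number of statements the builder emitted catches any future interpolation point that forgets the sanitizer.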
### Greptile Summary
This PR fixes a CRLF command injection vulnerability (CWE-78) in the Windows `schtasks` batch script generator. The `buildTaskScript` function in `src/daemon/schtasks.ts` interpolates user-controlled values into `.cmd` batch scripts without sanitizing line breaks. Since `cmd.exe` treats CRLF as a statement terminator, a `\r\n` in an environment variable value, description, working directory, or program argument could inject arbitrary commands.
- Adds `sanitizeCmdLine()` which replaces `\r`/`\n` sequences with a single space
- Applies sanitization to all interpolation points in `buildTaskScript`: `rem` (description), `set` (env key/value), `cd /d` (working directory), and program arguments
- Sanitization is applied before `quoteCmdArg` so that line breaks are stripped before quoting logic runs
- Adds 5 unit tests covering CRLF, lone CR/LF, collapse behavior, clean string passthrough, and injection prevention
### Confidence Score: 4/5
- This PR is a well-scoped security fix that is safe to merge.
- The change is narrowly focused on a real CRLF injection vector. The sanitization function is simple and correct (regex replacing newline characters with spaces). All interpolation points in buildTaskScript are now covered. Unit tests validate the sanitizer's behavior. The fix does not alter control flow or introduce regressions — it only strips characters that should never appear in these values.
- No files require special attention.
Last reviewed commit: 9259183