SanitizeEnv() only removed control characters but not shell
metacharacters. A malicious repo name could execute arbitrary commands
via environment variable injection (e.g. backticks, $(), semicolons).
Add stripShellMeta() to strip backticks, dollar signs, semicolons,
pipes, ampersands, and other shell-significant characters from values
passed to the bash seed script environment.
Fixes #59
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
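
An added illustration of the sanitization the commit message above describes, not the project's own code. The `Example`-suffixed function names are hypothetical, and the metacharacter set beyond the characters the message lists is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// shellMeta lists characters the shell treats specially. The commit message
// names backticks, dollar signs, semicolons, pipes and ampersands; the rest
// of this set is an assumption for "other shell-significant characters".
const shellMeta = "`$;|&<>(){}[]!*?~#'\"\\"

// stripControl mirrors the behaviour described as pre-fix: only control
// characters are removed, so shell metacharacters pass through untouched.
func stripControl(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1 // drop the rune
		}
		return r
	}, s)
}

// stripShellMetaExample (hypothetical name) drops every rune in shellMeta.
func stripShellMetaExample(s string) string {
	return strings.Map(func(r rune) rune {
		if strings.ContainsRune(shellMeta, r) {
			return -1
		}
		return r
	}, s)
}

// sanitizeEnvExample applies both passes, matching the post-fix description.
func sanitizeEnvExample(s string) string {
	return stripShellMetaExample(stripControl(s))
}

func main() {
	// Constructed repo names, not taken from the project or the issue.
	samples := []string{"acme/widgets", "acme/wid`id`gets", "acme/$(id);x|y&z", "acme/wid\ngets"}
	for _, in := range samples {
		fmt.Printf("%q control-only=%q full=%q\n", in, stripControl(in), sanitizeEnvExample(in))
	}
}
```

A denylist like this removes the listed characters only; values still need to be quoted wherever the seed script expands them.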
- add MCP marketplace client for plugin/ethics discovery
- resolve seed-agent-developer via marketplace and sanitize context
- apply ethics guardrails for notifications and PR metadata
- add bugseti tests for sanitization and skill lookup
- include mcp-go dependency for BugSETI