security(workspace): swap Arguments-string for ArgumentList — canonical CodeQL-recognised pattern (#47)

The previous QuoteArg-on-Arguments-string shape (commit ff1e192)
landed alert #47 in the next CodeQL scan: the analyser treats
`ProcessStartInfo.Arguments = …` as a single sink that can carry
shell metacharacters regardless of how the value was sanitised
upstream. `ArgumentList.Add` is the canonical fix per CodeQL's
csharp-CommandLineInjection.qll — each entry goes into argv as
a discrete element, so the OS process loader never tokenises
through any shell parser. No quoting, no escaping, no
concatenation concerns.

  // Before:
  psi.Arguments = QuoteArg(resolved);

  // After:
  psi.ArgumentList.Add(resolved);

Functional behaviour identical (Explorer / Finder / xdg-open
receives the resolved path as its argv[1]), but the data flow
CodeQL traces from user input now terminates at a recognised
sanitiser barrier instead of pretending Arguments-string-quoting
is enough.

The QuoteArg helper is removed — no caller left.

Defense-in-depth still in place:
1. SanitiseWorkspaceId allow-lists alnum+_- at the boundary
2. StartsWith(userRoot, Ordinal) path-traversal guard
3. SafeResolvedPathPattern.IsMatch sink-adjacent allow-list
4. UseShellExecute=false + ArgumentList.Add — argv-level handoff

#46's dismiss stays — it referenced the pre-refactor shape. #47
should drop on the next CodeQL scan now that the canonical
pattern is in place.

Author: thomas-stegemann

src/Kuestenlogik.Bowire/Endpoints/BowireWorkspaceEndpoints.cs

@@ -279,30 +279,27 @@ private static void LaunchPlatformFileManager(string path)
             fileName = "xdg-open";
         }
 
+        // Use `ArgumentList.Add` instead of the string `Arguments`
+        // property — each entry goes into argv as a discrete element,
+        // so the OS process loader never tokenises the resolved path
+        // through any shell parser. This is the canonical CodeQL-
+        // recognised pattern (csharp-CommandLineInjection.qll) for
+        // closing the taint flow from user input → Process.Start;
+        // the previous QuoteArg-on-Arguments-string shape still flagged
+        // because CodeQL treats the Arguments setter as a single-line
+        // sink that can carry shell metacharacters regardless of the
+        // sanitiser applied to the value. ArgumentList sidesteps that
+        // entirely: no string concatenation, no quoting concerns, no
+        // shell tokenisation.
         var psi = new ProcessStartInfo
         {
             FileName        = fileName,
-            Arguments       = QuoteArg(resolved),
             UseShellExecute = false,
         };
+        psi.ArgumentList.Add(resolved);
         Process.Start(psi);
     }
 
-    /// <summary>
-    /// Defensive argument quoting — wraps the value in <c>"..."</c>
-    /// and escapes embedded <c>"</c> as <c>\"</c>. CodeQL's
-    /// csharp-CommandLineInjection.qll recognises this idiom as a
-    /// sanitiser barrier when applied to a
-    /// <see cref="ProcessStartInfo.Arguments"/> value, so it closes
-    /// the taint flow from user-input → <c>Process.Start</c>.
-    /// Combined with the earlier path-traversal + allow-list guards
-    /// this means a hostile workspaceId would have failed three
-    /// successive checks before it could influence the spawned
-    /// process's command line.
-    /// </summary>
-    internal static string QuoteArg(string value) =>
-        "\"" + value.Replace("\"", "\\\"", StringComparison.Ordinal) + "\"";
-
     // #58 — Workspace file schema. Property declaration order doubles
     // as the on-disk JSON key order; keep version first so a stale
     // reader sees the format hint before anything else, then the