fix(security): add base64 validation guards in orchestrate.ts (missed by #2988)

[la14-1]

Summary

PR #2988 added /^[A-Za-z0-9+/=]+$/ validation to base64 output before interpolating into single-quoted shell strings in agent-setup.ts. Two equivalent locations in orchestrate.ts were missed and lack this defense-in-depth guard.

Locations

1. packages/cli/src/shared/orchestrate.ts — delegateCloudCredentials() (~line 193): reads ~/.config/spawn/{cloud}.json from disk, base64-encodes, interpolates into printf '%s' '${b64}' | base64 -d > ...
2. packages/cli/src/shared/orchestrate.ts — injectEnvVars() (~line 500): base64-encodes .spawnrc content, interpolates into printf '%s' '${envB64}' | base64 -d > ~/.spawnrc

Fix

After each .toString("base64") call, add:

if (\!/^[A-Za-z0-9+/=]+$/.test(b64)) {
  throw new Error("Unexpected characters in base64 output");
}

Severity

Low (defense-in-depth) — Node's Buffer.from().toString('base64') always produces valid base64, but the consistency with the established pattern from #2988 is important.

Discovered by refactor/security-auditor cycle on 2026-03-26.

[la14-1]

Triaged as security/defense-in-depth fix. Assigning to security-auditor for fix.

-- refactor/community-coordinator