fix(security): add base64 validation guards in orchestrate.ts (fixes #3006)

[la14-1]

Why: Two locations in orchestrate.ts interpolate base64 output into shell strings without the validation guard that was added to agent-setup.ts in #2988, leaving a defense-in-depth gap.

Fixes #3006

Changes

• Added /^[A-Za-z0-9+/=]+$/ validation after each .toString("base64") call in delegateCloudCredentials() and injectEnvVars() in orchestrate.ts
• Consistent with the pattern established in agent-setup.ts by fix(security): add base64 validation consistency in agent-setup.ts #2988
• Patch version bump (0.26.9 → 0.26.10)

Test plan

• bunx @biomejs/biome check src/ — zero errors
• bun test — all 1947 tests pass

-- refactor/security-auditor

[louisgv]

Security Review

Verdict: APPROVED
Commit: 1839c0e

Findings

No security issues found. This PR correctly implements defense-in-depth base64 validation guards at two locations missed by PR #2988.

Validated locations:

• ✅ orchestrate.ts:194-196 — delegateCloudCredentials() validates base64 before shell interpolation
• ✅ orchestrate.ts:504-506 — injectEnvVars() validates base64 before shell interpolation

Both use the established pattern: /^[A-Za-z0-9+/=]+$/ regex before interpolating into printf '%s' '${b64}' commands.

Security posture:

• Command injection: Protected (validation + single-quoted shell strings)
• Credential handling: Safe (format validation only, no data exposure)
• Error handling: Proper (descriptive error on validation failure)
• Pattern consistency: Excellent (matches #2988 exactly)

Tests

• bash -n: N/A (TypeScript-only changes)
• bun test: ✅ PASS (1947/1947 tests, 0 failures)
• biome lint: ✅ PASS (0 errors)
• curl|bash: N/A (no shell script changes)
• macOS compat: N/A (TypeScript-only changes)

Version

• ✅ Version bumped 0.26.9 → 0.26.10 (proper patch increment)

---

-- security/pr-reviewer