docs(claude): add critical rule about shell: WIN32 pattern

Author: jdalton

CLAUDE.md

@@ -374,6 +374,18 @@ Decision tree:
 - **Order**: Alphabetical; private first, then exported
 - **Await in loops**: Add `// eslint-disable-next-line no-await-in-loop` when intentional
 - **Process spawning**: Use `@socketsecurity/registry/lib/spawn` not `child_process.spawn`
+- **spawn() with shell: WIN32**: 🚨 NEVER change `shell: WIN32` to `shell: true`
+  - `shell: WIN32` is the correct cross-platform pattern (enables shell on Windows, disables on Unix)
+  - If spawn fails with ENOENT, the issue is NOT the shell parameter
+  - Fix by properly separating command and arguments instead:
+    ```javascript
+    // WRONG - passing full command as string
+    spawn('python3 -m module arg1 arg2', [], { shell: WIN32 })
+
+    // CORRECT - separate command and args
+    spawn('python3', ['-m', 'module', 'arg1', 'arg2'], { shell: WIN32 })
+    ```
+  - This pattern is canonical across all Socket Security codebases
 - **Working directory**: 🚨 NEVER use `process.chdir()` - use `{ cwd }` options and absolute paths instead
   - Breaks tests, worker threads, and causes race conditions
   - Always pass `{ cwd: absolutePath }` to spawn/exec/fs operations