Fix command injection in claude-supermemory openBrowser() (#19)

## Summary

This PR fixes a command injection vulnerability in `openBrowser()` by replacing
`exec()` with `execFile()` and passing arguments as an array.

## Details

The previous implementation used string concatenation when invoking external
commands, allowing shell metacharacters in a crafted URL to execute arbitrary
commands.

Using `execFile()` avoids shell interpolation and eliminates this attack vector.

## Related Issue

Closes #868

Author: jayvenn21

src/lib/auth.js

@@ -2,7 +2,7 @@ const http = require('node:http');
 const fs = require('node:fs');
 const path = require('node:path');
 const os = require('node:os');
-const { exec } = require('node:child_process');
+const { execFile } = require('node:child_process');
 
 const authSuccessHtml = require('../templates/auth-success.html');
 const authErrorHtml = require('../templates/auth-error.html');
@@ -50,13 +50,16 @@ function clearCredentials() {
 }
 
 function openBrowser(url) {
-  const cmd =
-    process.platform === 'darwin'
-      ? 'open'
-      : process.platform === 'win32'
-        ? 'start'
-        : 'xdg-open';
-  exec(`${cmd} "${url}"`);
+  const onError = (err) => {
+    if (err) console.warn('Failed to open browser:', err.message);
+  };
+  if (process.platform === 'win32') {
+    execFile('explorer.exe', [url], onError);
+  } else if (process.platform === 'darwin') {
+    execFile('open', [url], onError);
+  } else {
+    execFile('xdg-open', [url], onError);
+  }
 }
 
 function startAuthFlow() {