Replace shell exec with execFile in CLI tests to eliminate shell injection risk #171

Draft

Copilot wants to merge 2 commits into master from copilot/apply-autofixes-381

Conversation

Copilot AI (Contributor) commented Apr 3, 2026

Tests were using exec with template-literal shell commands (`cat ${tempFilePath} | ${cliPath} --delim ...`), flagged by CodeQL as "Shell command built from environment values."

Potential fix for alerts

Changes

  • exec → execFile: Replaced shell-spawning exec/execAsync with execFile/execFileAsync throughout the test file; no shell is invoked, so variable interpolation into shell strings is eliminated
  • execFileWithInput helper: Promisified execFile has no input option (unlike sync variants), so a small helper wraps the callback form and writes directly to child.stdin:

```typescript
import { execFile } from 'node:child_process';

// Promisified execFile has no `input` option, so wrap the callback form
// and feed `input` to the child's stdin directly.
const execFileWithInput = (file: string, args: string[], input: string): Promise<{ stdout: string; stderr: string }> => {
    return new Promise((resolve, reject) => {
        const child = execFile(file, args, (error, stdout, stderr) => {
            if (error) {
                reject(error);
            } else {
                resolve({ stdout, stderr });
            }
        });
        if (child.stdin) {
            child.stdin.write(input);
            child.stdin.end();
        }
    });
};
```

  • Pipe-based tests refactored: All `cat file | cmd` invocations replaced with fs.readFileSync + execFileWithInput, passing CSV content directly as stdin
  • Simple tests (--help, --invalid-arg, --delim edge cases) use execFileAsync with an explicit args array

Copilot AI changed the title from "[WIP] Autofix Code Scanning Alert" to "Replace shell exec with execFile in CLI tests to eliminate shell injection risk" on Apr 3, 2026
Copilot AI requested a review from donatj April 3, 2026 09:35