fix: reject control characters in GITHUB_TOKEN validation (#2241)

GITHUB_TOKEN containing newlines, tabs, or carriage returns could
corrupt ~/.config/gh/hosts.yml before permissions are set (line 314)
and bypass validation in downstream consumers. Defense-in-depth fix
following the pattern established in sh/shared/key-request.sh:78.

Fixes #2239

Agent: team-lead

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: 3 people

sh/shared/github-auth.sh

@@ -289,6 +289,12 @@ ensure_gh_auth() {
                 return 1
                 ;;
         esac
+        # SECURITY: Reject tokens containing newlines, tabs, or carriage returns
+        # to prevent credential file corruption and bypass of downstream validation.
+        if [[ "${GITHUB_TOKEN}" =~ $'\n' ]] || [[ "${GITHUB_TOKEN}" =~ $'\t' ]] || [[ "${GITHUB_TOKEN}" =~ $'\r' ]]; then
+            log_error "GITHUB_TOKEN contains invalid control characters (newline/tab/CR)"
+            return 1
+        fi
 
         # Fast path: skip persistence if gh is already authenticated with
         # stored credentials (not just the env var). Temporarily unset