fix: Prevent command injection via env var values in Koyeb and Hyperstack scripts (#196)

Koyeb's inject_env_vars used sed escaping that didn't handle single quotes,
allowing API key values containing ' to break out of the shell command string
passed to `koyeb instances exec`. Replace with file-based injection using
generate_env_config + upload_file, matching the safe pattern in shared/common.sh.

Hyperstack goose/gemini/interpreter/codex scripts embedded $OPENROUTER_API_KEY
directly in double-quoted command strings passed to run_server (SSH). Values
containing double quotes, backticks, or $() could execute arbitrary commands
on the remote VM. Replace with inject_env_vars_ssh which writes env vars to a
temp file, uploads via SCP, and appends to shell config without interpolation.

Also hardens Koyeb upload_file to reject remote paths containing shell
metacharacters (', $, `, newline).

Agent: security-auditor

Co-authored-by: A <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hyperstack/codex.sh

@@ -34,11 +34,10 @@ else
 fi
 
 log_warn "Setting up environment variables..."
-run_server "$HYPERSTACK_VM_IP" "cat >> ~/.bashrc << 'EOF'
-export OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
-export OPENAI_API_KEY=${OPENROUTER_API_KEY}
-export OPENAI_BASE_URL=https://openrouter.ai/api/v1
-EOF"
+inject_env_vars_ssh "$HYPERSTACK_VM_IP" upload_file run_server \
+    "OPENROUTER_API_KEY=${OPENROUTER_API_KEY}" \
+    "OPENAI_API_KEY=${OPENROUTER_API_KEY}" \
+    "OPENAI_BASE_URL=https://openrouter.ai/api/v1"
 
 echo ""
 log_info "Hyperstack VM setup completed successfully!"
@@ -47,4 +46,4 @@ echo ""
 log_warn "Starting Codex..."
 sleep 1
 clear
-interactive_session "$HYPERSTACK_VM_IP" "bash -c 'source ~/.bashrc && codex'"
+interactive_session "$HYPERSTACK_VM_IP" "source ~/.zshrc && codex"