fix(security): add base64 validation guards in orchestrate.ts (fixes #3006) (#3007)

Add /^[A-Za-z0-9+/=]+$/ validation after each .toString("base64") call
in delegateCloudCredentials() and injectEnvVars(), consistent with the
pattern established in agent-setup.ts by #2988.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/cli/src/shared/orchestrate.ts

@@ -191,6 +191,9 @@ export async function delegateCloudCredentials(runner: CloudRunner, _cloudName:
   for (const file of filesToDelegate) {
     const content = readFileSync(file.localPath, "utf-8");
     const b64 = Buffer.from(content).toString("base64");
+    if (!/^[A-Za-z0-9+/=]+$/.test(b64)) {
+      throw new Error("Unexpected characters in base64 output");
+    }
     const writeResult = await asyncTryCatch(() =>
       runner.runServer(`printf '%s' '${b64}' | base64 -d > ${file.remotePath} && chmod 600 ${file.remotePath}`),
     );
@@ -498,6 +501,9 @@ export async function runOrchestration(
 async function injectEnvVars(cloud: CloudOrchestrator, envContent: string): Promise<void> {
   logStep("Setting up environment variables...");
   const envB64 = Buffer.from(envContent).toString("base64");
+  if (!/^[A-Za-z0-9+/=]+$/.test(envB64)) {
+    throw new Error("Unexpected characters in base64 output");
+  }
 
   const isLocalWindows = cloud.cloudName === "local" && isWindows();
   const envSetupCmd = isLocalWindows