Potential fix for code scanning alert no. 2: Uncontrolled command line

[Rootless-Ghost]

Potential fix for https://github.com/Rootless-Ghost/AtomicLoop/security/code-scanning/2

The safest fix without changing intended functionality is to strictly validate substituted argument values using a positive allowlist before building shell command strings. The existing blacklist is too weak and shell-specific bypasses remain.
Best approach in this codebase:

• In core/engine.py (inside run_test, where input_args is validated), replace the current metacharacter blacklist with:
  • same type checks,
  • length check for string inputs,
  • strict allowlist regex for permitted characters (letters, digits, space, underscore, dot, colon, slash, backslash, plus, equals, comma, at, percent, and hyphen),
  • reject control characters.
• Keep behavior otherwise unchanged (still supports variable substitution and existing execution paths), but fail closed on unsafe input.

No other files need modification for this specific CodeQL path because the taint source is neutralized before command construction.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.