fix: SECURITY: Replace eval usage with safer alternatives (#59)

lib/env.sh

@@ -29,8 +29,21 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   set -a
   _saved_forge_url="${FORGE_URL:-}"
   _saved_forge_token="${FORGE_TOKEN:-}"
-  eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
-    || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
+  # Use temp file + validate dotenv format before sourcing (avoids eval injection)
+  _tmpenv=$(mktemp) || { echo "Warning: failed to create temp file for .env.enc" >&2; }
+  if sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
+    # Validate: each non-empty, non-comment line must match KEY=value pattern
+    if grep -qE '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null && \
+       ! grep -qE '^[^A-Za-z_]' "$_tmpenv" 2>/dev/null; then
+      # shellcheck source=/dev/null
+      source "$_tmpenv"
+    else
+      echo "Warning: .env.enc decryption output failed format validation" >&2
+    fi
+  else
+    echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
+  fi
+  rm -f "$_tmpenv"
   set +a
   [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
   [ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"