fix: SECURITY: Unquoted curl URLs with variables in API calls (#60)

Add URL validation helper to prevent URL injection attacks in API calls.

- Added validate_url() helper in lib/env.sh to validate URL format
- Added validation to forge_api() to prevent URL injection
- Added validation to woodpecker_api() to prevent URL injection
- Added validation to ci-debug.sh api() function
- All URLs are already properly quoted with "${VAR}/..." patterns
- This adds defense-in-depth by validating URL variables before use

lib/env.sh

@@ -232,6 +232,33 @@ forge_api_all() {
   printf '%s' "$all_items"
 }
 
+# =============================================================================
+# DIRECT CURL API CALLS WITH URL VALIDATION
+# =============================================================================
+# These helpers provide a consistent way to make authenticated API calls
+# with URL validation to prevent injection attacks.
+# =============================================================================
+
+# forge_api_call - Direct curl call with URL validation
+# Usage: forge_api_call "GET /issues" [extra_args...]
+forge_api_call() {
+  local url="$1"
+  shift
+
+  # Validate FORGE_API to prevent URL injection
+  if ! validate_url "$FORGE_API"; then
+    echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2
+    return 1
+  fi
+
+  curl -sf -X "${url%% *}" \
+    -H "Authorization: token ${FORGE_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${FORGE_API}${url#* }" "$@"
+}
+# Backwards-compat alias
+codeberg_api_all() { forge_api_all "$@"; }
+
 # =============================================================================
 # WOODPECKER API HELPER
 # =============================================================================