Prevent command injection in CLI docs build script #2536

Status: Open
fnando wants to merge 2 commits into main from exec-file-sync

Conversation

@fnando (Member) commented Jun 25, 2026

What

Replaces every execSync shell-string call in scripts/stellar_cli.mjs with execFileSync using argument arrays, and moves the latest-tag filtering out of a shell pipe (git tag | grep | tail) into JavaScript.

Why

The previous code interpolated the cliRef value (sourced from the --cli-ref flag / stellar-cli-ref workflow input) directly into a shell string passed to execSync, a command-injection anti-pattern. Passing arguments as an array treats them as data, not shell instructions, so a ref value can no longer break out of the intended git command. This is defense-in-depth hardening — the input is not externally controllable in current upstream workflows, but the fix protects future dispatch wiring and local runs with untrusted refs.

Notes

No behavior change for the normal build path: git clone/fetch/checkout and pnpm format:mdx run as before; the tag selection now filters out rc/preview tags in JS instead of via shell.

Copilot AI review requested due to automatic review settings June 25, 2026 17:02
@fnando fnando self-assigned this Jun 25, 2026

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the docs build helper script by removing shell-string command execution and replacing it with argument-based process execution to prevent command injection when using --cli-ref.

Changes:

  • Replace execSync(<shell string>) with execFileSync(<cmd>, <args>, { cwd }) for all git/pnpm invocations.
  • Move git tag | grep | tail logic into JavaScript filtering to avoid shell pipelines.

Comment thread scripts/stellar_cli.mjs Outdated
Comment thread scripts/stellar_cli.mjs