fix: escape single quotes and backticks in vault secret values

[stack72]

Closes #394

Summary

• Add single quote (') and backtick (`) escaping to the vault secret value escape chain in model_resolver.ts
• Add dedicated test cases for both characters and update existing tests that contain them

Problem

The vault.get() regex accepts three quote styles as argument delimiters (', ", `), but the escaping logic only handled double quotes, backslashes, and whitespace characters (\n, \r, \t). While the current double-quote wrapping ("${escapedValue}") means unescaped single quotes and backticks can't break out of the string today, this is an incomplete defense-in-depth.

Plan vs Implementation

The plan called for:

1. Adding .replace(/'/g, "\\'") and .replace(//g, "\") after the double-quote escape — implemented exactly as planned
2. Adding two new test cases for single quotes and backticks — implemented as planned

One aspect not anticipated in the plan: three existing tests ($' pattern, $` pattern, and multi-dollar pattern) contained single quotes or backticks in their secret values and needed their expected outputs updated to reflect the new escaping. This was a straightforward consequence of the change.

Changes

src/domain/expressions/model_resolver.ts

Added two .replace() calls to the escape chain:

.replace(/'/g, "\\'")   // NEW — escape single quotes
.replace(/`/g, "\\`")   // NEW — escape backticks

src/domain/vaults/vault_expression_test.ts

• Added: "should escape single quotes in secret values" — p@ss'w0rd → "p@ss\\'w0rd"
• Added: "should escape backticks in secret values" — value`with`backticks → "value\`with\`backticks"
• Updated: 3 existing dollar-pattern tests to expect escaped single quotes/backticks

Verification

• deno check — passes
• deno lint — passes
• deno fmt — passes
• deno run test src/domain/vaults/vault_expression_test.ts — all 24 steps pass

Note on user impact

The practical user impact today is none — the double-quote wrapping already prevents these characters from causing issues. This is a defense-in-depth fix that ensures safety if the quoting strategy is ever changed. Confirmed that cel-js v7.3.1 supports both \' and \` as valid escape sequences.

🤖 Generated with Claude Code

[github-actions]

Review Summary

This PR adds defense-in-depth escaping for single quotes and backticks in vault secret values. The changes are well-crafted and focused.

Blocking Issues

None - This PR is ready to merge.

Review Details

Code Quality & TypeScript Strict Mode ✅

• No any types introduced
• Simple, correct regex replacements
• Proper escaping order (backslashes first, then quotes/special chars)

CLAUDE.md Compliance ✅

• Named exports used throughout
• AGPLv3 copyright headers present
• CI confirms: deno check, deno lint, deno fmt all pass

Domain-Driven Design ✅

• ModelResolver is appropriately placed in src/domain/expressions/
• Escaping logic is a valid domain service responsibility
• No DDD violations

Test Coverage ✅

• Two new dedicated test cases for single quotes and backticks
• Three existing tests updated to reflect new escaping behavior
• Tests use @std/assert as required
• All 24 test steps pass per CI

Security ✅

• This PR improves security with defense-in-depth escaping
• Even though double-quote wrapping already prevents breakout today, escaping these characters ensures safety if the quoting strategy changes
• Confirmed cel-js v7.3.1 supports both \' and \` escape sequences

Suggestions (non-blocking)

None - this is a clean, focused fix.

🤖 Reviewed by Claude Code