fix(security): gateguard classifier bypasses (GHSA-4v57) + Windows CI + claw ReDoS

- gateguard (GHSA-4v57-ph3x-gf55): add a quote-aware detection pass that
  dequotes command words and splits on UNQUOTED separators incl. newlines, so
  newline-separated commands, quoted command words ('rm'/"rm"), quoted
  find -exec, and sh/bash -c wrappers are all classified destructive. Additive —
  existing 133 cases still pass; +7 bypass regressions + a false-positive guard
  (rm inside a quoted echo arg stays allowed). 140/140.
- Windows CI: format-code.ts emitted backslash paths via path.normalize, breaking
  forward-slash assertions on all Windows matrix cells — force forward slashes.
- claw.js (CodeQL #1 js/polynomial-redos): bound parseTurns input so the lazy
  [\s\S]*? body can't drive O(n^2) scanning on adversarial history files.

Full suite 2852/2852; lint green.

.opencode/tools/format-code.ts

@@ -104,9 +104,11 @@ function detectFormatter(cwd: string, ext: string): Formatter | null {
 }
 
 function buildFormatterCommand(formatter: Formatter, filePath: string, cwd?: string): string {
-  // Normalize path for cross-platform compatibility
-  const normalizedPath = path.normalize(filePath)
-  
+  // Normalize to forward slashes so the emitted command is identical on every
+  // platform. `path.normalize` yields backslashes on Windows, which broke the
+  // command string (and Windows CI); all formatter CLIs accept `/` on Windows.
+  const normalizedPath = path.normalize(filePath).split(path.sep).join("/")
+
   // Build command based on formatter and platform
   const commands: Record<Formatter, string> = {
     biome: `npx @biomejs/biome format --write ${normalizedPath}`,