security: add shell_escape to HPC modules building commands with user input

## Summary

Several HPC modules build shell commands using format!() with user-provided parameters but don't use shell_escape() for injection prevention. Risk is LOW (parameters come from playbook YAML, not untrusted input) but should be hardened before GA.

## Affected modules

- `src/modules/hpc/gpu.rs` — gpu_selector_arg() doesn't validate GPU ID before use in commands
- `src/modules/hpc/ipmi.rs` — hostname/IP passed to curl without validation
- `src/modules/hpc/redfish.rs` — credentials passed to curl without escaping

## Recommended fix

Add `use crate::utils::shell_escape;` and wrap user-provided values:

```rust
// Before
let cmd = format!("nvidia-smi -i {} --query-gpu=...", gpu_id);
// After  
let cmd = format!("nvidia-smi -i {} --query-gpu=...", shell_escape(&gpu_id));
```

## Acceptance criteria

- All user-provided parameters in shell commands are escaped or validated
- No regressions in existing tests
- Consider creating a command-building helper with automatic escaping for future modules

## Priority

Medium — low risk currently but important for defense-in-depth

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: add shell_escape to HPC modules building commands with user input #807

Summary

Affected modules

Recommended fix

Acceptance criteria

Priority

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

security: add shell_escape to HPC modules building commands with user input #807

Description

Summary

Affected modules

Recommended fix

Acceptance criteria

Priority

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions