fix(security): prevent command injection in setup wizard

The handleInstallDependency endpoint was vulnerable to command injection attacks. User-provided commands were split and executed directly without validation, allowing attackers to run arbitrary commands.

Changes:
- Add whitelist of allowed commands (package managers only)
- Validate commands against whitelist before execution
- Handle privilege escalation commands (sudo/pkexec/doas) by also validating the elevated command
- Reject any command not in the whitelist with a clear error message

The whitelist includes common package managers across platforms:
- Linux: apt, dnf, pacman, zypper, emerge, eopkg, nix-env
- macOS: brew, port
- Windows: winget, choco, scoop

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Lea Anthony committed
330bc4e3de3686da47e260094c2a00f83db2f6b5
Parent: 8d28e2d