🛡️ Sentinel: [CRITICAL] Fix arbitrary command execution via profile.bitcoin_cli

[bitcoiner-dev]

🚨 Severity: CRITICAL
💡 Vulnerability: The application was sourcing the bitcoin_cli executable path from the user's Profile configuration and passing it directly to std::process::Command::new without any validation. While Command::new mitigates shell injection (e.g., ; rm -rf /), it still allows execution of arbitrary system binaries if a malicious or tampered user profile specifies an absolute path like /bin/sh or /usr/bin/python with arbitrary arguments.
🎯 Impact: If a user runs the application with a malicious, compromised, or mistakenly configured user profile, the application could be hijacked to execute arbitrary system binaries and commands with the privileges of the user running the application.
🔧 Fix: Implemented a strict validation function crate::utils::validate_bitcoin_cli_path that enforces the path only targets exactly bitcoin-cli or bitcoin-cli.exe and rejects any other binaries or directory traversal attempts. In addition, an insecure, duplicate implementation of run_bitcoin_cli in src/wallet_service.rs was removed to ensure all code paths utilize the secure implementation.
✅ Verification: Verified that cargo test --bin zinc-cli passes without regressions.

---

PR created automatically by Jules for task 15174604806940241753 started by @bitcoiner-dev

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.