fix(tools): use execFile instead of exec to avoid shell injection#5197

Draft

marcoscaceres wants to merge 4 commits into main from alert-autofix-47

Conversation

@marcoscaceres (Contributor)

Potential fix for https://github.com/speced/respec/security/code-scanning/47

Use child_process.execFile() (or spawn) with an explicit executable and argument array, instead of exec() with a single interpolated shell command string.

Best minimal fix in this file:

  1. Replace exec import with execFile.
  2. Refactor commandRunner(program) so it tokenizes the static program once (e.g., "java -jar <path>"), then combines those tokens with parsed cmd tokens, and calls a new toExecFilePromise(file, args, options).
  3. Replace toExecPromise(cmd, ...) with toExecFilePromise(file, args, ...) that calls execFile(file, args, ...).
  4. Keep behavior (logging, timeout, output piping) equivalent.

This removes shell interpretation while preserving current functionality in tools/release.cjs.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…m environment values

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@marcoscaceres (Contributor, Author)

@copilot see the CI error about the commit message. Can you fix that please?

Copilot AI and others added 2 commits April 14, 2026 03:03
Agent-Logs-Url: https://github.com/speced/respec/sessions/cf64d910-0bb6-4b8e-8a7b-e6ebd7300833

Co-authored-by: marcoscaceres <870154+marcoscaceres@users.noreply.github.com>

Copilot AI commented Apr 14, 2026

> @copilot see the CI error about the commit message. Can you fix that please?

Fixed in commits 593763c and c81e958.

Two issues were addressed:

  1. The commits now use conventional commit format (fix(tools): ...)
  2. The splitArgs function had a Prettier formatting violation that was causing the lint CI to fail — fixed that too

Note: the PR title still shows the original non-conventional text. Since I can't update the PR title directly, you may need to edit it manually to something like fix(tools): use execFile instead of exec to avoid shell injection so the "Check PR title" CI check passes.

marcoscaceres changed the title from "Potential fix for code scanning alert no. 47: Shell command built from environment values" to "fix: code scanning alert no. 47: Shell command built from environment values" (Apr 14, 2026)
marcoscaceres changed the title from "fix: code scanning alert no. 47: Shell command built from environment values" to "fix(tools): use execFile instead of exec to avoid shell injection" (Apr 14, 2026)