Input validation
Defense against untrusted input beyond the flag-value checks already in byob-errors.1: path traversal, config-shape validation, shell injection, SQL injection, and enum/range checks at the Options boundary.
Decisions
byob-input-validation.1— Resolve and containment-check every user-supplied pathbyob-input-validation.2— Validate parsed config shape explicitly before trusting itbyob-input-validation.3— Never shell out through `sh -c`; always `exec.CommandContext` with fixed argvbyob-input-validation.4— Every SQL statement uses placeholders; never string-concatenated valuesbyob-input-validation.5— Validate at the Options boundary; fail with FlagErrorf before side effects