fix(process): use shlex to safely quote commands in bg_command for improved security

tools/process_registry.py

@@ -32,6 +32,7 @@ Usage:
 import json
 import logging
 import os
+import shlex
 import shutil
 import signal
 import subprocess
@@ -247,9 +248,9 @@ class ProcessRegistry:
         # Run the command in the sandbox with output capture
         log_path = f"/tmp/hermes_bg_{session.id}.log"
         pid_path = f"/tmp/hermes_bg_{session.id}.pid"
-        safe_command = command.replace("'", "'\''")
+        quoted_command = shlex.quote(command)
         bg_command = (
-            f"nohup bash -c '{safe_command}' > {log_path} 2>&1 & "
+            f"nohup bash -c {quoted_command} > {log_path} 2>&1 & "
             f"echo $! > {pid_path} && cat {pid_path}"
         )