bug(dashboard): keep Windows terminal launch paths out of the cmd.exe command string #1472

@shaun0927

Summary

build_terminal_launch() still embeds the selected project path into the Windows cmd.exe argument string on current main.

That means a path containing cmd metacharacters can surface directly in the serialized command line even though the launcher already passes the same path via cwd.

Current code

scripts/lib/ecc_dashboard_runtime.py

if resolved_os_name == 'nt':
    creationflags = getattr(subprocess, 'CREATE_NEW_CONSOLE', 0)
    return (
        ['cmd.exe', '/k', 'cd', '/d', path],
        {
            'cwd': path,
            'creationflags': creationflags,
        },
    )

Reproduction

From the current helper on main:

argv, kwargs = build_terminal_launch(r'C:\tmp\proj&del', os_name='nt', system_name='Windows')
subprocess.list2cmdline(argv)

This produces a command line equivalent to:

cmd.exe /k cd /d C:\tmp\proj&del

The path is now part of the cmd.exe command string even though the launcher does not need shell parsing to enter the target directory.

Why this still matters after #1424 / #1440

  • #1424 focused on the earlier Linux injection path and the non-Windows zoomed crash.
  • #1440 improved the dashboard helper surface, but the current Windows branch still keeps the selected path inside the cmd.exe argument string.
  • This issue is specifically about the remaining Windows launcher behavior on current main.

Expected behavior

The selected path should stay out of the Windows shell command string entirely.

A minimal fix is to launch cmd.exe with CREATE_NEW_CONSOLE and rely on cwd=path for directory selection:

return (
    ['cmd.exe'],
    {
        'cwd': path,
        'creationflags': creationflags,
    },
)

Validation target

A regression test can assert that a Windows metachar path does not appear in subprocess.list2cmdline(argv) and is passed only through cwd.
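
A regression check along the lines of the validation target above, as an added example that is not part of the original issue or the project's code. `windows_launch_current` and `windows_launch_proposed` are hypothetical stand-ins for the two Windows branches quoted above, and the sample paths other than the one from the reproduction are constructed.

```python
import subprocess

# Characters cmd.exe treats specially that are also legal in Windows file names.
CMD_METACHARS = set('&^%()')

def _creationflags():
    # CREATE_NEW_CONSOLE exists only on Windows; fall back to 0 so this runs anywhere.
    return getattr(subprocess, 'CREATE_NEW_CONSOLE', 0)

def windows_launch_current(path):
    """Hypothetical stand-in for the branch quoted under 'Current code'."""
    return (['cmd.exe', '/k', 'cd', '/d', path],
            {'cwd': path, 'creationflags': _creationflags()})

def windows_launch_proposed(path):
    """Hypothetical stand-in for the branch proposed under 'Expected behavior'."""
    return (['cmd.exe'], {'cwd': path, 'creationflags': _creationflags()})

def check_launch(builder, path):
    """Return a list of problems; an empty list means the path travels only via cwd."""
    argv, kwargs = builder(path)
    cmdline = subprocess.list2cmdline(argv)
    problems = []
    if path in argv or path in cmdline:
        problems.append('path appears in command line: ' + cmdline)
    if CMD_METACHARS & set(cmdline):
        problems.append('cmd metacharacter in command line: ' + cmdline)
    if kwargs.get('cwd') != path:
        problems.append('path not passed via cwd')
    return problems

# Constructed sample paths; the first is the one used in the reproduction.
SAMPLE_PATHS = [r'C:\tmp\proj&del', r'C:\tmp\a^b', r'C:\tmp\100%done', r'C:\tmp\my proj&x']

if __name__ == '__main__':
    for p in SAMPLE_PATHS:
        print(p, '| current :', check_launch(windows_launch_current, p))
        print(p, '| proposed:', check_launch(windows_launch_proposed, p))
```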
