feat(launcher): thin primitive architecture + run_osascript hardening

- file_handlers: add script_template param to native:launch-from-cache
  (AppleScript or shell: prefix; falls back to hardcoded defaults when null)
- file_handlers: add native:copy-from-cache-to-temp as composable primitive
  (copies cached file to temp, returns path — caller handles launch logic)
- shell_handlers: harden native:run-osascript with temp .scpt file approach
  (replaces -e flag; handles multi-line scripts and paths with special chars)
- README: rewrite Native Bridge section — full method table, composable
  pattern example, configurable launch scripts note
- deploy/devices.conf: update IPs for devices 03-06, uncomment entries

src/main/shell_handlers.ts

@@ -1,6 +1,7 @@
 import { ipcMain, shell } from 'electron';
 import { exec, execSync } from 'child_process';
 import * as fs from 'fs';
+import * as path from 'path';
 import * as os from 'os';
 import { expandPath } from './file_utils';
 
@@ -32,10 +33,27 @@ export function registerShellHandlers() {
 
   ipcMain.handle('native:run-osascript', async (event, script: string) => {
     if (os.platform() !== 'darwin') return { success: false, error: 'AppleScript is only available on macOS' };
-    const escapedScript = script.replace(/"/g, '\"');
-    const cmd = `osascript -e "${escapedScript}"`;
+
+    // HARDENED: Write script to a temp .scpt file rather than passing inline via -e.
+    // The old -e approach (`osascript -e "..."`) has two fatal flaws:
+    //   1. It breaks on multi-line scripts.
+    //   2. It breaks on paths containing spaces or special characters (quotes, parens, etc.)
+    // Writing to a file sidesteps both — no shell escaping needed at all.
+    // The .scpt file is deleted immediately after execution (success or failure).
+    // Worst case on crash: a stale .scpt in /tmp, cleared on next OS reboot.
+    //
+    // LEGACY (removed): const cmd = `osascript -e "${script.replace(/"/g, '\\"')}"`;
+
+    const tmp_script_path = path.join(os.tmpdir(), `ae_osa_${Date.now()}.scpt`);
     return new Promise((resolve) => {
-      exec(cmd, (error, stdout, stderr) => {
+      try {
+        fs.writeFileSync(tmp_script_path, script.trim());
+      } catch (e: any) {
+        resolve({ success: false, error: `Failed to write AppleScript temp file: ${e.message}` });
+        return;
+      }
+      exec(`osascript "${tmp_script_path}"`, (error, stdout, stderr) => {
+        try { fs.unlinkSync(tmp_script_path); } catch {}
         resolve({ success: !error, stdout: stdout.trim(), stderr: stderr.trim(), error: error ? error.message : null });
       });
     });
@@ -45,8 +63,8 @@ export function registerShellHandlers() {
     console.log(`Native: Killing processes -> `, process_name_li);
     const results = [];
     for (const name of process_name_li) {
-      const cmd = os.platform() === 'win32' 
-        ? `taskkill /F /IM ${name} /T` 
+      const cmd = os.platform() === 'win32'
+        ? `taskkill /F /IM ${name} /T`
         : `pkill -f ${name}`;
       try {
         execSync(cmd);
@@ -117,7 +135,7 @@ export function registerShellHandlers() {
 
   ipcMain.handle('native:control-presentation', async (event, { app, action }) => {
     if (os.platform() !== 'darwin') return { success: false, error: 'Presentation control is only available on macOS' };
-    
+
     let script = '';
     if (app === 'powerpoint') {
       switch (action) {