fix: address code review findings for plugin commands

- Add registry lock during command execution to prevent race conditions
- Add input sanitization for command arguments (defense in depth)
- Validate handler is a function during registration
- Remove redundant case-insensitive regex flag
- Add success logging for command execution
- Simplify handler return type (always returns result now)
- Remove dead code branch in commands-plugin.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/auto-reply/reply/commands-plugin.ts

@@ -23,7 +23,7 @@ export const handlePluginCommand: CommandHandler = async (
   const match = matchPluginCommand(command.commandBodyNormalized);
   if (!match) return null;
 
-  // Execute the plugin command
+  // Execute the plugin command (always returns a result)
   const result = await executePluginCommand({
     command: match.command,
     args: match.args,
@@ -34,13 +34,8 @@ export const handlePluginCommand: CommandHandler = async (
     config: cfg,
   });
 
-  if (result) {
-    return {
-      shouldContinue: false,
-      reply: { text: result.text },
-    };
-  }
-
-  // Command was blocked (e.g., unauthorized) - don't continue to agent
-  return { shouldContinue: false };
+  return {
+    shouldContinue: false,
+    reply: { text: result.text },
+  };
 };