python · stata-mcp · Critical
stata-mcp: Command injection via log_file_name parameter
What changed
The `log_file_name` parameter in `stata_do` API and CLI is directly interpolated into a Stata command string without sanitization, allowing command injection and path traversal.
Who it affects
All users of the `stata-mcp` package who accept user-supplied `log_file_name` values.
What to do today
Update to the latest commit that fixes the vulnerability, or apply strict allowlist validation to `log_name` (only alphanumeric, underscore, dot, hyphen; max 128 chars) and verify the constructed log path remains within the intended log directory.
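As an added example (not the package's own code), the following Python implements the two recommended checks: the character allowlist with its 128-character limit, plus a path-containment check that catches names such as `.` or `..`, which the allowlist alone lets through. The `log using` command form and the `logs` directory are assumptions for illustration.

```python
import re
from pathlib import Path

# Allowlist from the advisory: alphanumeric, underscore, dot, hyphen; at most 128 chars.
LOG_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


def validate_log_file_name(log_file_name: str, log_dir) -> Path:
    """Return the resolved log path if the name is safe, otherwise raise ValueError.

    Check 1 rejects quotes, spaces, slashes and newlines that could alter the
    Stata command string. Check 2 is defence in depth: "." and ".." consist only
    of allowlisted characters, so containment must be verified on the resolved path.
    """
    if not LOG_NAME_RE.fullmatch(log_file_name):
        raise ValueError(f"log_file_name rejected by allowlist: {log_file_name!r}")
    base = Path(log_dir).resolve()
    candidate = (base / log_file_name).resolve()
    # The log file must be a direct child of the log directory.
    if base not in candidate.parents:
        raise ValueError(f"log path escapes log directory: {candidate}")
    return candidate


def is_safe_log_file_name(log_file_name: str, log_dir) -> bool:
    """Boolean convenience wrapper around validate_log_file_name."""
    try:
        validate_log_file_name(log_file_name, log_dir)
        return True
    except ValueError:
        return False


def build_log_command(log_file_name: str, log_dir) -> str:
    """Build the Stata log command only from a validated, contained path.

    The exact command form is assumed; the package's real string is not
    reproduced from the advisory.
    """
    path = validate_log_file_name(log_file_name, log_dir)
    return f'log using "{path}", replace'


if __name__ == "__main__":
    # Constructed sample inputs: one accepted, the rest rejected.
    for name in ("run1.log", "..", "a b", 'bad"name', "x\n", "a" * 129):
        print(f"{name!r:>12}: {'ok' if is_safe_log_file_name(name, 'logs') else 'rejected'}")
```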