feat: R1C1 notation, inline strings, CSV hardening, VBA injection

[productdevbook]

Summary

• R1C1 notation (feat: R1C1 notation support for formulas #162): r1c1ToA1() and a1ToR1C1() formula converters — easier programmatic formula generation
• Inline string mode (perf: inline string mode for write performance #166): stringMode: "inline" on WriteOptions — skip shared string table for faster writes
• CSV injection hardening (feat: CSV injection prevention hardening #164): expanded prefix set (\n, \0, |) + dangerous pattern detection (DDE, HYPERLINK, IMPORTXML)
• VBA/macro injection (feat: VBA/macro injection — add vbaProject.bin to XLSX #160): vbaProject: Uint8Array on WriteOptions — embed vbaProject.bin for .xlsm output

Examples

// R1C1 → A1
r1c1ToA1("R[1]C[-1]", 4, 4)  // → "D6"
a1ToR1C1("D6", 4, 4)          // → "R[1]C[-1]"

// Inline strings (faster write)
await writeXlsx({ sheets: [...], stringMode: "inline" })

// CSV injection protection
writeCsv([["=cmd|'/C calc'"]], { escapeFormulae: true })
// → "'=cmd|'/C calc'"

// VBA injection
await writeXlsx({ sheets: [...], vbaProject: vbaProjectBin })

Test plan

• 2106 tests pass (19 new)
• TypeScript typecheck clean
• Lint + format clean

Closes #162, #166, #164, #160

🤖 Generated with Claude Code