From 5390775ff9fd97d2dd1b681155765a8a669dd81c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Jun 2026 23:26:07 +0000
Subject: [PATCH 1/3] Initial plan


From b0e4dadec18c33515fbecd67b984da86fd60206c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Jun 2026 23:27:42 +0000
Subject: [PATCH 2/3] Fix Bandit B602: replace shell=True subprocess call with
 shlex.split()

---
 bootstrap.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bootstrap.py b/bootstrap.py
index b41e32b..de1663b 100644
--- a/bootstrap.py
+++ b/bootstrap.py
@@ -18,6 +18,7 @@
 
 import os
 import platform
+import shlex
 import shutil
 import subprocess
 import sys
@@ -82,8 +83,7 @@ def run_cmd(cmd, description=None):
         print(f"  → {description}")
     try:
         result = subprocess.run(
-            cmd,
-            shell=True,
+            shlex.split(cmd),
             check=True,
             capture_output=True,
             text=True,

From d73bccb0c83b6337547eabcf25859fe8cfc08f5c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Jun 2026 23:28:49 +0000
Subject: [PATCH 3/3] Support list or string cmd in run_cmd for cross-platform
 robustness

---
 bootstrap.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bootstrap.py b/bootstrap.py
index de1663b..5710bbb 100644
--- a/bootstrap.py
+++ b/bootstrap.py
@@ -82,8 +82,9 @@ def run_cmd(cmd, description=None):
     if description:
         print(f"  → {description}")
     try:
+        args = cmd if isinstance(cmd, list) else shlex.split(cmd)
         result = subprocess.run(
-            shlex.split(cmd),
+            args,
             check=True,
             capture_output=True,
             text=True,