Replace shell=True with shell=False throughout

- _host_cmd(str) -> _host_prefix() -> list[str]: returns
  ["flatpak-spawn", "--host"] inside Flatpak, [] outside
- _run() now takes list[str] args, passes _host_prefix() + args
  to subprocess.run with shell=False
- _has_command() uses shutil.which() outside Flatpak (no subprocess),
  falls back to _run(["which", name]) inside Flatpak
- launch() uses shlex.split() to tokenise the command string before
  passing to Popen with shell=False
- Update all tests to assert list args; add Flatpak launch test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: tyvsmith

lan_mouse.py

@@ -4,6 +4,8 @@
 
 import functools
 import re
+import shlex
+import shutil
 import subprocess
 import time
 from pathlib import Path
@@ -28,18 +30,16 @@ class Client(TypedDict):
     ips: list[str]
 
 
-def _host_cmd(command: str) -> str:
-    """Prefix a command with flatpak-spawn --host when running inside flatpak."""
-    if _IN_FLATPAK:
-        return f"flatpak-spawn --host {command}"
-    return command
+def _host_prefix() -> list[str]:
+    """Return the flatpak-spawn --host prefix when running inside the Flatpak sandbox."""
+    return ["flatpak-spawn", "--host"] if _IN_FLATPAK else []
 
 
-def _run(command: str, timeout: float = 5.0) -> subprocess.CompletedProcess[str]:
+def _run(args: list[str], timeout: float = 5.0) -> subprocess.CompletedProcess[str]:
     """Run a host command and return the CompletedProcess."""
     return subprocess.run(
-        _host_cmd(command),
-        shell=True,
+        _host_prefix() + args,
+        shell=False,
         capture_output=True,
         text=True,
         timeout=timeout,
@@ -55,8 +55,10 @@ def _bin(bin_path: str = "") -> str:
 
 def _has_command(name: str) -> bool:
     """Check if a command exists on the host."""
+    if not _IN_FLATPAK:
+        return shutil.which(name) is not None
     try:
-        result = _run(f"command -v {name}")
+        result = _run(["which", name])
         return result.returncode == 0
     except (subprocess.TimeoutExpired, OSError):
         return False
@@ -66,7 +68,7 @@ def is_running(bin_path: str = "") -> bool:
     """Check if the lan-mouse process is running."""
     try:
         name = Path(_bin(bin_path)).name
-        result = _run(f"pgrep -x {name}")
+        result = _run(["pgrep", "-x", name])
         return result.returncode == 0
     except (subprocess.TimeoutExpired, OSError):
         return False
@@ -108,7 +110,7 @@ def list_clients(bin_path: str = "") -> list[Client]:
     Returns an empty list if lan-mouse is not running or the command fails.
     """
     try:
-        result = _run(f"{_bin(bin_path)} cli list")
+        result = _run([_bin(bin_path), "cli", "list"])
         if result.returncode != 0:
             return []
     except (subprocess.TimeoutExpired, OSError):
@@ -132,7 +134,7 @@ def get_status(bin_path: str = "") -> Status:
     distinguish "not running" from "running but no clients".
     """
     try:
-        result = _run(f"{_bin(bin_path)} cli list")
+        result = _run([_bin(bin_path), "cli", "list"])
         if result.returncode == 0:
             return Status(running=True, clients=_parse_clients(result.stdout))
     except (subprocess.TimeoutExpired, OSError):
@@ -145,7 +147,7 @@ def get_status(bin_path: str = "") -> Status:
 def activate(client_id: int, bin_path: str = "") -> bool:
     """Activate a client connection. Returns True on success."""
     try:
-        result = _run(f"{_bin(bin_path)} cli activate {client_id}")
+        result = _run([_bin(bin_path), "cli", "activate", str(client_id)])
         return result.returncode == 0
     except (subprocess.TimeoutExpired, OSError):
         return False
@@ -154,7 +156,7 @@ def activate(client_id: int, bin_path: str = "") -> bool:
 def deactivate(client_id: int, bin_path: str = "") -> bool:
     """Deactivate a client connection. Returns True on success."""
     try:
-        result = _run(f"{_bin(bin_path)} cli deactivate {client_id}")
+        result = _run([_bin(bin_path), "cli", "deactivate", str(client_id)])
         return result.returncode == 0
     except (subprocess.TimeoutExpired, OSError):
         return False
@@ -181,10 +183,12 @@ def launch(command: str = "", bin_path: str = "") -> None:
         command: Custom launch command. If empty, auto-detects the best method.
         bin_path: Custom path to the lan-mouse binary.
     """
-    cmd = _host_cmd(command.strip() or _resolve_launch_cmd(bin_path))
+    args = _host_prefix() + shlex.split(
+        command.strip() or _resolve_launch_cmd(bin_path)
+    )
     subprocess.Popen(
-        cmd,
-        shell=True,
+        args,
+        shell=False,
         start_new_session=True,
         stdin=subprocess.DEVNULL,
         stdout=subprocess.DEVNULL,
@@ -199,7 +203,7 @@ def wait_for_ready(bin_path: str = "", timeout: float = 5.0) -> bool:
     while time.monotonic() < deadline:
         if is_running(bin_path):
             try:
-                result = _run(f"{_bin(bin_path)} cli list")
+                result = _run([_bin(bin_path), "cli", "list"])
                 if result.returncode == 0:
                     return True
             except (subprocess.TimeoutExpired, OSError):
@@ -212,7 +216,7 @@ def kill(bin_path: str = "") -> bool:
     """Kill the lan-mouse daemon and wait for it to exit. Returns True on success."""
     try:
         name = Path(_bin(bin_path)).name
-        result = _run(f"pkill -x {name}")
+        result = _run(["pkill", "-x", name])
         if result.returncode != 0:
             return False
         for _ in range(20):

tests/test_lan_mouse.py

@@ -26,21 +26,18 @@ def test_custom_path_stripped(self):
 
 
 # ---------------------------------------------------------------------------
-# _host_cmd()
+# _host_prefix()
 # ---------------------------------------------------------------------------
 
 
-class TestHostCmd:
+class TestHostPrefix:
     @patch("lan_mouse._IN_FLATPAK", False)
     def test_outside_flatpak(self):
-        assert lan_mouse._host_cmd("pgrep -x lan-mouse") == "pgrep -x lan-mouse"
+        assert lan_mouse._host_prefix() == []
 
     @patch("lan_mouse._IN_FLATPAK", True)
     def test_inside_flatpak(self):
-        assert (
-            lan_mouse._host_cmd("pgrep -x lan-mouse")
-            == "flatpak-spawn --host pgrep -x lan-mouse"
-        )
+        assert lan_mouse._host_prefix() == ["flatpak-spawn", "--host"]
 
 
 # ---------------------------------------------------------------------------
@@ -185,7 +182,7 @@ def test_skips_malformed_lines(self, mock_run):
     def test_custom_bin_path(self, mock_run):
         mock_run.return_value = _make_run_result("")
         lan_mouse.list_clients("/custom/lan-mouse")
-        mock_run.assert_called_once_with("/custom/lan-mouse cli list")
+        mock_run.assert_called_once_with(["/custom/lan-mouse", "cli", "list"])
 
 
 # ---------------------------------------------------------------------------
@@ -275,7 +272,7 @@ def test_oserror(self, mock_run):
     def test_uses_basename_of_custom_path(self, mock_run):
         mock_run.return_value = _make_run_result("", returncode=0)
         lan_mouse.is_running("/usr/local/bin/lan-mouse")
-        mock_run.assert_called_once_with("pgrep -x lan-mouse")
+        mock_run.assert_called_once_with(["pgrep", "-x", "lan-mouse"])
 
 
 # ---------------------------------------------------------------------------
@@ -288,7 +285,7 @@ class TestActivate:
     def test_success(self, mock_run):
         mock_run.return_value = _make_run_result("", returncode=0)
         assert lan_mouse.activate(0) is True
-        mock_run.assert_called_once_with("lan-mouse cli activate 0")
+        mock_run.assert_called_once_with(["lan-mouse", "cli", "activate", "0"])
 
     @patch("lan_mouse._run")
     def test_failure(self, mock_run):
@@ -304,15 +301,15 @@ def test_timeout(self, mock_run):
     def test_custom_bin_path(self, mock_run):
         mock_run.return_value = _make_run_result("", returncode=0)
         lan_mouse.activate(3, "/opt/lm")
-        mock_run.assert_called_once_with("/opt/lm cli activate 3")
+        mock_run.assert_called_once_with(["/opt/lm", "cli", "activate", "3"])
 
 
 class TestDeactivate:
     @patch("lan_mouse._run")
     def test_success(self, mock_run):
         mock_run.return_value = _make_run_result("", returncode=0)
         assert lan_mouse.deactivate(1) is True
-        mock_run.assert_called_once_with("lan-mouse cli deactivate 1")
+        mock_run.assert_called_once_with(["lan-mouse", "cli", "deactivate", "1"])
 
     @patch("lan_mouse._run")
     def test_failure(self, mock_run):
@@ -361,26 +358,33 @@ def test_custom_bin_without_uwsm(self, _mock):
 
 class TestLaunch:
     @patch("subprocess.Popen")
-    @patch("lan_mouse._host_cmd", side_effect=lambda c: c)
+    @patch("lan_mouse._IN_FLATPAK", False)
     @patch("lan_mouse._resolve_launch_cmd", return_value="uwsm-app -- lan-mouse")
-    def test_auto_detect(self, _resolve, _host, mock_popen):
+    def test_auto_detect(self, _resolve, mock_popen):
         lan_mouse.launch()
         mock_popen.assert_called_once()
-        assert mock_popen.call_args[0][0] == "uwsm-app -- lan-mouse"
+        assert mock_popen.call_args[0][0] == ["uwsm-app", "--", "lan-mouse"]
 
     @patch("subprocess.Popen")
-    @patch("lan_mouse._host_cmd", side_effect=lambda c: c)
-    def test_custom_command(self, _host, mock_popen):
+    @patch("lan_mouse._IN_FLATPAK", False)
+    def test_custom_command(self, mock_popen):
         lan_mouse.launch("my-custom-launcher")
         mock_popen.assert_called_once()
-        assert mock_popen.call_args[0][0] == "my-custom-launcher"
+        assert mock_popen.call_args[0][0] == ["my-custom-launcher"]
 
     @patch("subprocess.Popen")
-    @patch("lan_mouse._host_cmd", side_effect=lambda c: c)
+    @patch("lan_mouse._IN_FLATPAK", False)
     @patch("lan_mouse._resolve_launch_cmd", return_value="lan-mouse")
-    def test_whitespace_command_uses_auto(self, _resolve, _host, mock_popen):
+    def test_whitespace_command_uses_auto(self, _resolve, mock_popen):
         lan_mouse.launch("   ")
-        assert mock_popen.call_args[0][0] == "lan-mouse"
+        assert mock_popen.call_args[0][0] == ["lan-mouse"]
+
+    @patch("subprocess.Popen")
+    @patch("lan_mouse._IN_FLATPAK", True)
+    @patch("lan_mouse._resolve_launch_cmd", return_value="lan-mouse")
+    def test_flatpak_prepends_host_prefix(self, _resolve, mock_popen):
+        lan_mouse.launch()
+        assert mock_popen.call_args[0][0] == ["flatpak-spawn", "--host", "lan-mouse"]
 
 
 # ---------------------------------------------------------------------------
@@ -395,7 +399,7 @@ class TestKill:
     def test_kill_success_immediate(self, mock_run, mock_sleep, mock_running):
         mock_run.return_value = _make_run_result("", returncode=0)
         assert lan_mouse.kill() is True
-        mock_run.assert_called_once_with("pkill -x lan-mouse")
+        mock_run.assert_called_once_with(["pkill", "-x", "lan-mouse"])
         mock_sleep.assert_not_called()
 
     @patch("time.sleep")
@@ -433,7 +437,7 @@ def test_kill_process_never_exits(self, mock_run, mock_sleep, mock_running):
     def test_kill_custom_bin_path(self, mock_run, mock_sleep, mock_running):
         mock_run.return_value = _make_run_result("", returncode=0)
         lan_mouse.kill("/usr/local/bin/lan-mouse")
-        mock_run.assert_called_once_with("pkill -x lan-mouse")
+        mock_run.assert_called_once_with(["pkill", "-x", "lan-mouse"])
 
 
 # ---------------------------------------------------------------------------