From a54bcd706dcabc13ec072325f8d4c5d977ff2d4b Mon Sep 17 00:00:00 2001
From: root <root@DESKTOP-V9DGVF3.localdomain>
Date: Wed, 21 Jan 2026 02:59:24 +0400
Subject: [PATCH] fix: use array-based command execution to prevent injection

---
 src/cli/install.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cli/install.rs b/src/cli/install.rs
index ba03e5b..9bb02e4 100644
--- a/src/cli/install.rs
+++ b/src/cli/install.rs
@@ -380,7 +380,7 @@ if __name__ == "__main__":
             "matcher": "startup|resume",
             "hooks": [{
                 "type": "command",
-                "command": format!("python3 \"{}\"", watch_py.display()),
+                "command": ["python3", watch_py.to_string_lossy()],
                 "timeout": 10
             }]
         });
@@ -399,7 +399,7 @@ if __name__ == "__main__":
         let hook_entry = serde_json::json!({
             "hooks": [{
                 "type": "command",
-                "command": format!("python3 \"{}\"", kill_py.display()),
+                "command": ["python3", kill_py.to_string_lossy()],
                 "timeout": 10
             }]
         });