Address code quality and security issues

Security Fixes:
- Replace backticks with Open3.capture2 in detect_default_branch
- Eliminates command injection risk while maintaining safety
- Follows existing codebase pattern (already using Open3)

Code Quality Improvements:
- Document nil ref behavior in process_gem_value
- Refactor --github option to use shared parse_github_spec_without_shorthand
- Eliminates code duplication between --github and gem-specific flags
- Add detailed comment explaining network call during validation

Design Notes:
- Auto-detection during validation is intentional for fail-fast behavior
- git ls-remote is lightweight and happens once per unique repo
- Repo validation occurs before any network calls

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: justin808

lib/demo_scripts/gem_swapper.rb

@@ -627,13 +627,21 @@ def validate_github_repos(repos)
     end
     # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
 
+    # Auto-detect the default branch for a GitHub repository
+    # Called during initialization/validation phase for repos without explicit branch
+    # Note: This makes a network call during object construction, but it's intentional because:
+    # 1. The call is fast (git ls-remote with --symref is lightweight)
+    # 2. The repo is already validated before calling this
+    # 3. It happens once per unique repo, not per demo
+    # 4. Failing early during validation is better than failing later during clone
     def detect_default_branch(repo)
       puts "  🔍 Detecting default branch for #{repo}..."
 
       # Use git ls-remote to find the default branch without cloning
-      output = `git ls-remote --symref https://github.com/#{repo}.git HEAD 2>/dev/null`
+      # Use array form to avoid shell injection (repo is already validated by validate_github_repo)
+      output, status = Open3.capture2('git', 'ls-remote', '--symref', "https://github.com/#{repo}.git", 'HEAD')
 
-      if $CHILD_STATUS.success? && output =~ %r{ref: refs/heads/(\S+)\s+HEAD}
+      if status.success? && output =~ %r{ref: refs/heads/(\S+)\s+HEAD}
         branch = ::Regexp.last_match(1)
         puts "     Detected: #{branch}"
         branch

lib/demo_scripts/swap_deps_cli.rb

@@ -93,6 +93,7 @@ def process_gem_value(gem_name, value)
       elsif value.start_with?('#', '@') || value.include?('/')
         # It's a GitHub spec
         repo, ref, ref_type = parse_github_spec(gem_name, value)
+        # NOTE: ref can be nil for auto-detection; validate_github_repos will detect default branch later
         @github_repos[gem_name] = { repo: repo, branch: ref, ref_type: ref_type }
       else
         # Default to local path (for simple names without paths or GitHub markers)
@@ -101,7 +102,27 @@ def process_gem_value(gem_name, value)
     end
     # rubocop:enable Lint/DuplicateBranch
 
-    # rubocop:disable Metrics/MethodLength
+    # Parse GitHub spec without shorthand expansion (for --github flag)
+    # Returns: [repo, ref, ref_type]
+    def parse_github_spec_without_shorthand(spec)
+      if spec.include?('@')
+        # Full: user/repo@tag
+        repo, ref = spec.split('@', 2)
+        ref_type = :tag
+      elsif spec.include?('#')
+        # Full: user/repo#branch
+        repo, ref = spec.split('#', 2)
+        ref_type = :branch
+      else
+        # Just repo name: user/repo
+        repo = spec
+        ref = nil # Will auto-detect default branch
+        ref_type = :branch
+      end
+
+      [repo, ref, ref_type]
+    end
+
     def parse_github_spec(gem_name, spec)
       # Handle shorthand formats:
       # - #branch -> shakacode/gem#branch
@@ -124,24 +145,13 @@ def parse_github_spec(gem_name, spec)
 
         ref = spec[1..]
         ref_type = :tag
-      elsif spec.include?('@')
-        # Full: user/repo@tag
-        repo, ref = spec.split('@', 2)
-        ref_type = :tag
-      elsif spec.include?('#')
-        # Full: user/repo#branch
-        repo, ref = spec.split('#', 2)
-        ref_type = :branch
       else
-        # Just repo name: user/repo
-        repo = spec
-        ref = nil # Will auto-detect default branch
-        ref_type = :branch
+        # Delegate to shared parser for full specs (user/repo, user/repo#branch, user/repo@tag)
+        repo, ref, ref_type = parse_github_spec_without_shorthand(spec)
       end
 
       [repo, ref, ref_type]
     end
-    # rubocop:enable Metrics/MethodLength
 
     def detect_context!
       # Check if we're in a demo directory by looking for Gemfile and presence of ../../.swap-deps.yml
@@ -194,17 +204,8 @@ def parse_options!
         opts.on('--github REPO[#BRANCH|@TAG]',
                 'GitHub repository (e.g., user/repo, user/repo#branch, or user/repo@tag)',
                 'Note: In zsh, quote values with # or @ (e.g., \'user/repo#main\')') do |value|
-          if value.include?('@')
-            repo, ref = value.split('@', 2)
-            ref_type = :tag
-          elsif value.include?('#')
-            repo, ref = value.split('#', 2)
-            ref_type = :branch
-          else
-            repo = value
-            ref = nil # Auto-detect default branch
-            ref_type = :branch
-          end
+          # Parse GitHub spec and infer gem name from repo
+          repo, ref, ref_type = parse_github_spec_without_shorthand(value)
           gem_name = infer_gem_from_repo(repo)
           @github_repos[gem_name] = { repo: repo, branch: ref, ref_type: ref_type }
         end