
refactor: use subprocess.run instead of shell for process invocation #18

Open

deepsource-autofix[bot] wants to merge 2 commits into master from deepsource-autofix-32b4681e

Conversation

@deepsource-autofix

This PR refactors the code to eliminate the use of shell-based process execution and improve security by switching to the subprocess module. All instances of os.system and shell-constructed commands have been replaced with subprocess.run using explicit argument lists and check=True for robust error handling.

  • Starting a process with a shell detected: Detected use of os.system and shell interpolation leading to potential command injection. The fix adds imports for subprocess, replaces os.system calls with subprocess.run calls that accept a list of arguments, and refactors echo, touch, sam validate, sam build, and sam package commands into list-based invocations. Dynamic option handling (e.g., --debug, --force-upload, --s3-repo) has been moved into Python logic rather than shell concatenation to ensure no untrusted input enters a shell interpreter.

This Autofix was generated by AI. Please review the change before merging.

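The pattern the PR description summarizes, shown side by side as an added illustration (this is not the repository's code and not the bot's patch): a string-built command of the kind `os.system` would hand to `/bin/sh`, next to the argv-list form with flags appended by Python logic and `check=True` on the call. The `sam package` subcommand and the `--debug`, `--force-upload` and `--s3-repo` options are the ones named in the PR text; the function names, the bucket value and the use of a Python child process in place of `echo` are assumptions made for the example so it runs without `sam` or coreutils installed. The string-building function is kept only for contrast and is never executed.

```python
"""Shell-free process invocation: vulnerable string form vs. argv-list form.
Illustrative code, not the project's own."""
import subprocess
import sys
from typing import List, Optional


# --- Before: the shape of code the PR removes (for contrast only, never run) ---
def unsafe_sam_package(bucket: str, debug: bool, force_upload: bool) -> str:
    """Build a command *string* of the kind os.system() would pass to /bin/sh.
    Every interpolated value is re-parsed by the shell, so a value containing
    shell metacharacters changes what the command means."""
    cmd = f"sam package --s3-bucket {bucket}"
    if debug:
        cmd += " --debug"
    if force_upload:
        cmd += " --force-upload"
    return cmd  # the original would have done os.system(cmd); deliberately not called here


# --- After: explicit argv list, options decided in Python, check=True ---
def build_sam_package_argv(bucket: str, debug: bool = False,
                           force_upload: bool = False,
                           s3_repo: Optional[str] = None) -> List[str]:
    """Return argv for `sam package`. Each value is one list element that no
    shell ever parses; flags are appended by Python logic, not concatenated.
    (Option names are the ones mentioned in the PR text; the helper is hypothetical.)"""
    argv = ["sam", "package", "--s3-bucket", bucket]
    if debug:
        argv.append("--debug")
    if force_upload:
        argv.append("--force-upload")
    if s3_repo is not None:
        argv += ["--s3-repo", s3_repo]
    return argv


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Run without a shell. check=True turns a non-zero exit into
    CalledProcessError instead of an os.system() return code nobody inspects."""
    return subprocess.run(argv, check=True, capture_output=True, text=True)


def echo_via_argv(value: str) -> str:
    """Stand-in for the PR's `echo` call that needs no coreutils: a Python
    child process prints its first argument exactly as the parent passed it."""
    result = run_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", value])
    return result.stdout.rstrip("\n")


def exit_code_of(code: int) -> int:
    """Demonstrate check=True: a failing child raises, and the exception
    carries the child's return code; a clean exit returns 0."""
    try:
        run_argv([sys.executable, "-c", f"import sys; sys.exit({int(code)})"])
    except subprocess.CalledProcessError as exc:
        return exc.returncode
    return 0


if __name__ == "__main__":
    hostile = "my-bucket; echo INJECTED"  # constructed sample input, not a real bucket
    print("string form:", unsafe_sam_package(hostile, debug=True, force_upload=False))
    print("argv form  :", build_sam_package_argv(hostile, debug=True))
    print("child saw  :", repr(echo_via_argv(hostile)))
    print("exit code  :", exit_code_of(3))
```

Running the block shows the difference the PR is after: in the string form the bucket value is spliced into text a shell would tokenize, while in the argv form the same value stays a single element and the child process receives it verbatim. The `exit_code_of` helper is there because `check=True` is the other half of the change: a failed `sam build` or `sam package` now surfaces as an exception rather than a return value that is easy to ignore.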

deepsource-io Bot commented Feb 2, 2026

Here's the code health analysis summary for commits 19561e9..6dff4c8. View details on DeepSource ↗.

Analysis Summary

| Analyzer   | Status     | Summary                                                 | Link         |
|------------|------------|---------------------------------------------------------|--------------|
| Secrets    | ✅ Success |                                                         | View Check ↗ |
| Python     | ❌ Failure | ❗ 8 occurrences introduced, 🎯 14 occurrences resolved | View Check ↗ |
| JavaScript | ✅ Success |                                                         | View Check ↗ |

DeepSource Report Card: C

| Dimension   | Grade | Issues |
|-------------|-------|--------|
| Security    | D     | ⚠️     |
| Reliability | A     | 0      |
| Complexity  | A     | 1      |
| Hygiene     | D     | 5      |

Focus area: Security — Fix unsanitized S3 object key in `backend/functions/processing/feedback_uploads.py`.

Grade capped at C due to critical security issue

View full report →

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

Added import for random module.

Signed-off-by: Sanket Saurav <sanket@deepsource.io>