diff --git a/core.pf b/core.pf
index a2ecc4e..33980ed 100644
--- a/core.pf
+++ b/core.pf
@@ -162,7 +162,7 @@ end
 # --- MOK (Machine Owner Key) Management ---
 task os-mok-enroll
 describe Enroll host MOK for module signing
- shell bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}'
+ shell bash scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" "${MOK_DRY_RUN:-0}"
 end
 task os-mok-list-keys
@@ -172,7 +172,7 @@ end
 task secure-mok-new
 describe Generate new PhoenixGuard MOK keypair (use NAME and CN env)
- shell bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
+ shell bash scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"
 end
 # --- Module Signing ---
@@ -276,4 +276,3 @@ task test-cli-tui-all
 describe Run comprehensive CLI and TUI test suite
 shell bash scripts/testing/test-all-cli-tui.sh
 end
-
diff --git a/secure.pf b/secure.pf
index ff7f5b9..2e0c861 100644
--- a/secure.pf
+++ b/secure.pf
@@ -26,7 +26,7 @@ end
 task secure-mok-verify
 describe Verify MOK certificate details
- shell bash -lc 'scripts/mok-management/mok-verify.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"'
+ shell bash scripts/mok-management/mok-verify.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"
 end
 task secure-mok-find-enrolled
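Review bot: With the `bash -lc '...'` wrapper gone, the `${MOK_CERT_PEM:-…}` defaults and the double quotes on the new `shell` line in `os-mok-enroll` are no longer interpreted by a bash that this file starts explicitly, but by whatever pf uses to run a `shell` line, which the diff does not show. If that layer does not perform POSIX parameter expansion, `enroll-mok.sh` would receive the literal `${…}` strings as certificate paths, so this is worth confirming with a `MOK_DRY_RUN` run before a real enrollment. Dropping `-l` also means login profile files are no longer sourced, which narrows what can influence a key-enrollment run but requires that the scripts find their tools without a profile-provided PATH. I would record the assumption next to the task, e.g. `# shell lines are expanded by pf's shell; scripts must not rely on a login-profile PATH`. The same applies to the other rewritten `shell` lines in this file and in secure.pf.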
@@ -36,15 +36,15 @@ end
 task secure-enroll-mok
 describe Enroll PhoenixGuard MOK certificate
- shell bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}'
+ shell bash scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" "${MOK_DRY_RUN:-0}"
 end
 # Note: secure-mok-new moved to core.pf to avoid duplication
 task secure-mok-enroll-new
 describe Generate + enroll PhoenixGuard MOK (reboot to complete)
- shell bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
- shell bash -lc 'scripts/mok-management/enroll-mok.sh "out/keys/${NAME:-PGMOK}.crt" "out/keys/${NAME:-PGMOK}.der" ${MOK_DRY_RUN:-0}'
+ shell bash scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"
+ shell bash scripts/mok-management/enroll-mok.sh "out/keys/${NAME:-PGMOK}.crt" "out/keys/${NAME:-PGMOK}.der" "${MOK_DRY_RUN:-0}"
 end
 task secure-keys-centralize
@@ -64,10 +64,10 @@ end
 task secure-unenroll-mok
 describe Remove PhoenixGuard MOK certificate
- shell bash -lc 'scripts/mok-management/unenroll-mok.sh "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"'
+ shell bash scripts/mok-management/unenroll-mok.sh "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"
 end
 task secure-der-extract
 describe Convert DER/PKCS#12 bundle into PEM cert and key (set DER_PATH, OUT_DIR, NAME)
- shell bash -lc 'scripts/secure-boot/der-extract.sh "${DER_PATH:-}" "${OUT_DIR:-out/keys}" "${NAME:-PGMOK}"'
+ shell bash scripts/secure-boot/der-extract.sh "${DER_PATH:-}" "${OUT_DIR:-out/keys}" "${NAME:-PGMOK}"
 end
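Review bot: In `secure-mok-enroll-new` the enroll step reads `out/keys/${NAME:-PGMOK}.crt` and `.der`, while every other task on this page defaults to `out/keys/mok/PGMOK.crt` and `out/keys/mok/PGMOK.der`; the rewrite carries that difference over unchanged. `mok-new.sh` is not shown, so its output directory cannot be confirmed here, but if it writes under `out/keys/mok/` this task would either fail or enroll whatever older certificate happens to sit directly in `out/keys/`. The two steps are also separate `shell` lines, so it is worth confirming that pf stops the task when `mok-new.sh` fails rather than going on to enroll a stale file. If the `mok/` directory is the intended location, the second line would become `shell bash scripts/mok-management/enroll-mok.sh "out/keys/mok/${NAME:-PGMOK}.crt" "out/keys/mok/${NAME:-PGMOK}.der" "${MOK_DRY_RUN:-0}"`.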
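Review bot: `secure-der-extract` passes `"${DER_PATH:-}"`, so an unset `DER_PATH` reaches `der-extract.sh` as an empty first argument and the task relies on the script, which is not shown, to reject it. The describe line says the task emits a PEM key, so failing before the script starts is the safer default: `"${DER_PATH:?set DER_PATH to the DER/PKCS#12 bundle}"` aborts with a message when the variable is unset or empty, assuming the line is expanded by a POSIX shell. It would also be worth checking that the script creates the extracted key file with owner-only permissions under `OUT_DIR`, which cannot be verified from this hunk.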