fix(dotfiles): sanitize remote branch name before git reset --hard

Branch names resolved from git rev-parse or symbolic-ref (which may
follow the network-supplied remote HEAD) are now rejected when they
start with '-' or contain '..', both of which git would misparse as
flags or path expressions. Falls back to 'main' in those cases.

Author: fullstackjam

internal/dotfiles/dotfiles.go

@@ -90,6 +90,11 @@ func Clone(repoURL string, dryRun bool) error {
 			if branch == "" || branch == "HEAD" {
 				branch = "main"
 			}
+			// Reject branch names that could be misinterpreted as flags or path
+			// expressions by git — the remote HEAD ref comes from the network.
+			if strings.HasPrefix(branch, "-") || strings.Contains(branch, "..") {
+				branch = "main"
+			}
 			// Guard against silently discarding local uncommitted changes.
 			if statusOut, err := exec.Command("git", "-C", dotfilesPath, "status", "--porcelain").Output(); err == nil && len(strings.TrimSpace(string(statusOut))) > 0 {
 				ui.Warn(fmt.Sprintf("Local uncommitted changes detected in %s", dotfilesPath))