Improve pull request flow, add branch selection for worktree creation, fix auto-mode concurrency count (#787)

* Changes from fix/fetch-before-pull-fetch

* feat: Improve pull request flow, add branch selection for worktree creation, fix for automode concurrency count

* feat: Add validation for remote names and improve error handling

* Address PR comments and mobile layout fixes

* ```
refactor: Extract PR target resolution logic into dedicated service
```

* feat: Add app shell UI and improve service imports. Address PR comments

* fix: Improve security validation and cache handling in git operations

* feat: Add GET /list endpoint and improve parameter handling

* chore: Improve validation, accessibility, and error handling across apps

* chore: Format vite server port configuration

* fix: Add error handling for gh pr list command and improve offline fallbacks

* fix: Preserve existing PR creation time and improve remote handling

libs/types/src/settings.ts

@@ -1444,6 +1444,21 @@ export interface ProjectSettings {
    */
   defaultFeatureModel?: PhaseModelEntry;
 
+  // Terminal Quick Scripts (per-project)
+  /**
+   * Quick-access terminal scripts shown in the terminal header dropdown.
+   * Each script is a command that can be run with one click.
+   * Examples: "npm run dev", "npm run test", "npm run lint", "npm run format"
+   */
+  terminalScripts?: Array<{
+    /** Unique identifier for this script */
+    id: string;
+    /** Display name shown in the dropdown menu */
+    name: string;
+    /** The command to execute in the terminal */
+    command: string;
+  }>;
+
   // Terminal Configuration Override (per-project)
   /** Project-specific terminal config overrides */
   terminalConfig?: {
@@ -1514,8 +1529,8 @@ export const DEFAULT_PHASE_MODELS: PhaseModelConfig = {
 export const SETTINGS_VERSION = 6;
 /** Current version of the credentials schema */
 export const CREDENTIALS_VERSION = 1;
-/** Current version of the project settings schema */
-export const PROJECT_SETTINGS_VERSION = 1;
+/** Current version of the project settings schema (bumped for terminalScripts field) */
+export const PROJECT_SETTINGS_VERSION = 2;
 
 /** Default maximum concurrent agents for auto mode */
 export const DEFAULT_MAX_CONCURRENCY = 1;

libs/utils/src/git-validation.ts

@@ -41,3 +41,33 @@ export function isValidBranchName(name: string): boolean {
   // Must be within the length limit.
   return /^[a-zA-Z0-9._/][a-zA-Z0-9._\-/]*$/.test(name) && name.length < MAX_BRANCH_NAME_LENGTH;
 }
+
+/**
+ * Validate git remote name to prevent command injection.
+ * Matches the strict validation used in add-remote.ts:
+ * - Rejects empty strings and names that are too long
+ * - Disallows names that start with '-' or '.'
+ * - Forbids the substring '..'
+ * - Rejects '/' characters
+ * - Rejects NUL bytes
+ * - Must consist only of alphanumerics, hyphens, underscores, and dots
+ *
+ * @param name - The remote name to validate
+ * @returns `true` when the name is safe to pass to git commands
+ *
+ * @example
+ * ```typescript
+ * isValidRemoteName('origin');       // true
+ * isValidRemoteName('upstream');     // true
+ * isValidRemoteName('-flag');        // false (starts with dash)
+ * isValidRemoteName('a/b');         // false (contains slash)
+ * ```
+ */
+export function isValidRemoteName(name: string): boolean {
+  if (!name || name.length >= MAX_BRANCH_NAME_LENGTH) return false;
+  if (name.startsWith('-') || name.startsWith('.')) return false;
+  if (name.includes('..')) return false;
+  if (name.includes('/')) return false;
+  if (name.includes('\0')) return false;
+  return /^[a-zA-Z0-9._-]+$/.test(name);
+}

libs/utils/src/index.ts

@@ -119,4 +119,4 @@ export {
 } from './debounce.js';
 
 // Git validation utilities
-export { isValidBranchName, MAX_BRANCH_NAME_LENGTH } from './git-validation.js';
+export { isValidBranchName, isValidRemoteName, MAX_BRANCH_NAME_LENGTH } from './git-validation.js';