@ohzw/worktree-command-tui 0.1.2 → 0.1.3

package/README.md

@@ -1,20 +1,27 @@
 # worktree-command-tui
 
-`worktree-command-tui` is a terminal UI (TUI) tool for operating multiple Git worktrees from one repository.
-It helps you inspect, start, and stop per-worktree processes with quick keyboard-driven workflows.
+`worktree-command-tui` is a terminal UI for managing Git worktrees from inside a repository.
+It keeps one active runtime session per namespace, lets you switch worktrees with the keyboard, and keeps logs/process cleanup tied to the repo's shared Git state.
 
 ## Features
 
-- List and monitor worktrees for the current repository
-- Start/stop worktree-specific commands
-- Keep process handling centralized for each session
-- Persist namespace-aware runtime state
-- Support JSONC config (with comments and trailing commas)
+- Discover worktrees from the current repository even when launched from a subdirectory
+- Start or switch the active worktree session with `Enter`
+- Stop the active session and clean up recorded orphan processes with `s`
+- Run an optional per-worktree setup command with `i`
+- Open the selected worktree in your editor with `e`
+- Open the selected branch's pull request in a browser with `o`
+- Delete a non-root worktree from the TUI with `d`, then confirm
+- Inspect branch, upstream, working tree, and pull request metadata in the detail pane
+- Tail ANSI-colored logs inline or in a full-screen log view
+- Generate and load JSONC config with comments and trailing commas
 
 ## Requirements
 
 - Node.js `>=20`
-- A Git repository in the target working directory
+- Git
+- A Git repository (additional linked worktrees optional)
+- Optional: GitHub CLI (`gh`) and a GitHub origin remote for pull request metadata and `o` / Open PR
 
 ## Installation
 
@@ -22,19 +29,24 @@ It helps you inspect, start, and stop per-worktree processes with quick keyboard
 npm install -g @ohzw/worktree-command-tui
 ```
 
-## Usage
+Installed binaries:
 
-### 1) Initialize configuration
+- `wctui`
+- `worktree-command-tui` (compatibility alias)
 
-Run this once in a repository root (or any subdirectory of the repository):
+## Quick start
+
+### 1) Initialize config
+
+Run this from the repo root or any subdirectory inside the repo:
 
 ```bash
 wctui init
 ```
 
-This creates `.worktree-command-tui.jsonc` with a sensible default configuration.
+This writes `.worktree-command-tui.jsonc` at the repository root.
 
-To regenerate an existing configuration:
+To overwrite an existing config:
 
 ```bash
 wctui init --force
@@ -46,46 +58,94 @@ wctui init --force
 wctui
 ```
 
-`worktree-command-tui` is still available as a compatibility alias.
+If config is missing, the CLI exits with a message telling you to run `wctui init`.
+
+## Keyboard shortcuts
+
+Primary shortcuts in the footer:
+
+- `↑↓` / `j` `k` — move selection
+- `Enter` — start or switch to selected worktree
+- `i` — run `setupCommand` when configured
+- `e` — open the selected worktree in the configured editor when `editorCommand` is configured
+- `o` — open the selected worktree's pull request when GitHub metadata is available
+- `d` — arm worktree deletion
+- `L` — open full-screen logs
+- `s` — stop active session
+- `r` — refresh worktree metadata
+- `?` — show help
+- `q` — quit
+
+Additional shortcuts from the help window:
+
+- `g` / `G` — jump to first / last worktree
+- `[` / `]` — scroll logs
+- `PageUp` / `PageDn` — page the selection list
+- Mouse wheel — scroll the pane under the cursor
+- `d` / `y` — confirm delete after arming it
+- `Esc` / `n` / `q` — cancel delete confirmation
+
+## Security and network behavior
+
+`wctui` executes the argv commands stored in `.worktree-command-tui.jsonc` when you press the matching keys. Treat repository config as trusted code:
 
-If no configuration file is found, the CLI will prompt you to run `wctui init`.
+- `Enter` starts `command` in the selected worktree.
+- `i` runs `setupCommand`; package-manager install commands may run dependency lifecycle scripts.
+- `e` runs `editorCommand` with the selected worktree path appended.
+
+Review config before using those actions in an untrusted repository or worktree.
+
+The TUI also reads pull request metadata with the GitHub CLI when `remote.origin.url` points at `github.com`. This uses `gh api`, your existing `gh` authentication, and a short timeout. Non-GitHub remote hosts are ignored by default.
 
 ## Configuration
 
-The tool reads these files in this order:
+The tool looks for config in this order:
 
 1. `.worktree-command-tui.jsonc`
 2. `.worktree-command-tui.json`
 
-A minimal example of the generated config:
+Example config:
 
 ```jsonc
 {
-  // Session namespace used for logs/state
+  // Session namespace used for git-common-dir state files and logs.
   "namespace": "worktree-command-tui",
-  // Command executed in each selected worktree
-  "command": ["npm", "run", "start"],
-  // Optional setup command run manually in the selected worktree
+
+  // Command launched in the selected worktree.
+  "command": ["npm", "run", "dev"],
+
+  // Optional command run manually with the setup key in the selected worktree.
   "setupCommand": ["npm", "install"],
-  // Port used for cleanup/monitoring
+
+  // Optional command that opens the selected worktree path in an editor.
+  // The selected worktree path is appended as the final argv entry.
+  "editorCommand": ["code"],
+
+  // TCP port owned by the command, used when stopping stale/orphaned processes.
   "port": 3000,
-  // Required files that must exist in a worktree
+
+  // Files that must exist in a worktree before the command can be started there.
   "requiredFiles": ["package.json"],
-  // Optional command substrings considered orphaned processes
+
+  // Extra process command-line substrings treated as orphans for cleanup.
   "orphanMatchers": []
 }
 ```
 
-When `setupCommand` is configured, press `i` in the TUI to run it for the selected worktree.
-It is never run automatically when switching worktrees.
+Notes:
+
+- `setupCommand` is optional and never runs automatically; `i` only appears when it is configured
+- `editorCommand` is optional; when set, the selected worktree path is appended to the argv and `e` becomes available
+- The generated default config auto-detects package manager hints from `packageManager` or common lockfiles and chooses a default script such as `dev`, `start`, or `serve`
+- Session records and logs are stored under the repository's Git common dir, so they are shared across worktrees in the same repo
 
 ## Development
 
 ```bash
 npm install
-npm run test          # Run test suite
-npm run typecheck     # Run TypeScript type-check
-npm run build         # Build distributable output to dist/
+npm test
+npm run typecheck
+npm run build
 ```
 
 ## License

package/dist/app.js

@@ -10,6 +10,7 @@ import { FloatingLogWindow } from './components/FloatingLogWindow.js';
 import { LogPanel, buildLogLines } from './components/LogPanel.js';
 import { WorktreeList } from './components/WorktreeList.js';
 import { clampSelectionIndex, decideEnterInteraction, decideSetupInteraction, getNextSelectedPath, getSelectedIndex } from './core/tui-interaction.js';
+import { sanitizeInlineText } from './core/worktree-projection.js';
 const ENABLE_MOUSE_TRACKING = '\u001B[?1000h\u001B[?1006h';
 const DISABLE_MOUSE_TRACKING = '\u001B[?1000l\u001B[?1006l';
 function parseMouseWheelEvents(input) {
@@ -536,20 +537,25 @@ export function App({ initialModel, actions, windowSizeOverride, }) {
     if (isHelpOverlayOpen) {
         return (_jsx(HelpWindow, { setupAvailable: model.setupAvailable, editorAvailable: model.editorAvailable, width: Math.max(1, rootWidth - 1), height: rootHeight }));
     }
+    const safeActiveBranch = model.activeBranch === null ? '-' : sanitizeInlineText(model.activeBranch);
+    const safeSelectedBranch = selected === undefined ? '-' : sanitizeInlineText(selected.branch);
+    const safeVisibleStatusMessage = sanitizeInlineText(visibleStatus.message);
+    const safeModelStatusMessage = sanitizeInlineText(model.status.message);
+    const safeCompletedAlert = completedAlert === null ? null : sanitizeInlineText(completedAlert);
     if (isLogOverlayOpen) {
         return (_jsx(FloatingLogWindow, { logs: model.logs, width: Math.max(1, rootWidth - 1), height: rootHeight, scrollOffset: logScrollOffset }));
     }
     if (minimalLayout) {
-        return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsxs(Text, { bold: true, color: "green", wrap: "truncate-end", children: ["A:", model.activeBranch ?? '-'] }), rootHeight >= 2 ? _jsxs(Text, { wrap: "truncate-end", children: ["S:", selected?.branch ?? '-'] }) : null, rootHeight >= 3 ? _jsx(Text, { wrap: "truncate-end", children: confirmationOpen ? `D:${visibleStatus.message}` : `T:${model.status.kind}` }) : null, rootHeight >= 4 ? (confirmationOpen
+        return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsxs(Text, { bold: true, color: "green", wrap: "truncate-end", children: ["A:", safeActiveBranch] }), rootHeight >= 2 ? _jsxs(Text, { wrap: "truncate-end", children: ["S:", safeSelectedBranch] }) : null, rootHeight >= 3 ? _jsx(Text, { wrap: "truncate-end", children: confirmationOpen ? `D:${safeVisibleStatusMessage}` : `T:${model.status.kind}` }) : null, rootHeight >= 4 ? (confirmationOpen
                     ? _jsx(Text, { dimColor: true, wrap: "truncate-end", children: "d/y confirm \u00B7 Esc/n/q cancel" })
                     : _jsxs(Text, { dimColor: true, wrap: "truncate-end", children: ["\u2191\u2193jk\u21B5", model.setupAvailable ? 'i' : '', model.editorAvailable ? 'e' : '', "odLq"] })) : null] }));
     }
     if (compactLayout) {
-        return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsxs(Text, { bold: true, color: "green", wrap: "truncate-end", children: ["Active: ", model.activeBranch ?? '-'] }), _jsxs(Text, { wrap: "truncate-end", children: ["Selected: ", selected?.branch ?? '-'] }), completedAlert
-                    ? _jsxs(Text, { color: "green", wrap: "truncate-end", children: ["\u2714 ", completedAlert] })
-                    : model.status.kind === 'setting-up' || model.status.kind === 'starting' || model.status.kind === 'stopping' ? (_jsx(Spinner, { label: `Status: ${model.status.kind} — ${model.status.message}` })) : (_jsxs(Text, { wrap: "truncate-end", children: ["Status: ", visibleStatus.kind, " \u2014 ", visibleStatus.message] })), _jsx(Text, { dimColor: true, wrap: "truncate-end", children: confirmationOpen
+        return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsxs(Text, { bold: true, color: "green", wrap: "truncate-end", children: ["Active: ", safeActiveBranch] }), _jsxs(Text, { wrap: "truncate-end", children: ["Selected: ", safeSelectedBranch] }), safeCompletedAlert
+                    ? _jsxs(Text, { color: "green", wrap: "truncate-end", children: ["\u2714 ", safeCompletedAlert] })
+                    : model.status.kind === 'setting-up' || model.status.kind === 'starting' || model.status.kind === 'stopping' ? (_jsx(Spinner, { label: `Status: ${model.status.kind} — ${safeModelStatusMessage}` })) : (_jsxs(Text, { wrap: "truncate-end", children: ["Status: ", visibleStatus.kind, " \u2014 ", safeVisibleStatusMessage] })), _jsx(Text, { dimColor: true, wrap: "truncate-end", children: confirmationOpen
                         ? 'Keys: d/y confirm | Esc/n/q cancel'
                         : `Keys: ↑↓/jk g/G ↵${model.setupAvailable ? ' i' : ''}${model.editorAvailable ? ' e' : ''} o d L s r q · Resize terminal for split view` })] }));
     }
-    return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsx(Header, { repoName: model.repoName, namespace: model.namespace, activeBranch: model.activeBranch }), _jsxs(Box, { flexDirection: stackedLayout ? 'column' : 'row', flexGrow: stackedLayout ? 0 : 1, flexShrink: 1, children: [_jsx(WorktreeList, { rows: model.rows, selectedIndex: selectedIndex, width: stackedLayout ? bodyWidth : listWidth, height: paneHeight, stacked: stackedLayout, scrollOffset: worktreeScrollOffset }), _jsx(ActionPanel, { selectedRow: selected, activePath: model.activePath, setupAvailable: model.setupAvailable, stacked: stackedLayout, width: stackedLayout ? bodyWidth : actionWidth, height: paneHeight, compactDetails: compactDetailPane, scrollOffset: selectionScrollOffset })] }), showLogPanel ? _jsx(LogPanel, { logs: model.logs, width: bodyWidth, height: logPaneHeight, scrollOffset: logScrollOffset }) : null, _jsx(ContextBar, { status: visibleStatus, setupAvailable: model.setupAvailable, editorAvailable: model.editorAvailable, confirmationOpen: confirmationOpen }), completedAlert ? (_jsx(Box, { position: "absolute", top: 1, right: 2, children: _jsx(Alert, { variant: "success", children: completedAlert }) })) : null] }));
+    return (_jsxs(Box, { width: rootWidth, height: rootHeight, flexDirection: "column", children: [_jsx(Header, { repoName: model.repoName, namespace: model.namespace, activeBranch: model.activeBranch }), _jsxs(Box, { flexDirection: stackedLayout ? 'column' : 'row', flexGrow: stackedLayout ? 0 : 1, flexShrink: 1, children: [_jsx(WorktreeList, { rows: model.rows, selectedIndex: selectedIndex, width: stackedLayout ? bodyWidth : listWidth, height: paneHeight, stacked: stackedLayout, scrollOffset: worktreeScrollOffset }), _jsx(ActionPanel, { selectedRow: selected, activePath: model.activePath, setupAvailable: model.setupAvailable, stacked: stackedLayout, width: stackedLayout ? bodyWidth : actionWidth, height: paneHeight, compactDetails: compactDetailPane, scrollOffset: selectionScrollOffset })] }), showLogPanel ? _jsx(LogPanel, { logs: model.logs, width: bodyWidth, height: logPaneHeight, scrollOffset: logScrollOffset }) : null, _jsx(ContextBar, { status: visibleStatus, setupAvailable: model.setupAvailable, editorAvailable: model.editorAvailable, confirmationOpen: confirmationOpen }), safeCompletedAlert ? (_jsx(Box, { position: "absolute", top: 1, right: 2, children: _jsx(Alert, { variant: "success", children: safeCompletedAlert }) })) : null] }));
 }

package/dist/components/ContextBar.js

@@ -2,6 +2,7 @@ import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import React from 'react';
 import { Box, Text } from 'ink';
 import { Spinner } from '@inkjs/ui';
+import { sanitizeInlineText } from '../core/worktree-projection.js';
 const KIND_TO_ICON = {
     idle: 'ℹ',
     starting: '⚠',
@@ -41,5 +42,6 @@ function buildKeyHints(setupAvailable, editorAvailable, confirmationOpen) {
 export function ContextBar({ status, setupAvailable, editorAvailable, confirmationOpen, }) {
     const isBusy = status.kind === 'setting-up' || status.kind === 'starting' || status.kind === 'stopping';
     const keyHints = buildKeyHints(setupAvailable, editorAvailable, confirmationOpen);
-    return (_jsxs(Box, { borderStyle: "round", borderColor: KIND_TO_COLOR[status.kind], flexDirection: "column", paddingX: 1, children: [isBusy ? (_jsx(Spinner, { label: `Status: ${status.kind} — ${status.message}` })) : (_jsxs(Text, { color: KIND_TO_COLOR[status.kind], wrap: "truncate-end", children: [KIND_TO_ICON[status.kind], " Status: ", status.kind, " \u2014 ", status.message] })), _jsx(Text, { wrap: "truncate-end", children: keyHints.map((hint, hintIndex) => (_jsxs(React.Fragment, { children: [hintIndex === 0 ? null : _jsx(Text, { dimColor: true, children: " | " }), _jsx(Text, { color: "white", children: hint.binding }), _jsxs(Text, { dimColor: true, children: [" ", hint.label] })] }, hint.binding))) })] }));
+    const statusMessage = sanitizeInlineText(status.message);
+    return (_jsxs(Box, { borderStyle: "round", borderColor: KIND_TO_COLOR[status.kind], flexDirection: "column", paddingX: 1, children: [isBusy ? (_jsx(Spinner, { label: `Status: ${status.kind} — ${statusMessage}` })) : (_jsxs(Text, { color: KIND_TO_COLOR[status.kind], wrap: "truncate-end", children: [KIND_TO_ICON[status.kind], " Status: ", status.kind, " \u2014 ", statusMessage] })), _jsx(Text, { wrap: "truncate-end", children: keyHints.map((hint, hintIndex) => (_jsxs(React.Fragment, { children: [hintIndex === 0 ? null : _jsx(Text, { dimColor: true, children: " | " }), _jsx(Text, { color: "white", children: hint.binding }), _jsxs(Text, { dimColor: true, children: [" ", hint.label] })] }, hint.binding))) })] }));
 }

package/dist/components/Header.js

@@ -1,5 +1,9 @@
 import { jsxs as _jsxs } from "react/jsx-runtime";
 import { Box, Text } from 'ink';
+import { sanitizeInlineText } from '../core/worktree-projection.js';
 export function Header({ repoName, namespace, activeBranch, }) {
-    return (_jsxs(Box, { borderStyle: "round", borderColor: "blue", flexDirection: "column", paddingX: 1, children: [_jsxs(Text, { bold: true, color: "blue", wrap: "truncate-end", children: ["Worktree Command TUI \u00B7 Repo: ", repoName] }), _jsxs(Text, { color: "green", wrap: "truncate-end", children: ["Active: ", activeBranch ?? '-'] }), _jsxs(Text, { dimColor: true, wrap: "truncate-end", children: ["Namespace: ", namespace] })] }));
+    const safeRepoName = sanitizeInlineText(repoName);
+    const safeNamespace = sanitizeInlineText(namespace);
+    const safeActiveBranch = activeBranch === null ? '-' : sanitizeInlineText(activeBranch);
+    return (_jsxs(Box, { borderStyle: "round", borderColor: "blue", flexDirection: "column", paddingX: 1, children: [_jsxs(Text, { bold: true, color: "blue", wrap: "truncate-end", children: ["Worktree Command TUI \u00B7 Repo: ", safeRepoName] }), _jsxs(Text, { color: "green", wrap: "truncate-end", children: ["Active: ", safeActiveBranch] }), _jsxs(Text, { dimColor: true, wrap: "truncate-end", children: ["Namespace: ", safeNamespace] })] }));
 }

package/dist/components/LogPanel.js

@@ -1,5 +1,6 @@
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import { Box, Text } from 'ink';
+import { sanitizeInlineText } from '../core/worktree-projection.js';
 import { getScrollbarThumbRows, sliceTailViewport } from '../terminal/viewport.js';
 const ESCAPE = '\u001B';
 const CSI = '\u009B';
@@ -241,7 +242,7 @@ export function buildLogLines(logs) {
         if (index > 0) {
             lines.push(plainLine(' ', { dimColor: true }));
         }
-        lines.push(plainLine(`[${log.name}]`, { color: 'cyan' }));
+        lines.push(plainLine(`[${sanitizeInlineText(log.name)}]`, { color: 'cyan' }));
         lines.push(...parseLogContent(log.content.length > 0 ? log.content : '(empty)'));
     }
     return lines;

package/dist/core/command-runner.js

@@ -16,10 +16,11 @@ export function runCommandToLog({ command, cwd, logsDir, logFileBase, errorLabel
     let settled = false;
     const finalize = () => {
         if (settled) {
-            return;
+            return false;
         }
         settled = true;
         closeSync(fd);
+        return true;
     };
     const child = spawn(command[0], command.slice(1), {
         cwd,
@@ -27,11 +28,14 @@ export function runCommandToLog({ command, cwd, logsDir, logFileBase, errorLabel
         stdio: ['ignore', fd, fd],
     });
     child.once('error', error => {
-        finalize();
-        reject(error);
+        if (finalize()) {
+            reject(error);
+        }
     });
     child.once('exit', (code, signal) => {
-        finalize();
+        if (!finalize()) {
+            return;
+        }
         if (code === 0) {
             resolve({ logPath });
             return;
@@ -58,25 +62,29 @@ export function startDetachedCommand({ command, cwd, logsDir, logFileBase, }) {
     });
     const finalize = () => {
         if (settled) {
-            return;
+            return false;
         }
         settled = true;
         closeSync(fd);
+        return true;
     };
     child.once('error', error => {
-        finalize();
-        reject(error);
+        if (finalize()) {
+            reject(error);
+        }
     });
     child.once('spawn', () => {
         const pid = child.pid;
         if (pid === undefined) {
-            finalize();
-            reject(new Error('spawn succeeded without pid'));
+            if (finalize()) {
+                reject(new Error('spawn succeeded without pid'));
+            }
             return;
         }
         child.unref();
-        finalize();
-        resolve({ pid, pgid: pid, logPath });
+        if (finalize()) {
+            resolve({ pid, pgid: pid, logPath });
+        }
     });
     return promise;
 }

package/dist/core/config-lifecycle.js

@@ -1,4 +1,4 @@
-import { readFile, writeFile } from 'node:fs/promises';
+import { readFile, stat, writeFile } from 'node:fs/promises';
 import path from 'node:path';
 import { CONFIG_FILE_NAME, CONFIG_FILE_NAMES, parseJsonc } from './config.js';
 const SAFE_NAMESPACE_PATTERN = /^[A-Za-z0-9._-]+$/u;
@@ -7,6 +7,7 @@ const LEADING_NAMESPACE_HYPHENS_PATTERN = /^-+/u;
 const TRAILING_NAMESPACE_HYPHENS_PATTERN = /-+$/u;
 const SAFE_NAMESPACE_DESCRIPTION = '[A-Za-z0-9._-]+';
 const DEFAULT_NAMESPACE = 'worktree-command-tui';
+const MAX_CONFIG_BYTES = 64 * 1024;
 function isNonEmptyString(value) {
     return typeof value === 'string' && value.length > 0;
 }
@@ -27,6 +28,15 @@ function readStringList(value, fieldName) {
     }
     return value;
 }
+function readOrphanMatchers(value) {
+    const matchers = readStringList(value, 'orphanMatchers');
+    for (const matcher of matchers) {
+        if (!/\S+\s+\S+/u.test(matcher)) {
+            throw new Error('orphanMatchers entries must include a command plus argument fragment');
+        }
+    }
+    return matchers;
+}
 function readRequiredCommand(value, fieldName) {
     if (!Array.isArray(value) || value.length === 0 || value.some(part => !isNonEmptyString(part))) {
         throw new Error(`${fieldName} must be a non-empty string array`);
@@ -61,7 +71,7 @@ export function validateToolConfig(raw) {
         editorCommand: readOptionalCommand(config.editorCommand, 'editorCommand'),
         port: readPort(config.port),
         requiredFiles: readStringList(config.requiredFiles, 'requiredFiles'),
-        orphanMatchers: readStringList(config.orphanMatchers, 'orphanMatchers'),
+        orphanMatchers: readOrphanMatchers(config.orphanMatchers),
     };
 }
 export function createDefaultToolConfig(options) {
@@ -75,11 +85,17 @@ export function createDefaultToolConfig(options) {
         orphanMatchers: [],
     });
 }
+async function readConfigFile(configPath) {
+    if ((await stat(configPath)).size > MAX_CONFIG_BYTES) {
+        throw new Error('config file is too large');
+    }
+    return readFile(configPath, 'utf8');
+}
 async function readFirstConfig(repoRoot) {
     let firstError;
     for (const fileName of CONFIG_FILE_NAMES) {
         try {
-            return await readFile(path.join(repoRoot, fileName), 'utf8');
+            return await readConfigFile(path.join(repoRoot, fileName));
         }
         catch (error) {
             firstError ??= error;
@@ -93,7 +109,7 @@ export async function loadToolConfig({ repoRoot }) {
 export function renderConfigJsonc(config) {
     const setupCommandSection = config.setupCommand === undefined ? '' : `
   // Optional command run manually with the setup key in the selected worktree.
-  // Useful for first-time dependency installation without doing it on every switch.
+  // Review before running in untrusted worktrees; package installs may run lifecycle scripts.
   "setupCommand": ${JSON.stringify(config.setupCommand)},
 `;
     const editorCommandSection = config.editorCommand === undefined ? '' : `
@@ -106,8 +122,8 @@ export function renderConfigJsonc(config) {
   // Keep this filesystem-safe: letters, numbers, dots, underscores, and hyphens only.
   "namespace": ${JSON.stringify(config.namespace)},
 
-  // Command launched in the selected worktree.
-  // Use argv form so spaces and shell metacharacters are passed safely.
+  // Command launched in the selected worktree when you press Enter.
+  // Treat this config as trusted code. argv form avoids shell metacharacter expansion.
   "command": ${JSON.stringify(config.command)},
 ${setupCommandSection}${editorCommandSection}
   // TCP port owned by the command, used when stopping stale/orphaned processes.
@@ -116,7 +132,8 @@ ${setupCommandSection}${editorCommandSection}
   // Files that must exist in a worktree before the command can be started there.
   "requiredFiles": ${JSON.stringify(config.requiredFiles)},
 
-  // Extra process command-line substrings treated as orphans for cleanup.
+  // Extra command-line substrings for cleanup within the recorded process group only.
+  // Include a command plus argument fragment; broad single-token matchers are rejected.
   // Example: ["node --watch", "vite --host 0.0.0.0"]
   "orphanMatchers": ${JSON.stringify(config.orphanMatchers)},
 }

package/dist/core/github-metadata.d.ts

@@ -1,3 +1,8 @@
+export interface GitHubRepository {
+    host: string;
+    owner: string;
+    name: string;
+}
 export type PullRequestInfo = {
     kind: 'found';
     number: number;
@@ -11,4 +16,6 @@ export type PullRequestInfo = {
 } | {
     kind: 'unavailable';
 };
+export declare function isGitHubMetadataHostAllowed(host: string): boolean;
+export declare function normalizePullRequestUrlForRepository(url: string, repository: GitHubRepository, number: number): string | null;
 export declare function readPullRequestInfo(cwd: string, branch: string): Promise<PullRequestInfo>;

package/dist/core/github-metadata.js

@@ -37,10 +37,28 @@ function parseGitHubRepositoryFromRemoteUrl(remoteUrl) {
     }
     return { host: scpMatch[1].toLowerCase(), owner: segments[0], name: segments[1] };
 }
+export function isGitHubMetadataHostAllowed(host) {
+    return host.toLowerCase() === 'github.com';
+}
+export function normalizePullRequestUrlForRepository(url, repository, number) {
+    if (!URL.canParse(url)) {
+        return null;
+    }
+    const parsedUrl = new URL(url);
+    const expectedPath = `/${repository.owner}/${repository.name}/pull/${number}`;
+    if (parsedUrl.protocol !== 'https:'
+        || parsedUrl.hostname.toLowerCase() !== repository.host
+        || parsedUrl.pathname !== expectedPath
+        || parsedUrl.search !== ''
+        || parsedUrl.hash !== '') {
+        return null;
+    }
+    return `https://${repository.host}${expectedPath}`;
+}
 async function readGitHubRepository(cwd) {
     const { stdout } = await execFileAsync('git', ['config', '--get', 'remote.origin.url'], { cwd });
     const repository = parseGitHubRepositoryFromRemoteUrl(stdout);
-    if (!repository) {
+    if (!repository || !isGitHubMetadataHostAllowed(repository.host)) {
         throw new Error('GitHub repository remote unavailable');
     }
     return repository;
@@ -58,9 +76,7 @@ function buildPullRequestListArgs(repository, branch, state) {
         '-F',
         'per_page=1',
     ];
-    if (repository.host !== 'github.com' && repository.host !== 'www.github.com') {
-        args.push('--hostname', repository.host);
-    }
+    args.push('--hostname', repository.host);
     return args;
 }
 function normalizePullRequestState(state, mergedAt) {
@@ -69,17 +85,17 @@ function normalizePullRequestState(state, mergedAt) {
     }
     return typeof mergedAt === 'string' && mergedAt.length > 0 ? 'MERGED' : 'CLOSED';
 }
-function parsePullRequest(item) {
+function parsePullRequest(item, repository) {
     if (typeof item !== 'object' || item === null) {
         return null;
     }
     const pullRequest = item;
     const number = typeof pullRequest.number === 'number' ? pullRequest.number : NaN;
     const title = typeof pullRequest.title === 'string' ? pullRequest.title : '';
-    const url = typeof pullRequest.html_url === 'string' ? pullRequest.html_url : '';
+    const url = typeof pullRequest.html_url === 'string' && Number.isFinite(number) ? normalizePullRequestUrlForRepository(pullRequest.html_url, repository, number) : null;
     const isDraft = typeof pullRequest.draft === 'boolean' ? pullRequest.draft : false;
     const baseRefName = typeof pullRequest.base?.ref === 'string' ? pullRequest.base.ref : '';
-    if (!Number.isFinite(number) || !title || !url || !baseRefName) {
+    if (!Number.isFinite(number) || !title || url === null || !baseRefName) {
         return null;
     }
     return {
@@ -101,7 +117,7 @@ async function readPullRequestList(cwd, branch, state) {
     }
     const pullRequests = [];
     for (const item of payload) {
-        const parsed = parsePullRequest(item);
+        const parsed = parsePullRequest(item, repository);
         if (parsed !== null) {
             pullRequests.push(parsed);
         }

package/dist/core/log-reader.js

@@ -1,17 +1,32 @@
 import path from 'node:path';
-import { readdir, readFile, stat } from 'node:fs/promises';
+import { open, readdir, stat } from 'node:fs/promises';
 const MAX_LOG_BYTES = 16 * 1024;
 const MAX_LOG_LINES = 120;
+const MAX_LOG_FILES = 100;
 export function tailLogContent(content) {
     const byteTrimmed = content.length > MAX_LOG_BYTES ? content.slice(-MAX_LOG_BYTES) : content;
     const lines = byteTrimmed.replace(/\r\n/g, '\n').split('\n');
     const tailLines = lines.length > MAX_LOG_LINES ? lines.slice(-MAX_LOG_LINES) : lines;
     return tailLines.join('\n').trimEnd();
 }
+async function readLogTail(filePath) {
+    const stats = await stat(filePath);
+    const bytesToRead = Math.min(stats.size, MAX_LOG_BYTES);
+    const buffer = Buffer.alloc(bytesToRead);
+    const file = await open(filePath, 'r');
+    try {
+        await file.read(buffer, 0, bytesToRead, Math.max(0, stats.size - bytesToRead));
+    }
+    finally {
+        await file.close();
+    }
+    return buffer.toString('utf8');
+}
 export async function readLogs(logsDir, activeLogPath) {
     try {
         const entries = (await readdir(logsDir, { withFileTypes: true }))
             .filter(entry => entry.isFile() && entry.name.endsWith('.log'))
+            .slice(0, MAX_LOG_FILES)
             .map(entry => ({ name: entry.name, path: path.join(logsDir, entry.name) }));
         if (entries.length === 0) {
             return [];
@@ -19,8 +34,9 @@ export async function readLogs(logsDir, activeLogPath) {
         let selectedEntries = entries;
         if (activeLogPath !== null) {
             const activeEntry = entries.find(entry => entry.path === activeLogPath);
-            if (activeEntry) {
-                selectedEntries = [activeEntry];
+            selectedEntries = activeEntry ? [activeEntry] : [];
+            if (selectedEntries.length === 0) {
+                return [];
             }
         }
         else {
@@ -34,7 +50,7 @@ export async function readLogs(logsDir, activeLogPath) {
         return await Promise.all(selectedEntries.map(async (entry) => ({
             name: entry.name,
             path: entry.path,
-            content: tailLogContent(await readFile(entry.path, 'utf8')),
+            content: tailLogContent(await readLogTail(entry.path)),
         })));
     }
     catch {

package/dist/core/posix-process.d.ts

@@ -1,4 +1,4 @@
 export declare function isProcessGroupAlive(pgid: number): Promise<boolean>;
 export declare function killProcessGroup(pgid: number, signal?: NodeJS.Signals): Promise<void>;
-export declare function killPortOwner(port: number): Promise<void>;
-export declare function killOrphans(matcher: string): Promise<void>;
+export declare function killPortOwner(port: number, pgid: number): Promise<void>;
+export declare function killOrphans(matcher: string, pgid: number): Promise<void>;

package/dist/core/posix-process.js

@@ -1,6 +1,16 @@
 import { execFile } from 'node:child_process';
 import { promisify } from 'node:util';
 const execFileAsync = promisify(execFile);
+async function readProcessGroupId(pid) {
+    try {
+        const { stdout } = await execFileAsync('ps', ['-o', 'pgid=', '-p', pid]);
+        const pgid = Number(stdout.trim());
+        return Number.isInteger(pgid) ? pgid : null;
+    }
+    catch {
+        return null;
+    }
+}
 export async function isProcessGroupAlive(pgid) {
     try {
         process.kill(-pgid, 0);
@@ -11,6 +21,9 @@ export async function isProcessGroupAlive(pgid) {
     }
 }
 export async function killProcessGroup(pgid, signal = 'SIGTERM') {
+    if (pgid <= 1) {
+        return;
+    }
     try {
         process.kill(-pgid, signal);
     }
@@ -18,23 +31,25 @@ export async function killProcessGroup(pgid, signal = 'SIGTERM') {
         // Process group already gone.
     }
 }
-export async function killPortOwner(port) {
+export async function killPortOwner(port, pgid) {
     try {
         const { stdout } = await execFileAsync('lsof', ['-nP', `-iTCP:${port}`, '-sTCP:LISTEN', '-t']);
         for (const pid of stdout
             .split('\n')
             .map(line => line.trim())
             .filter(Boolean)) {
-            await execFileAsync('kill', [pid]);
+            if (await readProcessGroupId(pid) === pgid) {
+                await execFileAsync('kill', [pid]);
+            }
         }
     }
     catch {
         // Port not owned or lsof found nothing.
     }
 }
-export async function killOrphans(matcher) {
+export async function killOrphans(matcher, pgid) {
     try {
-        await execFileAsync('pkill', ['-f', matcher]);
+        await execFileAsync('pkill', ['-g', String(pgid), '-f', matcher]);
     }
     catch {
         // No matching orphan process.

package/dist/core/process-control.d.ts

@@ -1,7 +1,7 @@
 export interface CleanupDeps {
     killProcessGroup: (pgid: number, signal?: NodeJS.Signals) => Promise<void>;
-    killPortOwner: (port: number) => Promise<void>;
-    killOrphans: (matcher: string) => Promise<void>;
+    killPortOwner: (port: number, pgid: number) => Promise<void>;
+    killOrphans: (matcher: string, pgid: number) => Promise<void>;
     isSessionAlive: (pgid: number) => Promise<boolean>;
 }
 export declare function stopSessionWithFallback(input: {

package/dist/core/process-control.js

@@ -1,11 +1,14 @@
 export async function stopSessionWithFallback(input, deps) {
+    if (input.pgid <= 1) {
+        return false;
+    }
     await deps.killProcessGroup(input.pgid, 'SIGTERM');
     if (!(await deps.isSessionAlive(input.pgid))) {
         return true;
     }
-    await deps.killPortOwner(input.port);
+    await deps.killPortOwner(input.port, input.pgid);
     for (const matcher of input.orphanMatchers) {
-        await deps.killOrphans(matcher);
+        await deps.killOrphans(matcher, input.pgid);
     }
     if (!(await deps.isSessionAlive(input.pgid))) {
         return true;

package/dist/core/session-store.js

@@ -1,7 +1,11 @@
-import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { mkdir, readFile, rm, stat, writeFile } from 'node:fs/promises';
 import path from 'node:path';
-function isPositiveInteger(value) {
-    return typeof value === 'number' && Number.isInteger(value) && value > 0;
+const MAX_SESSION_BYTES = 16 * 1024;
+function isSafeProcessId(value) {
+    return typeof value === 'number' && Number.isInteger(value) && value > 1;
+}
+function isValidPort(value) {
+    return typeof value === 'number' && Number.isInteger(value) && value > 0 && value <= 65535;
 }
 function isSessionRecord(value) {
     if (typeof value !== 'object' || value === null) {
@@ -11,9 +15,9 @@ function isSessionRecord(value) {
     return (typeof record.namespace === 'string' &&
         typeof record.worktreePath === 'string' &&
         typeof record.branch === 'string' &&
-        isPositiveInteger(record.pid) &&
-        isPositiveInteger(record.pgid) &&
-        isPositiveInteger(record.port) &&
+        isSafeProcessId(record.pid) &&
+        isSafeProcessId(record.pgid) &&
+        isValidPort(record.port) &&
         typeof record.logPath === 'string' &&
         typeof record.startedAt === 'string');
 }
@@ -25,9 +29,20 @@ export function getSessionPaths(gitCommonDir, namespace) {
         sessionFile: path.join(baseDir, `${namespace}.json`),
     };
 }
+async function readSessionFile(sessionFile) {
+    if ((await stat(sessionFile)).size > MAX_SESSION_BYTES) {
+        await rm(sessionFile, { force: true });
+        return null;
+    }
+    return readFile(sessionFile, 'utf8');
+}
 export async function readSessionRecord(paths, { isSessionAlive }) {
     try {
-        const parsed = JSON.parse(await readFile(paths.sessionFile, 'utf8'));
+        const source = await readSessionFile(paths.sessionFile);
+        if (source === null) {
+            return null;
+        }
+        const parsed = JSON.parse(source);
         if (!isSessionRecord(parsed)) {
             await rm(paths.sessionFile, { force: true });
             return null;

package/dist/core/worktree-projection.js

@@ -4,8 +4,16 @@ const tagPriority = {
     external: 2,
     invalid: 3,
 };
+const ANSI_CSI_PATTERN = /\u001B\[[0-?]*[ -/]*[@-~]/gu;
+const ANSI_OSC_PATTERN = /\u001B\][^\u0007\u001B\u009C]*(?:\u0007|\u001B\\|\u009C)?/gu;
+const ANSI_STRING_PATTERN = /\u001B[P^_X][\s\S]*?(?:\u001B\\|\u009C|$)/gu;
+const C1_STRING_PATTERN = /[\u0090\u0098\u009D\u009E\u009F][^\u0007\u009C]*(?:\u0007|\u009C)?/gu;
 export function sanitizeInlineText(value) {
     return value
+        .replace(ANSI_OSC_PATTERN, '')
+        .replace(ANSI_STRING_PATTERN, '')
+        .replace(C1_STRING_PATTERN, '')
+        .replace(ANSI_CSI_PATTERN, '')
         .replace(/[\r\n\t\u2028\u2029]+/g, ' ')
         .replace(/[\u0000-\u001f\u007f-\u009f]/g, '')
         .replace(/\p{Cf}/gu, '')
@@ -60,7 +68,7 @@ export function projectAction(row, activePath) {
 }
 export function projectNote(row) {
     if (row.invalidReason) {
-        return { kind: 'invalid', severity: 'error', invalidReason: row.invalidReason };
+        return { kind: 'invalid', severity: 'error', invalidReason: sanitizeInlineText(row.invalidReason) };
     }
     if (hasTag(row, 'external')) {
         return { kind: 'external', severity: 'info' };

package/dist/main.js

@@ -2,6 +2,7 @@
 import { jsx as _jsx } from "react/jsx-runtime";
 import { createConfigForRepo, parseInitArgs } from './core/init.js';
 import { CONFIG_FILE_NAME, CONFIG_FILE_NAMES } from './core/config.js';
+import { sanitizeInlineText } from './core/worktree-projection.js';
 import { ThemeProvider } from '@inkjs/ui';
 import { render } from 'ink';
 import { APP_RENDER_OPTIONS } from './render-options.js';
@@ -37,7 +38,7 @@ async function handleInitCommand() {
         parsed = parseInitArgs(args.slice(1));
     }
     catch (error) {
-        console.error(error.message);
+        console.error(sanitizeInlineText(error.message));
         process.exit(1);
     }
     if (parsed.help) {
@@ -46,10 +47,10 @@ async function handleInitCommand() {
     }
     try {
         const result = await createConfigForRepo({ cwd, force: parsed.force });
-        console.log(`Created ${result.path}`);
+        console.log(`Created ${sanitizeInlineText(result.path)}`);
     }
     catch (error) {
-        console.error(error.message);
+        console.error(sanitizeInlineText(error.message));
         process.exit(1);
     }
 }
@@ -62,7 +63,7 @@ if (args.includes('-h') || args.includes('--help')) {
     process.exit(0);
 }
 if (subcommand !== undefined) {
-    console.error(`Unknown command: ${subcommand}`);
+    console.error(`Unknown command: ${sanitizeInlineText(subcommand)}`);
     process.exit(1);
 }
 try {
@@ -90,6 +91,6 @@ try {
     }
 }
 catch (error) {
-    console.error(describeError(error));
+    console.error(sanitizeInlineText(describeError(error)));
     process.exit(1);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ohzw/worktree-command-tui",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "A TUI for managing git worktrees",
   "private": false,
   "type": "module",