fix: enforce alphanumeric branchprefix values (#76)

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Author: captainsafia

README.md

@@ -89,6 +89,7 @@ grove add
 # Example generated name: quiet-meadow
 # If .groverc sets "branchPrefix": "safia", example: safia/quiet-meadow
 # Directory remains: quiet-meadow
+# branchPrefix only accepts alphanumeric characters
 ```
 
 Track a remote branch:
@@ -113,7 +114,7 @@ Bootstrap a newly created worktree with project-scoped commands:
 
 Save this as `.groverc` in your Grove project root (the directory that contains your bare clone, for example `repo/.groverc` next to `repo/repo.git`).
 
-When `grove add` is called without an explicit branch name, Grove generates an adjective-noun name and prepends `branchPrefix` to the branch name when configured. The worktree directory keeps the generated base name.
+When `grove add` is called without an explicit branch name, Grove generates an adjective-noun name and prepends `branchPrefix` to the branch name when configured. `branchPrefix` must be alphanumeric only (letters and numbers). The worktree directory keeps the generated base name.
 
 When `grove add` creates a worktree, it runs each bootstrap command in order inside that new worktree directory.
 

site/index.html

@@ -801,7 +801,8 @@ <h3>Add a new worktree</h3>
                     <pre><code>grove add
 # Example generated name: quiet-meadow
 # If .groverc sets "branchPrefix": "safia", example: safia/quiet-meadow
-# Directory remains: quiet-meadow</code></pre>
+# Directory remains: quiet-meadow
+# branchPrefix only accepts alphanumeric characters</code></pre>
                     <p>With tracking for a remote branch:</p>
                     <pre><code>grove add feature-branch --track origin/feature-branch</code></pre>
                     <p>Optional bootstrap commands from <code>.groverc</code> run in the new worktree:</p>
@@ -815,7 +816,7 @@ <h3>Add a new worktree</h3>
   }
 }</code></pre>
                     <p>Place <code>.groverc</code> in the Grove project root (next to the bare clone directory).</p>
-                    <p>When <code>grove add</code> is called without an explicit branch name, Grove generates an adjective-noun name and prepends <code>branchPrefix</code> to the branch name when configured. The worktree directory keeps the generated base name.</p>
+                    <p>When <code>grove add</code> is called without an explicit branch name, Grove generates an adjective-noun name and prepends <code>branchPrefix</code> to the branch name when configured. <code>branchPrefix</code> must be alphanumeric only (letters and numbers). The worktree directory keeps the generated base name.</p>
                     <p>Commands must be portable across Linux/macOS/Windows and use executable + args only (no shell operators like <code>&amp;&amp;</code> or pipes). If one command fails, Grove continues and reports a partial bootstrap state.</p>
                 </div>
 

src/commands/add.rs

@@ -7,7 +7,7 @@ use crate::git::{
 };
 use crate::utils::{
     default_worktree_name_seed, generate_default_worktree_name, read_repo_config,
-    trim_trailing_branch_slashes, BootstrapCommand, RepoConfig, DEFAULT_WORKTREE_NAME_ATTEMPTS,
+    sanitize_branch_prefix, BootstrapCommand, RepoConfig, DEFAULT_WORKTREE_NAME_ATTEMPTS,
 };
 
 #[derive(Debug)]
@@ -169,7 +169,7 @@ fn choose_default_worktree_spec(
     let seed = default_worktree_name_seed();
     for attempt in 0..DEFAULT_WORKTREE_NAME_ATTEMPTS {
         let generated_name = generate_default_worktree_name(seed, attempt);
-        let candidate = generated_worktree_spec(branch_prefix, &generated_name);
+        let candidate = generated_worktree_spec(branch_prefix, &generated_name)?;
         if is_name_available(repo, project_root, &candidate) {
             return Ok(candidate);
         }
@@ -189,22 +189,28 @@ fn is_name_available(repo: &RepoContext, project_root: &Path, candidate: &Worktr
     !project_root.join(&candidate.directory_name).exists()
 }
 
-fn generated_worktree_spec(branch_prefix: Option<&str>, generated_name: &str) -> WorktreeSpec {
-    WorktreeSpec {
+fn generated_worktree_spec(
+    branch_prefix: Option<&str>,
+    generated_name: &str,
+) -> Result<WorktreeSpec, String> {
+    Ok(WorktreeSpec {
         directory_name: generated_name.to_string(),
-        branch_name: apply_branch_prefix(branch_prefix, generated_name),
-    }
+        branch_name: apply_branch_prefix(branch_prefix, generated_name)?,
+    })
 }
 
-fn apply_branch_prefix(branch_prefix: Option<&str>, generated_name: &str) -> String {
-    let Some(prefix) = branch_prefix
-        .map(trim_trailing_branch_slashes)
-        .filter(|prefix| !prefix.is_empty())
-    else {
-        return generated_name.to_string();
+fn apply_branch_prefix(
+    branch_prefix: Option<&str>,
+    generated_name: &str,
+) -> Result<String, String> {
+    let Some(prefix) = branch_prefix else {
+        return Ok(generated_name.to_string());
+    };
+    let Some(prefix) = sanitize_branch_prefix(prefix)? else {
+        return Ok(generated_name.to_string());
     };
 
-    format!("{}/{}", prefix, generated_name)
+    Ok(format!("{}/{}", prefix, generated_name))
 }
 
 fn resolve_target_branch(name: &str, track: Option<&str>) -> Result<String, String> {
@@ -539,32 +545,38 @@ mod tests {
 
     #[test]
     fn apply_branch_prefix_adds_separator_when_configured() {
-        let prefixed = apply_branch_prefix(Some("safia"), "quiet-meadow");
+        let prefixed = apply_branch_prefix(Some("safia"), "quiet-meadow").unwrap();
         assert_eq!(prefixed, "safia/quiet-meadow");
     }
 
     #[test]
     fn apply_branch_prefix_trims_whitespace_and_trailing_slashes() {
-        let prefixed = apply_branch_prefix(Some("  teams/safia/  "), "quiet-meadow");
-        assert_eq!(prefixed, "teams/safia/quiet-meadow");
+        let prefixed = apply_branch_prefix(Some("  safia123/  "), "quiet-meadow").unwrap();
+        assert_eq!(prefixed, "safia123/quiet-meadow");
     }
 
     #[test]
     fn apply_branch_prefix_ignores_empty_prefix() {
-        let unprefixed = apply_branch_prefix(Some("  /  "), "quiet-meadow");
+        let unprefixed = apply_branch_prefix(Some("  /  "), "quiet-meadow").unwrap();
         assert_eq!(unprefixed, "quiet-meadow");
     }
 
+    #[test]
+    fn apply_branch_prefix_rejects_non_alphanumeric_prefix() {
+        let err = apply_branch_prefix(Some("teams/safia"), "quiet-meadow").unwrap_err();
+        assert!(err.contains("alphanumeric"));
+    }
+
     #[test]
     fn generated_worktree_spec_applies_prefix_only_to_branch_name() {
-        let spec = generated_worktree_spec(Some("safia"), "quiet-meadow");
+        let spec = generated_worktree_spec(Some("safia"), "quiet-meadow").unwrap();
         assert_eq!(spec.directory_name, "quiet-meadow");
         assert_eq!(spec.branch_name, "safia/quiet-meadow");
     }
 
     #[test]
     fn generated_worktree_spec_without_prefix_keeps_names_equal() {
-        let spec = generated_worktree_spec(None, "quiet-meadow");
+        let spec = generated_worktree_spec(None, "quiet-meadow").unwrap();
         assert_eq!(spec.directory_name, "quiet-meadow");
         assert_eq!(spec.branch_name, "quiet-meadow");
     }

src/utils.rs

@@ -109,8 +109,15 @@ pub fn read_repo_config(project_root: &Path) -> Result<RepoConfig, String> {
         }
     };
 
-    serde_json::from_str(&content)
-        .map_err(|e| format!("Invalid repo config at {}: {}", path.display(), e))
+    let mut config: RepoConfig = serde_json::from_str(&content)
+        .map_err(|e| format!("Invalid repo config at {}: {}", path.display(), e))?;
+
+    if let Some(prefix) = config.branch_prefix.as_deref() {
+        config.branch_prefix = sanitize_branch_prefix(prefix)
+            .map_err(|e| format!("Invalid repo config at {}: {}", path.display(), e))?;
+    }
+
+    Ok(config)
 }
 
 // ============================================================================
@@ -198,6 +205,21 @@ pub fn trim_trailing_branch_slashes(value: &str) -> &str {
     value.trim().trim_end_matches('/')
 }
 
+/// Sanitize a branchPrefix value from config.
+/// Returns None for empty values after trimming.
+pub fn sanitize_branch_prefix(value: &str) -> Result<Option<String>, String> {
+    let normalized = trim_trailing_branch_slashes(value);
+    if normalized.is_empty() {
+        return Ok(None);
+    }
+
+    if normalized.chars().all(|c| c.is_ascii_alphanumeric()) {
+        return Ok(Some(normalized.to_string()));
+    }
+
+    Err("Invalid branchPrefix: must contain only alphanumeric characters".to_string())
+}
+
 pub const DEFAULT_WORKTREE_NAME_ATTEMPTS: u64 = 64;
 const DEFAULT_WORKTREE_NAME_ADJECTIVES: &[&str] = &[
     "amber", "autumn", "brisk", "calm", "cedar", "clear", "cobalt", "cosmic", "dawn", "deep",
@@ -738,17 +760,33 @@ mod tests {
         fs::write(
             dir.join(".groverc"),
             r#"{
-  "branchPrefix": "teams/safia"
+  "branchPrefix": "  safia123/  "
 }"#,
         )
         .unwrap();
 
         let config = read_repo_config(&dir).unwrap();
-        assert_eq!(config.branch_prefix.as_deref(), Some("teams/safia"));
+        assert_eq!(config.branch_prefix.as_deref(), Some("safia123"));
         assert!(config.bootstrap.is_none());
         let _ = fs::remove_dir_all(dir);
     }
 
+    #[test]
+    fn read_repo_config_rejects_non_alphanumeric_branch_prefix() {
+        let dir = make_temp_dir("repo-config-invalid-prefix");
+        fs::write(
+            dir.join(".groverc"),
+            r#"{
+  "branchPrefix": "teams/safia"
+}"#,
+        )
+        .unwrap();
+
+        let err = read_repo_config(&dir).unwrap_err();
+        assert!(err.contains("branchPrefix"));
+        let _ = fs::remove_dir_all(dir);
+    }
+
     #[test]
     fn read_repo_config_rejects_string_commands_schema() {
         let dir = make_temp_dir("repo-config-string-schema");
@@ -767,6 +805,28 @@ mod tests {
         let _ = fs::remove_dir_all(dir);
     }
 
+    #[test]
+    fn sanitize_branch_prefix_accepts_alphanumeric_value() {
+        assert_eq!(
+            sanitize_branch_prefix("  safia123  ").unwrap(),
+            Some("safia123".to_string())
+        );
+    }
+
+    #[test]
+    fn sanitize_branch_prefix_trims_trailing_slashes() {
+        assert_eq!(
+            sanitize_branch_prefix("safia123/").unwrap(),
+            Some("safia123".to_string())
+        );
+    }
+
+    #[test]
+    fn sanitize_branch_prefix_rejects_non_alphanumeric_value() {
+        let err = sanitize_branch_prefix("team/safia").unwrap_err();
+        assert!(err.contains("alphanumeric"));
+    }
+
     // --- extractRepoName tests ---
 
     #[test]