Several git handlers in cli/src/index.ts pass user input to git argv without a -- separator. Anything starting with - gets treated as a git option.

Affected handlers

• handleGitCheckout (line 1134): ["checkout", branch] / ["checkout", "-b", branch]
• handleGitDeleteBranch (line 1148): ["branch", "-d", branch]
• handleGitDiff (line 1098): ["diff", ..., filepath]
• handleGitCommitDetails (line 1026): three git show calls with hash direct

handleGitStage, handleGitUnstage, and handleGitDiscard already use --.

Why this matters

git diff --output=<path> writes the diff to that path. Bypasses assertSafePath. From a paired app:

{ "v": 1, "id": "x", "ns": "git", "action": "diff",
  "payload": { "path": "--output=/tmp/owned" } }

creates /tmp/owned.

For checkout, branch -d, and show, an option-shaped ref doesn't write a file the same way, but git still parses it as an option. Exact behavior depends on git version.

Threat model

Needs a paired-but-hostile app. The CLI already exposes processes.spawn, fs.write, and terminal.spawn, so the new thing here is escaping assertSafePath.

Fix

Reject inputs starting with -, or add -- before user values. PR coming.