use git cli to make sure https auth helpers work #126
Entire-Checkpoint: 7c9dbe4e5758
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Pull request overview
Fixes `entire resume <branch>` failing when the target branch only exists on an HTTPS remote (and auth relies on git credential helpers) by switching fetch operations from go-git to the system git CLI.
Changes:
- Replace go-git-based remote fetching with `git fetch origin <refspec>` in `FetchAndCheckoutRemoteBranch`.
- Replace go-git-based metadata branch fetching with `git fetch origin <refspec>` in `FetchMetadataBranch`.
- Remove the now-unused go-git `config` import.
Comments suppressed due to low confidence (1)
cmd/entire/cli/git_operations.go:364
- This PR changes the branch-fetch path from go-git to invoking `git fetch` and then creating a local ref. Please add a unit/integration test that sets up a repo + bare `origin`, pushes a branch, deletes the local branch, and verifies `FetchAndCheckoutRemoteBranch` successfully fetches + checks out the branch. This guards the bug fix described in the PR (branch not available locally yet).
```go
// FetchAndCheckoutRemoteBranch fetches a branch from origin and creates a local tracking branch.
// Uses git CLI instead of go-git for fetch because go-git doesn't use credential helpers,
// which breaks HTTPS URLs that require authentication.
func FetchAndCheckoutRemoteBranch(branchName string) error {
	// Use git CLI for fetch (go-git's fetch can be tricky with auth)
	ctx := context.Background()
	refSpec := fmt.Sprintf("+refs/heads/%s:refs/remotes/origin/%s", branchName, branchName)
	//nolint:gosec // G204: refSpec is constructed from branchName which comes from git refs, not user input
	fetchCmd := exec.CommandContext(ctx, "git", "fetch", "origin", refSpec)
	if output, err := fetchCmd.CombinedOutput(); err != nil {
		return fmt.Errorf("failed to fetch branch from origin: %s", strings.TrimSpace(string(output)))
	}
	repo, err := openRepository()
	if err != nil {
		return fmt.Errorf("failed to open repository: %w", err)
	}
	// Get the remote branch reference
	remoteRef, err := repo.Reference(plumbing.NewRemoteReferenceName("origin", branchName), true)
	if err != nil {
		return fmt.Errorf("branch '%s' not found on origin: %w", branchName, err)
	}
	// Create local branch pointing to the same commit
	localRef := plumbing.NewHashReference(plumbing.NewBranchReferenceName(branchName), remoteRef.Hash())
	err = repo.Storer.SetReference(localRef)
	if err != nil {
		return fmt.Errorf("failed to create local branch: %w", err)
	}
	// Checkout the new local branch
	return CheckoutBranch(branchName)
}
```
| refSpec := fmt.Sprintf("+refs/heads/%s:refs/remotes/origin/%s", branchName, branchName) | ||
| //nolint:gosec // G204: refSpec is constructed from branchName which comes from git refs, not user input | ||
| fetchCmd := exec.CommandContext(ctx, "git", "fetch", "origin", refSpec) |
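Review bot: The `//nolint:gosec` rationale on the line before `exec.CommandContext` should name the property that makes this call safe rather than the origin of the value. The arguments reach `git` as an argv list with no shell involved, so the remaining concern is that `branchName` is interpolated twice into the refspec by `fmt.Sprintf`, where characters with refspec meaning such as `:` or `*` would change what is fetched and which ref is written. Suggest validating `branchName` as a ref name before the `Sprintf` and rewording the suppression to say that it relies on that check.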
The gosec suppression comment is inaccurate: `branchName` is passed from `entire resume <branch>` (user-provided CLI arg), not derived from existing git refs. Please either (a) validate `branchName` as a safe refname (e.g., `git check-ref-format --branch` or equivalent) before constructing the refspec, or (b) update the suppression rationale to reflect the real trust boundary.
Entire-Checkpoint: 50b66240c1f0
This fixes a bug with `entire resume <branch>` not working with a https remote when the branch wasn't locally available yet.
Note
Medium Risk
Switches remote branch fetching from `go-git` to invoking `git fetch`, changing how authentication, timeouts, and errors behave during branch resume/metadata sync. While it improves compatibility and adds branch-name validation, it touches core CLI git operations and could impact users in varied git environments.
Overview
Fixes fetching remote branches for commands like `entire resume` when using HTTPS remotes by replacing `go-git` fetches with `git fetch` so credential helpers are honored.
Adds `ValidateBranchName` (via `git check-ref-format`) before using user-provided branch names, introduces a 2-minute fetch timeout with clearer timeout/error messages, and retains `go-git` only for updating local refs after the fetch.
Written by Cursor Bugbot for commit 5e22650.
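The branch-name validation discussed above, sketched as an added example that is not the PR's code: `validateBranchName` and `fetchRefSpec` are hypothetical names, and the checks are a pure-Go approximation of the rules documented for `git check-ref-format --branch` rather than a call to git itself. The PR's own `ValidateBranchName` is not shown on the page and may differ.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateBranchName is a hypothetical pure-Go approximation of the documented
// `git check-ref-format --branch` rules; it is not the PR's ValidateBranchName.
func validateBranchName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return errors.New("branch name is empty, '@', or looks like an option")
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return errors.New("branch name has a leading/trailing '/' or a trailing '.'")
	}
	for _, seq := range []string{"..", "//", "@{"} {
		if strings.Contains(name, seq) {
			return fmt.Errorf("branch name contains %q", seq)
		}
	}
	for _, r := range name {
		// Control bytes, space, and characters with refspec or revision meaning.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("branch name contains forbidden character %q", r)
		}
	}
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return fmt.Errorf("invalid path component %q", part)
		}
	}
	return nil
}

// fetchRefSpec validates before formatting, so ':' or '*' cannot reshape the refspec.
func fetchRefSpec(branchName string) (string, error) {
	if err := validateBranchName(branchName); err != nil {
		return "", fmt.Errorf("refusing to fetch %q: %w", branchName, err)
	}
	return fmt.Sprintf("+refs/heads/%s:refs/remotes/origin/%s", branchName, branchName), nil
}

func main() {
	for _, b := range []string{"feature/login", "main:refs/heads/main", "-x"} { // constructed inputs
		fmt.Println(fetchRefSpec(b))
	}
}
```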