test(taskctl): add utility function to validate branch name safety #393

@randomm

Task Description

Add a branch name validation utility to packages/opencode/src/tasks/pulse-verdicts.ts that validates branch names before git operations.

Currently branch names are used directly in git commands without validation. Add a validateBranchName() function that:

  • Rejects names with dangerous characters (spaces, shell specials, backticks, $, etc.)
  • Allows safe characters: alphanumeric, hyphen, underscore, slash, dot, plus
  • Returns validated branch or throws descriptive error

Quality Gates (Non-Negotiable)

  • TDD: Write tests before implementation
  • Coverage: 80%+ test coverage for new code
  • Linting: All code passes project linting rules
  • Documentation: Add JSDoc comment explaining validation rules
  • Local Verification: All tests pass locally before completion

Acceptance Criteria

  • Function exported from pulse-verdicts.ts
  • Function rejects: spaces, backticks, $, ;, |, &, newlines
  • Function accepts: feature/my-branch, fix/issue_123, release/v1.0+beta
  • Tests cover edge cases: empty string, extremely long names, unicode
  • No type errors, no lint violations
  • Test file under 500 lines

Test Scenarios to Cover

  1. Valid branch names (normal cases)
  2. Shell injection attempts (my$(cmd)branch, `backtick`)
  3. Path traversal attempts (../evil)
  4. Empty/null/whitespace inputs
  5. Extremely long branch names (>255 chars)
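An added sketch of the validator described above, not part of the original issue and not the project's code. The allow-list alone accepts `../evil` and `-D`, so it adds structural checks based on git's ref-format rules plus a leading-hyphen check, which go beyond the issue's list. Only `validateBranchName` is named in the issue; every other identifier and the 255-character ceiling are assumptions.

```typescript
// Added example: the constant and helper names below are hypothetical.
const MAX_BRANCH_LENGTH = 255; // assumed ceiling, from the ">255 chars" scenario
const SAFE_CHARS = /^[A-Za-z0-9._\/+-]+$/; // allow-list from the issue

// Names that pass the allow-list but are still unsafe or invalid as git refs.
const STRUCTURAL_RULES: Array<[RegExp, string]> = [
  [/^-/, "leading '-' would be parsed by git as an option"],
  [/\.\./, "contains '..'"],
  [/(^|\/)\./, "path component starts with '.'"],
  [/(^\/|\/\/|\/$)/, "has an empty path component"],
  [/\.lock(\/|$)/, "path component ends with '.lock'"],
  [/\.$/, "ends with '.'"],
];

function bad(reason: string, input: unknown): Error {
  // Quote and truncate so control characters and huge inputs stay readable in logs.
  const shown = JSON.stringify(String(input).slice(0, 40));
  return new Error(`Invalid branch name ${shown}: ${reason}`);
}

/**
 * Returns `input` unchanged if it is safe to pass to git, otherwise throws.
 * Accepts only ASCII letters, digits, '-', '_', '/', '.', '+', at most
 * MAX_BRANCH_LENGTH characters, and rejects the structural cases listed in
 * STRUCTURAL_RULES.
 */
function validateBranchName(input: unknown): string {
  if (typeof input !== "string") throw bad("must be a string", input);
  if (input.length === 0) throw bad("must not be empty", input);
  if (input.length > MAX_BRANCH_LENGTH) {
    throw bad(`longer than ${MAX_BRANCH_LENGTH} characters`, input);
  }
  // Rejects whitespace, newlines, shell metacharacters and non-ASCII in one pass.
  if (!SAFE_CHARS.test(input)) {
    throw bad("contains a character outside [A-Za-z0-9._/+-]", input);
  }
  for (const rule of STRUCTURAL_RULES) {
    if (rule[0].test(input)) throw bad(rule[1], input);
  }
  return input;
}
```

Validation narrows what reaches git; passing the name as a separate argument-array element rather than interpolating it into a shell string keeps it out of the shell altogether.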
