@unbrained/pm-cli 2026.5.27 → 2026.5.29

package/dist/core/shared/html-entity-decode.js

@@ -0,0 +1,122 @@
+// Defensive HTML-entity decode for free-text fields arriving over the MCP boundary.
+// Background (pm-ydkl 2026-05-28): when Claude / the Anthropic MCP SDK forwards
+// tool arguments containing `<` or `>`, the upstream platform HTML-encodes those
+// characters before they reach pm-cli. The result is stored pm text containing
+// literal `&lt;type&gt;` instead of `<type>`. Direct CLI calls do NOT have this
+// issue — only the MCP path — so the decode is applied exclusively at the MCP
+// server boundary on incoming tool-call arguments.
+//
+// We decode only the five core HTML entities and ONLY when `&lt;` or `&gt;` is
+// present in the string (the signal that something upstream HTML-encoded it).
+// That makes the function a true no-op for normal text. All replacements run in
+// a single non-greedy pass via a lookup map so we never double-decode — most
+// importantly `&amp;lt;` stays as the literal `&lt;` (because `&amp;` is the
+// last entity resolved in the pass), preserving any text that was already
+// double-encoded upstream.
+
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="59b9e6dc-4fde-5bd0-b4bc-972055df82fe")}catch(e){}}();
+const ENTITY_MAP = Object.freeze({
+    "&lt;": "<",
+    "&gt;": ">",
+    "&quot;": '"',
+    "&#39;": "'",
+    "&amp;": "&",
+});
+// Pattern order is important for documentation only: the alternation matches
+// the leftmost occurrence at each position, and the map lookup resolves each
+// match independently. Crucially, `&amp;` is matched as a whole token, so a
+// substring like `&amp;lt;` matches `&amp;` once → `&lt;` (literal) and the
+// regex engine then advances past the inserted text without re-scanning it.
+const ENTITY_PATTERN = /&(?:lt|gt|quot|#39|amp);/g;
+/**
+ * Decode the five core HTML entities (`&lt;`, `&gt;`, `&quot;`, `&#39;`,
+ * `&amp;`) in a single pass — but only when the input contains `&lt;` or
+ * `&gt;`. Returns the input unchanged otherwise so the function is a no-op for
+ * normal text and idempotent on already-decoded strings.
+ *
+ * Single-pass semantics guarantee `&amp;lt;` decodes to `&lt;` (literal) rather
+ * than collapsing to `<`, preserving any intentional double-encoding.
+ */
+export function decodeHtmlEntitiesIfEscaped(input) {
+    if (typeof input !== "string") {
+        return input;
+    }
+    // Activation signal is INTENTIONALLY narrow: only `&lt;` / `&gt;` trigger
+    // decoding. Rationale: the observed MCP-platform behavior only encodes
+    // angle brackets (the characters that risk display-time HTML
+    // misinterpretation upstream). Widening to `&amp;` / `&quot;` / `&#39;`
+    // would risk altering legitimate text that contains those literal token
+    // sequences for unrelated reasons (a URL containing `&amp;`, a snippet
+    // of HTML being intentionally stored as escaped, etc.). If upstream
+    // changes its encoding policy to cover `&` / `"` / `'` standalone, the
+    // signal-guard here will need to be widened in lockstep — covered by
+    // tests `&amp;-only is no-op` and `&quot;-only is no-op`.
+    if (!input.includes("&lt;") && !input.includes("&gt;")) {
+        return input;
+    }
+    // The regex only matches keys present in ENTITY_MAP, so the lookup is total.
+    return input.replace(ENTITY_PATTERN, (match) => ENTITY_MAP[match]);
+}
+/**
+ * Walk an arbitrary value (string / array / plain object) and apply
+ * {@link decodeHtmlEntitiesIfEscaped} to every string leaf. Non-string scalars
+ * (numbers, booleans, null, undefined) and non-plain values pass through
+ * untouched.
+ *
+ * The walker mutates a fresh shallow copy at each level so the caller's input
+ * is not modified. Cycles are not expected (MCP arguments arrive as JSON), but
+ * a visited-set is used as defensive protection against accidental cycles.
+ */
+export function decodeHtmlEntitiesInOptions(options) {
+    return decodeValue(options, new WeakSet());
+}
+function decodeValue(value, seen) {
+    if (typeof value === "string") {
+        return decodeHtmlEntitiesIfEscaped(value);
+    }
+    if (Array.isArray(value)) {
+        if (seen.has(value)) {
+            return value;
+        }
+        seen.add(value);
+        return value.map((entry) => decodeValue(entry, seen));
+    }
+    if (value !== null && typeof value === "object") {
+        // Only traverse plain objects (`{}` and `Object.create(null)` literals).
+        // Class instances (Date, RegExp, Map, Set, Buffer, etc.) and `null`-proto
+        // objects with no proto would lose their prototype and methods if we
+        // rebuilt them as a `Record<string, unknown>` here, so we pass them through.
+        if (!isPlainObject(value)) {
+            return value;
+        }
+        if (seen.has(value)) {
+            return value;
+        }
+        seen.add(value);
+        const source = value;
+        // Preserve the original prototype so downstream callers can still rely on
+        // standard methods like `.hasOwnProperty` on plain objects.
+        const result = Object.create(Object.getPrototypeOf(value));
+        // Use Object.defineProperty (not bracket assignment) for ALL keys so a
+        // smuggled `__proto__` / `constructor` / `prototype` key from an MCP
+        // caller becomes a regular own property — never triggers JS's special
+        // prototype-chain assignment semantics that would otherwise pollute
+        // Object.prototype. This preserves legitimate data while staying safe.
+        for (const [key, entry] of Object.entries(source)) {
+            Object.defineProperty(result, key, {
+                value: decodeValue(entry, seen),
+                enumerable: true,
+                writable: true,
+                configurable: true,
+            });
+        }
+        return result;
+    }
+    return value;
+}
+function isPlainObject(value) {
+    const proto = Object.getPrototypeOf(value);
+    return proto === Object.prototype || proto === null;
+}
+//# sourceMappingURL=html-entity-decode.js.map
+//# debugId=59b9e6dc-4fde-5bd0-b4bc-972055df82fe

package/dist/core/shared/html-entity-decode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-entity-decode.js","sources":["core/shared/html-entity-decode.ts"],"sourceRoot":"/","sourcesContent":["// Defensive HTML-entity decode for free-text fields arriving over the MCP boundary.\n// Background (pm-ydkl 2026-05-28): when Claude / the Anthropic MCP SDK forwards\n// tool arguments containing `<` or `>`, the upstream platform HTML-encodes those\n// characters before they reach pm-cli. The result is stored pm text containing\n// literal `&lt;type&gt;` instead of `<type>`. Direct CLI calls do NOT have this\n// issue — only the MCP path — so the decode is applied exclusively at the MCP\n// server boundary on incoming tool-call arguments.\n//\n// We decode only the five core HTML entities and ONLY when `&lt;` or `&gt;` is\n// present in the string (the signal that something upstream HTML-encoded it).\n// That makes the function a true no-op for normal text. All replacements run in\n// a single non-greedy pass via a lookup map so we never double-decode — most\n// importantly `&amp;lt;` stays as the literal `&lt;` (because `&amp;` is the\n// last entity resolved in the pass), preserving any text that was already\n// double-encoded upstream.\n\nconst ENTITY_MAP: Readonly<Record<string, string>> = Object.freeze({\n  \"&lt;\": \"<\",\n  \"&gt;\": \">\",\n  \"&quot;\": '\"',\n  \"&#39;\": \"'\",\n  \"&amp;\": \"&\",\n});\n\n// Pattern order is important for documentation only: the alternation matches\n// the leftmost occurrence at each position, and the map lookup resolves each\n// match independently. Crucially, `&amp;` is matched as a whole token, so a\n// substring like `&amp;lt;` matches `&amp;` once → `&lt;` (literal) and the\n// regex engine then advances past the inserted text without re-scanning it.\nconst ENTITY_PATTERN = /&(?:lt|gt|quot|#39|amp);/g;\n\n/**\n * Decode the five core HTML entities (`&lt;`, `&gt;`, `&quot;`, `&#39;`,\n * `&amp;`) in a single pass — but only when the input contains `&lt;` or\n * `&gt;`. Returns the input unchanged otherwise so the function is a no-op for\n * normal text and idempotent on already-decoded strings.\n *\n * Single-pass semantics guarantee `&amp;lt;` decodes to `&lt;` (literal) rather\n * than collapsing to `<`, preserving any intentional double-encoding.\n */\nexport function decodeHtmlEntitiesIfEscaped(input: string): string {\n  if (typeof input !== \"string\") {\n    return input;\n  }\n  // Activation signal is INTENTIONALLY narrow: only `&lt;` / `&gt;` trigger\n  // decoding. Rationale: the observed MCP-platform behavior only encodes\n  // angle brackets (the characters that risk display-time HTML\n  // misinterpretation upstream). Widening to `&amp;` / `&quot;` / `&#39;`\n  // would risk altering legitimate text that contains those literal token\n  // sequences for unrelated reasons (a URL containing `&amp;`, a snippet\n  // of HTML being intentionally stored as escaped, etc.). If upstream\n  // changes its encoding policy to cover `&` / `\"` / `'` standalone, the\n  // signal-guard here will need to be widened in lockstep — covered by\n  // tests `&amp;-only is no-op` and `&quot;-only is no-op`.\n  if (!input.includes(\"&lt;\") && !input.includes(\"&gt;\")) {\n    return input;\n  }\n  // The regex only matches keys present in ENTITY_MAP, so the lookup is total.\n  return input.replace(ENTITY_PATTERN, (match) => ENTITY_MAP[match] as string);\n}\n\n/**\n * Walk an arbitrary value (string / array / plain object) and apply\n * {@link decodeHtmlEntitiesIfEscaped} to every string leaf. Non-string scalars\n * (numbers, booleans, null, undefined) and non-plain values pass through\n * untouched.\n *\n * The walker mutates a fresh shallow copy at each level so the caller's input\n * is not modified. Cycles are not expected (MCP arguments arrive as JSON), but\n * a visited-set is used as defensive protection against accidental cycles.\n */\nexport function decodeHtmlEntitiesInOptions<T>(options: T): T {\n  return decodeValue(options, new WeakSet<object>()) as T;\n}\n\nfunction decodeValue(value: unknown, seen: WeakSet<object>): unknown {\n  if (typeof value === \"string\") {\n    return decodeHtmlEntitiesIfEscaped(value);\n  }\n  if (Array.isArray(value)) {\n    if (seen.has(value)) {\n      return value;\n    }\n    seen.add(value);\n    return value.map((entry) => decodeValue(entry, seen));\n  }\n  if (value !== null && typeof value === \"object\") {\n    // Only traverse plain objects (`{}` and `Object.create(null)` literals).\n    // Class instances (Date, RegExp, Map, Set, Buffer, etc.) and `null`-proto\n    // objects with no proto would lose their prototype and methods if we\n    // rebuilt them as a `Record<string, unknown>` here, so we pass them through.\n    if (!isPlainObject(value)) {\n      return value;\n    }\n    if (seen.has(value as object)) {\n      return value;\n    }\n    seen.add(value as object);\n    const source = value as Record<string, unknown>;\n    // Preserve the original prototype so downstream callers can still rely on\n    // standard methods like `.hasOwnProperty` on plain objects.\n    const result: Record<string, unknown> = Object.create(Object.getPrototypeOf(value as object));\n    // Use Object.defineProperty (not bracket assignment) for ALL keys so a\n    // smuggled `__proto__` / `constructor` / `prototype` key from an MCP\n    // caller becomes a regular own property — never triggers JS's special\n    // prototype-chain assignment semantics that would otherwise pollute\n    // Object.prototype. This preserves legitimate data while staying safe.\n    for (const [key, entry] of Object.entries(source)) {\n      Object.defineProperty(result, key, {\n        value: decodeValue(entry, seen),\n        enumerable: true,\n        writable: true,\n        configurable: true,\n      });\n    }\n    return result;\n  }\n  return value;\n}\n\nfunction isPlainObject(value: object): boolean {\n  const proto = Object.getPrototypeOf(value);\n  return proto === Object.prototype || proto === null;\n}\n"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,gFAAgF;AAChF,iFAAiF;AACjF,+EAA+E;AAC/E,gFAAgF;AAChF,8EAA8E;AAC9E,mDAAmD;AACnD,EAAE;AACF,+EAA+E;AAC/E,8EAA8E;AAC9E,gFAAgF;AAChF,6EAA6E;AAC7E,6EAA6E;AAC7E,0EAA0E;AAC1E,2BAA2B;;;AAE3B,MAAM,UAAU,GAAqC,MAAM,CAAC,MAAM,CAAC;IACjE,MAAM,EAAE,GAAG;IACX,MAAM,EAAE,GAAG;IACX,QAAQ,EAAE,GAAG;IACb,OAAO,EAAE,GAAG;IACZ,OAAO,EAAE,GAAG;CACb,CAAC,CAAC;AAEH,6EAA6E;AAC7E,6EAA6E;AAC7E,4EAA4E;AAC5E,4EAA4E;AAC5E,4EAA4E;AAC5E,MAAM,cAAc,GAAG,2BAA2B,CAAC;AAEnD;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,0EAA0E;IAC1E,uEAAuE;IACvE,6DAA6D;IAC7D,wEAAwE;IACxE,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IACpE,uEAAuE;IACvE,qEAAqE;IACrE,0DAA0D;IAC1D,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,6EAA6E;IAC7E,OAAO,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAW,CAAC,CAAC;AAC/E,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CAAI,OAAU;IACvD,OAAO,WAAW,CAAC,OAAO,EAAE,IAAI,OAAO,EAAU,CAAM,CAAC;AAC1D,CAAC;AAED,SAAS,WAAW,CAAC,KAAc,EAAE,IAAqB;IACxD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,2BAA2B,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACpB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,yEAAyE;QACzE,0EAA0E;QAC1E,qEAAqE;QACrE,6EAA6E;QAC7E,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,CAAC,KAAe,CAAC,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAe,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAG,KAAgC,CAAC;QAChD,0EAA0E;QAC1E,4DAA4D;QAC5D,MAAM,MAAM,GAA4B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,KAAe,CAAC,CAAC,CAAC;QAC9F,uEAAuE;QACvE,qEAAqE;QACrE,sEAAsE;QACtE,oEAAoE;QACpE,uEAAuE;QACvE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,EAAE;gBACjC,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC;gBAC/B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,OAAO,KAAK,KAAK,MAAM,CAAC,SAAS,IAAI,KAAK,KAAK,IAAI,CAAC;AACtD,CAAC","debugId":"59b9e6dc-4fde-5bd0-b4bc-972055df82fe"}

package/dist/core/shared/levenshtein.js

@@ -1,5 +1,11 @@
+// Optimal String Alignment (OSA) Damerau–Levenshtein: counts a single adjacent
+// transposition as one edit (e.g. "titel" vs "title", "lst" vs "lts" -> "list")
+// so flag/command typo suggestions catch transpositions at the same maxDistance
+// budget plain Levenshtein uses for substitutions. pm-fl0c #6 (2026-05-28):
+// fixed because plain Levenshtein scored "titel"->"title" at 2, defeating the
+// length-5 maxDistance=1 ceiling in suggestNearestLongFlags.
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="ed0e9098-b7bf-5a5c-a816-6fcdf522a50b")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="6f3e0977-8505-552c-b2ff-862f2a5d5a91")}catch(e){}}();
 export function levenshteinDistanceWithinLimit(left, right, limit) {
     if (left === right) {
         return 0;
@@ -7,9 +13,12 @@ export function levenshteinDistanceWithinLimit(left, right, limit) {
     if (Math.abs(left.length - right.length) > limit) {
         return null;
     }
-    const previous = new Array(right.length + 1);
-    const current = new Array(right.length + 1);
-    for (let column = 0; column <= right.length; column += 1) {
+    const width = right.length + 1;
+    const beforePrevious = new Array(width);
+    const previous = new Array(width);
+    const current = new Array(width);
+    for (let column = 0; column < width; column += 1) {
+        beforePrevious[column] = 0;
         previous[column] = column;
     }
     for (let row = 1; row <= left.length; row += 1) {
@@ -20,7 +29,13 @@ export function levenshteinDistanceWithinLimit(left, right, limit) {
             const substitution = previous[column - 1] + cost;
             const insertion = current[column - 1] + 1;
             const deletion = previous[column] + 1;
-            const candidate = Math.min(substitution, insertion, deletion);
+            let candidate = Math.min(substitution, insertion, deletion);
+            if (row > 1 &&
+                column > 1 &&
+                left[row - 1] === right[column - 2] &&
+                left[row - 2] === right[column - 1]) {
+                candidate = Math.min(candidate, beforePrevious[column - 2] + 1);
+            }
             current[column] = candidate;
             if (candidate < rowMin) {
                 rowMin = candidate;
@@ -29,7 +44,8 @@ export function levenshteinDistanceWithinLimit(left, right, limit) {
         if (rowMin > limit) {
             return null;
         }
-        for (let column = 0; column <= right.length; column += 1) {
+        for (let column = 0; column < width; column += 1) {
+            beforePrevious[column] = previous[column];
             previous[column] = current[column];
         }
     }
@@ -37,4 +53,4 @@ export function levenshteinDistanceWithinLimit(left, right, limit) {
     return result <= limit ? result : null;
 }
 //# sourceMappingURL=levenshtein.js.map
-//# debugId=ed0e9098-b7bf-5a5c-a816-6fcdf522a50b
+//# debugId=6f3e0977-8505-552c-b2ff-862f2a5d5a91

package/dist/core/shared/levenshtein.js.map

@@ -1 +1 @@
-{"version":3,"file":"levenshtein.js","sources":["core/shared/levenshtein.ts"],"sourceRoot":"/","sourcesContent":["export function levenshteinDistanceWithinLimit(left: string, right: string, limit: number): number | null {\n  if (left === right) {\n    return 0;\n  }\n  if (Math.abs(left.length - right.length) > limit) {\n    return null;\n  }\n  const previous = new Array<number>(right.length + 1);\n  const current = new Array<number>(right.length + 1);\n  for (let column = 0; column <= right.length; column += 1) {\n    previous[column] = column;\n  }\n  for (let row = 1; row <= left.length; row += 1) {\n    current[0] = row;\n    let rowMin = current[0];\n    for (let column = 1; column <= right.length; column += 1) {\n      const cost = left[row - 1] === right[column - 1] ? 0 : 1;\n      const substitution = previous[column - 1] + cost;\n      const insertion = current[column - 1] + 1;\n      const deletion = previous[column] + 1;\n      const candidate = Math.min(substitution, insertion, deletion);\n      current[column] = candidate;\n      if (candidate < rowMin) {\n        rowMin = candidate;\n      }\n    }\n    if (rowMin > limit) {\n      return null;\n    }\n    for (let column = 0; column <= right.length; column += 1) {\n      previous[column] = current[column];\n    }\n  }\n  const result = previous[right.length];\n  return result <= limit ? result : null;\n}\n"],"names":[],"mappings":";;AAAA,MAAM,UAAU,8BAA8B,CAAC,IAAY,EAAE,KAAa,EAAE,KAAa;IACvF,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAS,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,KAAK,CAAS,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACpD,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;QACzD,QAAQ,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAC5B,CAAC;IACD,KAAK,IAAI,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;QACjB,IAAI,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACzD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;YACjD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;YAC9D,OAAO,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;YAC5B,IAAI,SAAS,GAAG,MAAM,EAAE,CAAC;gBACvB,MAAM,GAAG,SAAS,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,MAAM,GAAG,KAAK,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;YACzD,QAAQ,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,OAAO,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC","debugId":"ed0e9098-b7bf-5a5c-a816-6fcdf522a50b"}
+{"version":3,"file":"levenshtein.js","sources":["core/shared/levenshtein.ts"],"sourceRoot":"/","sourcesContent":["// Optimal String Alignment (OSA) Damerau–Levenshtein: counts a single adjacent\n// transposition as one edit (e.g. \"titel\" vs \"title\", \"lst\" vs \"lts\" -> \"list\")\n// so flag/command typo suggestions catch transpositions at the same maxDistance\n// budget plain Levenshtein uses for substitutions. pm-fl0c #6 (2026-05-28):\n// fixed because plain Levenshtein scored \"titel\"->\"title\" at 2, defeating the\n// length-5 maxDistance=1 ceiling in suggestNearestLongFlags.\nexport function levenshteinDistanceWithinLimit(left: string, right: string, limit: number): number | null {\n  if (left === right) {\n    return 0;\n  }\n  if (Math.abs(left.length - right.length) > limit) {\n    return null;\n  }\n  const width = right.length + 1;\n  const beforePrevious = new Array<number>(width);\n  const previous = new Array<number>(width);\n  const current = new Array<number>(width);\n  for (let column = 0; column < width; column += 1) {\n    beforePrevious[column] = 0;\n    previous[column] = column;\n  }\n  for (let row = 1; row <= left.length; row += 1) {\n    current[0] = row;\n    let rowMin = current[0];\n    for (let column = 1; column <= right.length; column += 1) {\n      const cost = left[row - 1] === right[column - 1] ? 0 : 1;\n      const substitution = previous[column - 1] + cost;\n      const insertion = current[column - 1] + 1;\n      const deletion = previous[column] + 1;\n      let candidate = Math.min(substitution, insertion, deletion);\n      if (\n        row > 1 &&\n        column > 1 &&\n        left[row - 1] === right[column - 2] &&\n        left[row - 2] === right[column - 1]\n      ) {\n        candidate = Math.min(candidate, beforePrevious[column - 2] + 1);\n      }\n      current[column] = candidate;\n      if (candidate < rowMin) {\n        rowMin = candidate;\n      }\n    }\n    if (rowMin > limit) {\n      return null;\n    }\n    for (let column = 0; column < width; column += 1) {\n      beforePrevious[column] = previous[column];\n      previous[column] = current[column];\n    }\n  }\n  const result = previous[right.length];\n  return result <= limit ? result : null;\n}\n"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,gFAAgF;AAChF,gFAAgF;AAChF,4EAA4E;AAC5E,8EAA8E;AAC9E,6DAA6D;;;AAC7D,MAAM,UAAU,8BAA8B,CAAC,IAAY,EAAE,KAAa,EAAE,KAAa;IACvF,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC/B,MAAM,cAAc,GAAG,IAAI,KAAK,CAAS,KAAK,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAS,KAAK,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,KAAK,CAAS,KAAK,CAAC,CAAC;IACzC,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;QACjD,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC3B,QAAQ,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAC5B,CAAC;IACD,KAAK,IAAI,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;QACjB,IAAI,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACzD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;YACjD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;YAC5D,IACE,GAAG,GAAG,CAAC;gBACP,MAAM,GAAG,CAAC;gBACV,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;gBACnC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EACnC,CAAC;gBACD,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAClE,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;YAC5B,IAAI,SAAS,GAAG,MAAM,EAAE,CAAC;gBACvB,MAAM,GAAG,SAAS,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,MAAM,GAAG,KAAK,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC;YACjD,cAAc,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC1C,QAAQ,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,OAAO,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC","debugId":"6f3e0977-8505-552c-b2ff-862f2a5d5a91"}

package/dist/core/shared/split-comma-list.d.ts

@@ -0,0 +1,20 @@
+export interface SplitCommaListOptions {
+    /** Separator pattern. Defaults to `/,/`. */
+    separators?: RegExp | string;
+    /** De-duplicate entries while preserving first-seen order. Defaults to `true`. */
+    unique?: boolean;
+    /** Sort entries lexicographically (default JS string sort). Defaults to `false`. */
+    sort?: boolean;
+}
+/**
+ * Split a comma-separated (or custom-separator) string into trimmed, non-empty entries.
+ *
+ * Default behaviour:
+ *   - Splits on `,`.
+ *   - Trims each entry and discards empty results (collapsing leading/trailing/duplicate separators).
+ *   - De-duplicates while preserving first-seen order.
+ *   - Does not sort.
+ *
+ * Returns `[]` for `undefined`/`null` input. Pure, dependency-free.
+ */
+export declare function splitCommaList(raw: string | undefined | null, options?: SplitCommaListOptions): string[];

package/dist/core/shared/split-comma-list.js

@@ -0,0 +1,29 @@
+/**
+ * Split a comma-separated (or custom-separator) string into trimmed, non-empty entries.
+ *
+ * Default behaviour:
+ *   - Splits on `,`.
+ *   - Trims each entry and discards empty results (collapsing leading/trailing/duplicate separators).
+ *   - De-duplicates while preserving first-seen order.
+ *   - Does not sort.
+ *
+ * Returns `[]` for `undefined`/`null` input. Pure, dependency-free.
+ */
+
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="e5a31927-2a55-5d1d-97e4-b6190988caa1")}catch(e){}}();
+export function splitCommaList(raw, options) {
+    if (raw === undefined || raw === null) {
+        return [];
+    }
+    const separators = options?.separators ?? /,/;
+    const parts = raw.split(separators);
+    const trimmed = parts.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+    const unique = options?.unique !== false;
+    const deduped = unique ? Array.from(new Set(trimmed)) : trimmed;
+    if (options?.sort === true) {
+        return [...deduped].sort();
+    }
+    return deduped;
+}
+//# sourceMappingURL=split-comma-list.js.map
+//# debugId=e5a31927-2a55-5d1d-97e4-b6190988caa1

package/dist/core/shared/split-comma-list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"split-comma-list.js","sources":["core/shared/split-comma-list.ts"],"sourceRoot":"/","sourcesContent":["export interface SplitCommaListOptions {\n  /** Separator pattern. Defaults to `/,/`. */\n  separators?: RegExp | string;\n  /** De-duplicate entries while preserving first-seen order. Defaults to `true`. */\n  unique?: boolean;\n  /** Sort entries lexicographically (default JS string sort). Defaults to `false`. */\n  sort?: boolean;\n}\n\n/**\n * Split a comma-separated (or custom-separator) string into trimmed, non-empty entries.\n *\n * Default behaviour:\n *   - Splits on `,`.\n *   - Trims each entry and discards empty results (collapsing leading/trailing/duplicate separators).\n *   - De-duplicates while preserving first-seen order.\n *   - Does not sort.\n *\n * Returns `[]` for `undefined`/`null` input. Pure, dependency-free.\n */\nexport function splitCommaList(raw: string | undefined | null, options?: SplitCommaListOptions): string[] {\n  if (raw === undefined || raw === null) {\n    return [];\n  }\n  const separators = options?.separators ?? /,/;\n  const parts = raw.split(separators as never);\n  const trimmed = parts.map((entry) => entry.trim()).filter((entry) => entry.length > 0);\n  const unique = options?.unique !== false;\n  const deduped = unique ? Array.from(new Set(trimmed)) : trimmed;\n  if (options?.sort === true) {\n    return [...deduped].sort();\n  }\n  return deduped;\n}\n"],"names":[],"mappings":"AASA;;;;;;;;;;GAUG;;;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B,EAAE,OAA+B;IAC5F,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,GAAG,CAAC;IAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,UAAmB,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACvF,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,KAAK,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAChE,IAAI,OAAO,EAAE,IAAI,KAAK,IAAI,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC","debugId":"e5a31927-2a55-5d1d-97e4-b6190988caa1"}

package/dist/mcp/server.js

@@ -1,12 +1,13 @@
 #!/usr/bin/env node
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="16ab349e-99ce-51eb-85d5-62e1c2c56c10")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="0b886283-0ee3-5dcd-bd65-6199134c8901")}catch(e){}}();
 import readline from "node:readline";
 import { fileURLToPath } from "node:url";
 import { activateExtensions, loadExtensions, runActiveCommandHandler, setActiveExtensionCommands, setActiveExtensionHooks, setActiveExtensionParsers, setActiveExtensionPreflight, setActiveExtensionRegistrations, setActiveExtensionRenderers, setActiveExtensionServices, } from "../core/extensions/index.js";
 import { pathExists } from "../core/fs/fs-utils.js";
 import { projectMutationResult } from "../core/output/mutation-projection.js";
 import { PmCliError } from "../core/shared/errors.js";
+import { decodeHtmlEntitiesInOptions } from "../core/shared/html-entity-decode.js";
 import { asRecordClone } from "../core/shared/primitives.js";
 import { getSettingsPath, resolvePmRoot } from "../core/store/paths.js";
 import { readSettings } from "../core/store/settings.js";
@@ -619,7 +620,13 @@ export async function handleRequest(request) {
         if (!handler) {
             throw new PmCliError(`Unknown pm MCP tool: ${name}`, 64);
         }
-        const args = asRecordClone(params.arguments);
+        // pm-ydkl: defensive HTML-entity decode for free-text fields. Claude / the
+        // Anthropic MCP SDK HTML-encodes `<` / `>` (and friends) in tool arguments
+        // before they reach pm-cli, which would otherwise leak `&lt;type&gt;` into
+        // stored pm comments / notes / item bodies. Direct CLI calls are not
+        // affected; decoding at the MCP boundary normalizes the agent path while
+        // leaving normal text untouched.
+        const args = decodeHtmlEntitiesInOptions(asRecordClone(params.arguments));
         const result = await withCwd(args.cwd, () => handler(args));
         return resultContent(result);
     }
@@ -669,4 +676,4 @@ if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
     startMcpServer();
 }
 //# sourceMappingURL=server.js.map
-//# debugId=16ab349e-99ce-51eb-85d5-62e1c2c56c10
+//# debugId=0b886283-0ee3-5dcd-bd65-6199134c8901