opencode-swarm 7.73.1 → 7.73.3

package/dist/cli/index.js

@@ -52,7 +52,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.73.1",
+    version: "7.73.3",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -40093,6 +40093,9 @@ import * as path19 from "path";
 function resolveLogPath(directory) {
   return validateSwarmPath(directory, "skill-usage.jsonl");
 }
+function normalizeComplianceVerdict(verdict) {
+  return verdict === "violation" ? "violated" : verdict;
+}
 function appendSkillUsageEntry(directory, entry) {
   const {
     skillPath,
@@ -40163,7 +40166,9 @@ function readSkillUsageEntries(directory, options) {
     if (!trimmed)
       continue;
     try {
-      entries.push(JSON.parse(trimmed));
+      const entry = JSON.parse(trimmed);
+      entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
+      entries.push(entry);
     } catch {}
   }
   if (!options)
@@ -40222,6 +40227,7 @@ function readSkillUsageEntriesTail(directory, filters, maxBytes = TAIL_BYTES_DEF
           continue;
         try {
           const entry = JSON.parse(line);
+          entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
           if (filters.sessionID !== undefined && entry.sessionID !== filters.sessionID) {
             continue;
           }
@@ -40256,7 +40262,7 @@ function computeComplianceByVersion(entries, skillPath) {
     stats.total += 1;
     if (e.complianceVerdict === "compliant")
       stats.compliant += 1;
-    if (e.complianceVerdict === "violation")
+    if (e.complianceVerdict === "violated")
       stats.violation += 1;
   }
   for (const stats of map3.values()) {
@@ -40369,7 +40375,7 @@ async function applySkillUsageFeedback(directory, options) {
   try {
     const allEntries = readSkillUsageEntries(directory);
     const actionable = allEntries.filter((e) => {
-      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violation") {
+      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violated") {
         return false;
       }
       if (options?.sinceTimestamp && e.timestamp <= options.sinceTimestamp) {
@@ -40395,7 +40401,7 @@ async function applySkillUsageFeedback(directory, options) {
       for (const entry of entries) {
         if (entry.complianceVerdict === "compliant")
           compliantCount++;
-        else if (entry.complianceVerdict === "violation")
+        else if (entry.complianceVerdict === "violated")
           violationCount++;
       }
       if (compliantCount === 0 && violationCount === 0)
@@ -40921,6 +40927,49 @@ var init_synonym_map = __esm(() => {
   MIN_READ_CEILING_BYTES = 64 * 1024;
 });
 
+// src/hooks/knowledge-reinforcement.ts
+function isActiveSwarmKnowledgeEntry(entry) {
+  return !INACTIVE_STATUSES.has(entry.status);
+}
+function findActiveSwarmNearDuplicate(lesson, entries, threshold) {
+  return findNearDuplicate(lesson, entries.filter(isActiveSwarmKnowledgeEntry), threshold);
+}
+function distinctPhaseCount(records) {
+  const phases = new Set;
+  for (const record3 of records ?? []) {
+    if (Number.isInteger(record3.phase_number)) {
+      phases.add(record3.phase_number);
+    }
+  }
+  return phases.size;
+}
+function reinforceSwarmKnowledgeEntry(entry, confirmation) {
+  if (!isActiveSwarmKnowledgeEntry(entry)) {
+    return { entryId: entry.id, reinforced: false, reason: "inactive" };
+  }
+  if ((entry.confirmed_by ?? []).some((record3) => record3.phase_number === confirmation.phase_number)) {
+    return {
+      entryId: entry.id,
+      reinforced: false,
+      reason: "already_confirmed_phase"
+    };
+  }
+  entry.confirmed_by = [...entry.confirmed_by ?? [], confirmation];
+  entry.updated_at = confirmation.confirmed_at;
+  entry.phases_alive = 0;
+  entry.confidence = computeConfidence(distinctPhaseCount(entry.confirmed_by), entry.auto_generated ?? false);
+  return { entryId: entry.id, reinforced: true, reason: "reinforced" };
+}
+var INACTIVE_STATUSES;
+var init_knowledge_reinforcement = __esm(() => {
+  init_knowledge_store();
+  INACTIVE_STATUSES = new Set([
+    "archived",
+    "quarantined",
+    "quarantined_unactionable"
+  ]);
+});
+
 // src/hooks/skill-scoring.ts
 import * as fs10 from "fs";
 import * as path22 from "path";
@@ -42244,6 +42293,7 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
   ]);
   const snapshotPlusNew = [...snapshot];
   const toAdd = [];
+  const pendingReinforcementIds = new Set;
   for (const lesson of lessons) {
     const tags = inferTags(lesson);
     let category = "process";
@@ -42273,8 +42323,9 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
         continue;
       }
     }
-    const duplicate = findNearDuplicate(lesson, snapshotPlusNew, config3.dedup_threshold);
+    const duplicate = findActiveSwarmNearDuplicate(lesson, snapshotPlusNew, config3.dedup_threshold);
     if (duplicate) {
+      pendingReinforcementIds.add(duplicate.id);
       skipped++;
       continue;
     }
@@ -42355,7 +42406,9 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
         } catch {}
         continue;
       }
-      if (findNearDuplicate(entry.lesson, snapshotPlusNew, config3.dedup_threshold)) {
+      const duplicate = findActiveSwarmNearDuplicate(entry.lesson, snapshotPlusNew, config3.dedup_threshold);
+      if (duplicate) {
+        pendingReinforcementIds.add(duplicate.id);
         skipped++;
         continue;
       }
@@ -42364,15 +42417,48 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
     }
   } catch {}
   let stored = 0;
-  if (toAdd.length > 0) {
+  let reinforced = 0;
+  if (toAdd.length > 0 || pendingReinforcementIds.size > 0) {
     await transactKnowledge(knowledgePath, (current) => {
-      const trulyNew = toAdd.filter((e) => !findNearDuplicate(e.lesson, current, config3.dedup_threshold));
-      const extraDups = toAdd.length - trulyNew.length;
-      skipped += extraDups;
-      if (trulyNew.length === 0)
-        return null;
-      stored = trulyNew.length;
-      return [...current, ...trulyNew];
+      let changed = false;
+      for (const id of pendingReinforcementIds) {
+        const existing = current.find((entry) => entry.id === id);
+        if (!existing)
+          continue;
+        const result = reinforceSwarmKnowledgeEntry(existing, {
+          phase_number: phaseInfo.phase_number,
+          confirmed_at: new Date().toISOString(),
+          project_name: projectName
+        });
+        if (result.reinforced) {
+          reinforced++;
+          changed = true;
+        }
+      }
+      const trulyNew = [];
+      for (const entry of toAdd) {
+        const duplicate = findActiveSwarmNearDuplicate(entry.lesson, current, config3.dedup_threshold);
+        if (duplicate) {
+          skipped++;
+          const result = reinforceSwarmKnowledgeEntry(duplicate, {
+            phase_number: phaseInfo.phase_number,
+            confirmed_at: new Date().toISOString(),
+            project_name: projectName
+          });
+          if (result.reinforced) {
+            reinforced++;
+            changed = true;
+          }
+          continue;
+        }
+        trulyNew.push(entry);
+      }
+      if (trulyNew.length > 0) {
+        current.push(...trulyNew);
+        stored = trulyNew.length;
+        changed = true;
+      }
+      return changed ? current : null;
     });
   }
   await enforceKnowledgeCap(knowledgePath, config3.swarm_max_entries);
@@ -42390,7 +42476,7 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
   if (!options?.skipAutoPromotion) {
     await _internals19.runAutoPromotion(directory, config3);
   }
-  return { stored, skipped, rejected, quarantined };
+  return { stored, reinforced, skipped, rejected, quarantined };
 }
 async function runAutoPromotion(directory, config3) {
   const knowledgePath = resolveSwarmKnowledgePath(directory);
@@ -42503,6 +42589,7 @@ var init_knowledge_curator = __esm(() => {
   init_synonym_map();
   init_logger();
   init_knowledge_events();
+  init_knowledge_reinforcement();
   init_knowledge_store();
   init_knowledge_validator();
   init_micro_reflector();
@@ -51391,8 +51478,8 @@ var init_history = __esm(() => {
   init_history_service();
 });
 
-// src/commands/pr-ref.ts
-import { execSync as execSync2 } from "child_process";
+// src/commands/_shared/url-security.ts
+import { spawnSync as spawnSync3 } from "child_process";
 function sanitizeUrl(raw) {
   let urlStr = raw.trim();
   urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
@@ -51410,13 +51497,29 @@ function sanitizeUrl(raw) {
   }
   return urlStr.trim();
 }
-function sanitizeInstructions(raw) {
-  const collapsed = raw.replace(/\s+/g, " ").trim();
-  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const normalized = stripped.replace(/\s+/g, " ").trim();
-  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
-    return normalized;
-  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}\u2026`;
+function sanitizeErrorEcho(raw, maxLength = 80) {
+  let stripped = "";
+  for (const ch of raw) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      stripped += " ";
+      continue;
+    }
+    stripped += ch;
+  }
+  const collapsed = stripped.replace(/\s+/g, " ").trim();
+  if (collapsed.length <= maxLength)
+    return collapsed;
+  return `${collapsed.slice(0, maxLength)}\u2026`;
+}
+function containsControlCharacters(value) {
+  for (const ch of value) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      return true;
+    }
+  }
+  return false;
 }
 function hasNonAsciiHostname(hostname5) {
   for (const ch of hostname5) {
@@ -51426,31 +51529,38 @@ function hasNonAsciiHostname(hostname5) {
   }
   return false;
 }
+function isIpv4MappedPrivateHost(inner) {
+  if (IPV4_PRIVATE.test(inner) || IPV4_LOOPBACK.test(inner) || IPV4_LINK_LOCAL.test(inner) || IPV4_PRIVATE_172.test(inner) || IPV4_PRIVATE_192.test(inner) || IPV4_ZERO_NETWORK.test(inner)) {
+    return true;
+  }
+  const firstSegment = inner.split(":", 1)[0];
+  if (!firstSegment)
+    return false;
+  const firstWord = Number.parseInt(firstSegment, 16);
+  if (!Number.isFinite(firstWord))
+    return false;
+  return firstWord >= 0 && firstWord <= 255 || firstWord >= 2560 && firstWord <= 2815 || firstWord >= 32512 && firstWord <= 32767 || firstWord === 43518 || firstWord >= 44048 && firstWord <= 44063 || firstWord === 49320;
+}
 function isPrivateHost(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
+  const host = url3.hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (host === "localhost" || host === "::1" || host === "0.0.0.0" || IPV4_LOOPBACK.test(host) || IPV4_ZERO_NETWORK.test(host)) {
     return true;
   }
   if (host.startsWith("localhost") || host === "localhost.com") {
     return true;
   }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
+  if (IPV4_PRIVATE.test(host) || IPV4_LINK_LOCAL.test(host) || IPV4_PRIVATE_172.test(host) || IPV4_PRIVATE_192.test(host) || IPV6_LINK_LOCAL.test(host) || IPV6_UNIQUE_LOCAL.test(host)) {
     return true;
   }
   if (host.startsWith("::ffff:")) {
     const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
+    if (isIpv4MappedPrivateHost(inner)) {
       return true;
     }
   }
   return false;
 }
-function validateAndSanitizeUrl(rawUrl) {
+function validateAndSanitizeGithubUrl(rawUrl, resource) {
   const sanitized = sanitizeUrl(rawUrl);
   if (!sanitized) {
     return { error: "Empty URL" };
@@ -51466,10 +51576,10 @@ function validateAndSanitizeUrl(rawUrl) {
     if (isPrivateHost(url3)) {
       return { error: "Private or localhost URLs are not allowed" };
     }
-    const githubPrPattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/([0-9]+)\/?$/;
-    if (!githubPrPattern.test(sanitized)) {
+    const githubPattern = new RegExp(`^https:\\/\\/github\\.com\\/([^/]+)\\/([^/]+)\\/${resource}\\/([0-9]+)\\/?$`);
+    if (!githubPattern.test(sanitized)) {
       return {
-        error: "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
+        error: resource === "issues" ? "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)" : "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
       };
     }
     return { sanitized };
@@ -51477,50 +51587,18 @@ function validateAndSanitizeUrl(rawUrl) {
     return { error: "Invalid URL format" };
   }
 }
-function parsePrRef(input, cwd) {
-  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
-  if (urlMatch) {
-    return {
-      owner: urlMatch[1],
-      repo: urlMatch[2],
-      number: parseInt(urlMatch[3], 10)
-    };
-  }
-  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
-  if (shorthandMatch) {
-    return {
-      owner: shorthandMatch[1],
-      repo: shorthandMatch[2],
-      number: parseInt(shorthandMatch[3], 10)
-    };
-  }
-  const bareMatch = input.match(/^(\d+)$/);
-  if (bareMatch) {
-    const prNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote(cwd);
-    if (!remoteUrl) {
-      return null;
-    }
-    const parsed = parseGitRemoteUrl(remoteUrl);
-    if (!parsed) {
-      return null;
-    }
-    return {
-      owner: parsed.owner,
-      repo: parsed.repo,
-      number: prNumber
-    };
-  }
-  return null;
-}
 function detectGitRemote(cwd) {
   try {
-    const remoteUrl = _internals28.execSync("git remote get-url origin", {
+    const result = _internals28.spawnSync("git", ["remote", "get-url", "origin"], {
       encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
+      stdio: ["ignore", "pipe", "pipe"],
       timeout: 5000,
       ...cwd ? { cwd } : {}
-    }).trim();
+    });
+    if (result.status !== 0 || result.error) {
+      return null;
+    }
+    const remoteUrl = (result.stdout ?? "").trim();
     return remoteUrl || null;
   } catch {
     return null;
@@ -51529,123 +51607,49 @@ function detectGitRemote(cwd) {
 function parseGitRemoteUrl(remoteUrl) {
   const httpsMatch = remoteUrl.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/i);
   if (httpsMatch) {
-    return {
-      owner: httpsMatch[1],
-      repo: httpsMatch[2].replace(/\.git$/, "")
-    };
+    const owner = httpsMatch[1];
+    const repo = httpsMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const sshMatch = remoteUrl.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/i);
   if (sshMatch) {
-    return {
-      owner: sshMatch[1],
-      repo: sshMatch[2].replace(/\.git$/, "")
-    };
+    const owner = sshMatch[1];
+    const repo = sshMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const pathMatch = remoteUrl.match(/\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/);
   if (pathMatch) {
-    return {
-      owner: pathMatch[1],
-      repo: pathMatch[2].replace(/\.git$/, "")
-    };
+    const owner = pathMatch[1];
+    const repo = pathMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   return null;
 }
-function looksLikePrRef(token) {
-  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
-}
-function resolvePrCommandInput(rest, cwd) {
-  if (rest.length === 0) {
-    return null;
-  }
-  const refToken = rest[0];
-  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
-  const isFullUrl = /^https?:\/\//i.test(refToken);
-  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
-  if (!prInfo) {
-    return { error: `Could not parse PR reference from "${refToken}"` };
-  }
-  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
-  const result = validateAndSanitizeUrl(prUrl);
-  if ("error" in result) {
-    return { error: result.error };
-  }
-  return { prUrl: result.sanitized, instructions };
-}
-var _internals28, MAX_URL_LEN = 2048, MAX_INSTRUCTIONS_LEN = 1000;
-var init_pr_ref = __esm(() => {
-  _internals28 = { execSync: execSync2 };
+var MAX_URL_LEN = 2048, IPV4_PRIVATE, IPV4_LOOPBACK, IPV4_LINK_LOCAL, IPV4_PRIVATE_172, IPV4_PRIVATE_192, IPV4_ZERO_NETWORK, IPV6_LINK_LOCAL, IPV6_UNIQUE_LOCAL, _internals28;
+var init_url_security = __esm(() => {
+  IPV4_PRIVATE = /^10\./;
+  IPV4_LOOPBACK = /^127\./;
+  IPV4_LINK_LOCAL = /^169\.254\./;
+  IPV4_PRIVATE_172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
+  IPV4_PRIVATE_192 = /^192\.168\./;
+  IPV4_ZERO_NETWORK = /^0\./;
+  IPV6_LINK_LOCAL = /^fe80:/i;
+  IPV6_UNIQUE_LOCAL = /^f[cd][0-9a-f]{2}:/i;
+  _internals28 = { spawnSync: spawnSync3 };
 });
 
 // src/commands/issue.ts
-import { execSync as execSync3 } from "child_process";
-function sanitizeUrl2(raw) {
-  let urlStr = raw.trim();
-  urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const fragmentIdx = urlStr.indexOf("#");
-  if (fragmentIdx !== -1) {
-    urlStr = urlStr.slice(0, fragmentIdx);
-  }
-  const queryIdx = urlStr.indexOf("?");
-  if (queryIdx !== -1) {
-    urlStr = urlStr.slice(0, queryIdx);
-  }
-  urlStr = urlStr.replace(/^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^@/]+@/, "https://");
-  if (urlStr.length > MAX_URL_LEN2) {
-    urlStr = urlStr.slice(0, MAX_URL_LEN2);
-  }
-  return urlStr.trim();
-}
-function isPrivateHost2(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
-    return true;
-  }
-  if (host.startsWith("localhost") || host === "localhost.com") {
-    return true;
-  }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
-    return true;
-  }
-  if (host.startsWith("::ffff:")) {
-    const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
-      return true;
-    }
-  }
-  return false;
-}
-function validateAndSanitizeUrl2(rawUrl) {
-  const sanitized = sanitizeUrl2(rawUrl);
-  if (!sanitized) {
-    return { error: "Empty URL" };
-  }
-  if (!sanitized.startsWith("https://")) {
-    return { error: "URL must use HTTPS scheme" };
-  }
-  try {
-    const url3 = new URL(sanitized);
-    const hostname5 = url3.hostname;
-    if (/[\u0080-\u{10FFFF}]/u.test(hostname5)) {
-      return { error: "Non-ASCII hostnames are not allowed" };
-    }
-    if (isPrivateHost2(url3)) {
-      return { error: "Private or localhost URLs are not allowed" };
-    }
-    const githubIssuePattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/([0-9]+)\/?$/;
-    if (!githubIssuePattern.test(sanitized)) {
-      return {
-        error: "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)"
-      };
-    }
-    return { sanitized };
-  } catch {
-    return { error: "Invalid URL format" };
-  }
+function validateAndSanitizeUrl(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "issues");
 }
 function parseArgs6(args) {
   const out = {
@@ -51672,9 +51676,12 @@ function parseArgs6(args) {
   }
   return out;
 }
-function parseIssueRef(input) {
+function parseIssueRef(input, directory) {
   const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/(\d+)\/?$/i);
   if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
     return {
       owner: urlMatch[1],
       repo: urlMatch[2],
@@ -51683,6 +51690,9 @@ function parseIssueRef(input) {
   }
   const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
   if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
     return {
       owner: shorthandMatch[1],
       repo: shorthandMatch[2],
@@ -51692,7 +51702,7 @@ function parseIssueRef(input) {
   const bareMatch = input.match(/^(\d+)$/);
   if (bareMatch) {
     const issueNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote2();
+    const remoteUrl = detectGitRemote(directory);
     if (!remoteUrl) {
       return null;
     }
@@ -51708,33 +51718,21 @@ function parseIssueRef(input) {
   }
   return null;
 }
-function detectGitRemote2() {
-  try {
-    const remoteUrl = execSync3("git remote get-url origin", {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
-      timeout: 5000
-    }).trim();
-    return remoteUrl || null;
-  } catch {
-    return null;
-  }
-}
-function handleIssueCommand(_directory, args) {
+function handleIssueCommand(directory, args) {
   const parsed = parseArgs6(args);
   const rawInput = parsed.rest.join(" ").trim();
   if (!rawInput) {
     return USAGE6;
   }
   const isFullUrl = /^https?:\/\//i.test(rawInput);
-  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl2(rawInput) : rawInput);
+  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl(rawInput) : rawInput, directory);
   if (!issueInfo) {
-    return `Error: Could not parse issue reference from "${rawInput}"
+    return `Error: Could not parse issue reference from "${sanitizeErrorEcho(rawInput)}"
 
 ${USAGE6}`;
   }
   const issueUrl = `https://github.com/${issueInfo.owner}/${issueInfo.repo}/issues/${issueInfo.number}`;
-  const result = validateAndSanitizeUrl2(issueUrl);
+  const result = validateAndSanitizeUrl(issueUrl);
   if ("error" in result) {
     return `Error: ${result.error}
 
@@ -51750,9 +51748,9 @@ ${USAGE6}`;
   const flagsStr = flags.length > 0 ? ` ${flags.join(" ")}` : "";
   return `[MODE: ISSUE_INGEST issue="${result.sanitized}"${flagsStr}]`;
 }
-var MAX_URL_LEN2 = 2048, USAGE6;
+var USAGE6;
 var init_issue = __esm(() => {
-  init_pr_ref();
+  init_url_security();
   USAGE6 = [
     "Usage: /swarm issue <url|owner/repo#N|N> [--plan] [--trace] [--no-repro]",
     "",
@@ -55944,6 +55942,88 @@ var init_post_mortem = __esm(() => {
   init_curator_postmortem();
 });
 
+// src/commands/pr-ref.ts
+function sanitizeInstructions(raw) {
+  const collapsed = raw.replace(/\s+/g, " ").trim();
+  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
+  const normalized = stripped.replace(/\s+/g, " ").trim();
+  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
+    return normalized;
+  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}\u2026`;
+}
+function validateAndSanitizeUrl2(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "pull");
+}
+function parsePrRef(input, cwd) {
+  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
+  if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
+    return {
+      owner: urlMatch[1],
+      repo: urlMatch[2],
+      number: parseInt(urlMatch[3], 10)
+    };
+  }
+  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
+  if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
+    return {
+      owner: shorthandMatch[1],
+      repo: shorthandMatch[2],
+      number: parseInt(shorthandMatch[3], 10)
+    };
+  }
+  const bareMatch = input.match(/^(\d+)$/);
+  if (bareMatch) {
+    const prNumber = parseInt(bareMatch[1], 10);
+    const remoteUrl = detectGitRemote(cwd);
+    if (!remoteUrl) {
+      return null;
+    }
+    const parsed = parseGitRemoteUrl(remoteUrl);
+    if (!parsed) {
+      return null;
+    }
+    return {
+      owner: parsed.owner,
+      repo: parsed.repo,
+      number: prNumber
+    };
+  }
+  return null;
+}
+function looksLikePrRef(token) {
+  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
+}
+function resolvePrCommandInput(rest, cwd) {
+  if (rest.length === 0) {
+    return null;
+  }
+  const refToken = rest[0];
+  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
+  const isFullUrl = /^https?:\/\//i.test(refToken);
+  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
+  if (!prInfo) {
+    return {
+      error: `Could not parse PR reference from "${sanitizeErrorEcho(refToken)}"`
+    };
+  }
+  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
+  const result = validateAndSanitizeUrl2(prUrl);
+  if ("error" in result) {
+    return { error: result.error };
+  }
+  return { prUrl: result.sanitized, instructions };
+}
+var MAX_INSTRUCTIONS_LEN = 1000;
+var init_pr_ref = __esm(() => {
+  init_url_security();
+});
+
 // src/commands/pr-feedback.ts
 function handlePrFeedbackCommand(directory, args) {
   const rest = args.filter((t) => t.trim().length > 0);