opencode-swarm 7.73.1 → 7.73.3

package/dist/index.js

@@ -69,7 +69,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.73.1",
+    version: "7.73.3",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -62433,6 +62433,9 @@ import * as path37 from "node:path";
 function resolveLogPath(directory) {
   return validateSwarmPath(directory, "skill-usage.jsonl");
 }
+function normalizeComplianceVerdict(verdict) {
+  return verdict === "violation" ? "violated" : verdict;
+}
 function appendSkillUsageEntry(directory, entry) {
   const {
     skillPath,
@@ -62503,7 +62506,9 @@ function readSkillUsageEntries(directory, options) {
     if (!trimmed)
       continue;
     try {
-      entries.push(JSON.parse(trimmed));
+      const entry = JSON.parse(trimmed);
+      entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
+      entries.push(entry);
     } catch {}
   }
   if (!options)
@@ -62562,6 +62567,7 @@ function readSkillUsageEntriesTail(directory, filters, maxBytes = TAIL_BYTES_DEF
           continue;
         try {
           const entry = JSON.parse(line);
+          entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
           if (filters.sessionID !== undefined && entry.sessionID !== filters.sessionID) {
             continue;
           }
@@ -62596,7 +62602,7 @@ function computeComplianceByVersion(entries, skillPath) {
     stats.total += 1;
     if (e.complianceVerdict === "compliant")
       stats.compliant += 1;
-    if (e.complianceVerdict === "violation")
+    if (e.complianceVerdict === "violated")
       stats.violation += 1;
   }
   for (const stats of map3.values()) {
@@ -62709,7 +62715,7 @@ async function applySkillUsageFeedback(directory, options) {
   try {
     const allEntries = readSkillUsageEntries(directory);
     const actionable = allEntries.filter((e) => {
-      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violation") {
+      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violated") {
         return false;
       }
       if (options?.sinceTimestamp && e.timestamp <= options.sinceTimestamp) {
@@ -62735,7 +62741,7 @@ async function applySkillUsageFeedback(directory, options) {
       for (const entry of entries) {
         if (entry.complianceVerdict === "compliant")
           compliantCount++;
-        else if (entry.complianceVerdict === "violation")
+        else if (entry.complianceVerdict === "violated")
           violationCount++;
       }
       if (compliantCount === 0 && violationCount === 0)
@@ -62819,7 +62825,7 @@ async function autoRetireSkills(directory, curatorKnowledgePath, excludeSlugs) {
           return true;
         return false;
       });
-      const violations = skillUsage.filter((e) => e.complianceVerdict === "violation").length;
+      const violations = skillUsage.filter((e) => e.complianceVerdict === "violated").length;
       const violationRate = skillUsage.length > 0 ? violations / skillUsage.length : 0;
       let allArchived = false;
       try {
@@ -63484,7 +63490,7 @@ ${phaseDigest.summary}`,
         });
         if (skillUsage.length === 0)
           continue;
-        const violations = skillUsage.filter((e) => e.complianceVerdict === "violation").length;
+        const violations = skillUsage.filter((e) => e.complianceVerdict === "violated").length;
         const violationRate = violations / skillUsage.length;
         if (violationRate > REVISION_VIOLATION_THRESHOLD && violationRate <= 0.3) {
           const content = await _internals27.readFileAsync(active.path, "utf-8");
@@ -63492,7 +63498,7 @@ ${phaseDigest.summary}`,
           if (fm && fm.skillOrigin === "promoted_external")
             continue;
           const currentVersion = fm?.version ?? 1;
-          const violationContexts = skillUsage.filter((e) => e.complianceVerdict === "violation").slice(-10).map((e) => ({
+          const violationContexts = skillUsage.filter((e) => e.complianceVerdict === "violated").slice(-10).map((e) => ({
             taskId: e.taskID,
             agent: e.agentName,
             verdict: e.complianceVerdict,
@@ -64285,6 +64291,49 @@ var init_synonym_map = __esm(() => {
   MIN_READ_CEILING_BYTES = 64 * 1024;
 });
 
+// src/hooks/knowledge-reinforcement.ts
+function isActiveSwarmKnowledgeEntry(entry) {
+  return !INACTIVE_STATUSES.has(entry.status);
+}
+function findActiveSwarmNearDuplicate(lesson, entries, threshold) {
+  return findNearDuplicate(lesson, entries.filter(isActiveSwarmKnowledgeEntry), threshold);
+}
+function distinctPhaseCount(records) {
+  const phases = new Set;
+  for (const record3 of records ?? []) {
+    if (Number.isInteger(record3.phase_number)) {
+      phases.add(record3.phase_number);
+    }
+  }
+  return phases.size;
+}
+function reinforceSwarmKnowledgeEntry(entry, confirmation) {
+  if (!isActiveSwarmKnowledgeEntry(entry)) {
+    return { entryId: entry.id, reinforced: false, reason: "inactive" };
+  }
+  if ((entry.confirmed_by ?? []).some((record3) => record3.phase_number === confirmation.phase_number)) {
+    return {
+      entryId: entry.id,
+      reinforced: false,
+      reason: "already_confirmed_phase"
+    };
+  }
+  entry.confirmed_by = [...entry.confirmed_by ?? [], confirmation];
+  entry.updated_at = confirmation.confirmed_at;
+  entry.phases_alive = 0;
+  entry.confidence = computeConfidence(distinctPhaseCount(entry.confirmed_by), entry.auto_generated ?? false);
+  return { entryId: entry.id, reinforced: true, reason: "reinforced" };
+}
+var INACTIVE_STATUSES;
+var init_knowledge_reinforcement = __esm(() => {
+  init_knowledge_store();
+  INACTIVE_STATUSES = new Set([
+    "archived",
+    "quarantined",
+    "quarantined_unactionable"
+  ]);
+});
+
 // src/hooks/skill-scoring.ts
 import * as fs21 from "node:fs";
 import * as path41 from "node:path";
@@ -65838,6 +65887,7 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
   ]);
   const snapshotPlusNew = [...snapshot];
   const toAdd = [];
+  const pendingReinforcementIds = new Set;
   for (const lesson of lessons) {
     const tags = inferTags(lesson);
     let category = "process";
@@ -65867,8 +65917,9 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
         continue;
       }
     }
-    const duplicate = findNearDuplicate(lesson, snapshotPlusNew, config3.dedup_threshold);
+    const duplicate = findActiveSwarmNearDuplicate(lesson, snapshotPlusNew, config3.dedup_threshold);
     if (duplicate) {
+      pendingReinforcementIds.add(duplicate.id);
       skipped++;
       continue;
     }
@@ -65949,7 +66000,9 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
         } catch {}
         continue;
       }
-      if (findNearDuplicate(entry.lesson, snapshotPlusNew, config3.dedup_threshold)) {
+      const duplicate = findActiveSwarmNearDuplicate(entry.lesson, snapshotPlusNew, config3.dedup_threshold);
+      if (duplicate) {
+        pendingReinforcementIds.add(duplicate.id);
         skipped++;
         continue;
       }
@@ -65958,15 +66011,48 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
     }
   } catch {}
   let stored = 0;
-  if (toAdd.length > 0) {
+  let reinforced = 0;
+  if (toAdd.length > 0 || pendingReinforcementIds.size > 0) {
     await transactKnowledge(knowledgePath, (current) => {
-      const trulyNew = toAdd.filter((e) => !findNearDuplicate(e.lesson, current, config3.dedup_threshold));
-      const extraDups = toAdd.length - trulyNew.length;
-      skipped += extraDups;
-      if (trulyNew.length === 0)
-        return null;
-      stored = trulyNew.length;
-      return [...current, ...trulyNew];
+      let changed = false;
+      for (const id of pendingReinforcementIds) {
+        const existing = current.find((entry) => entry.id === id);
+        if (!existing)
+          continue;
+        const result = reinforceSwarmKnowledgeEntry(existing, {
+          phase_number: phaseInfo.phase_number,
+          confirmed_at: new Date().toISOString(),
+          project_name: projectName
+        });
+        if (result.reinforced) {
+          reinforced++;
+          changed = true;
+        }
+      }
+      const trulyNew = [];
+      for (const entry of toAdd) {
+        const duplicate = findActiveSwarmNearDuplicate(entry.lesson, current, config3.dedup_threshold);
+        if (duplicate) {
+          skipped++;
+          const result = reinforceSwarmKnowledgeEntry(duplicate, {
+            phase_number: phaseInfo.phase_number,
+            confirmed_at: new Date().toISOString(),
+            project_name: projectName
+          });
+          if (result.reinforced) {
+            reinforced++;
+            changed = true;
+          }
+          continue;
+        }
+        trulyNew.push(entry);
+      }
+      if (trulyNew.length > 0) {
+        current.push(...trulyNew);
+        stored = trulyNew.length;
+        changed = true;
+      }
+      return changed ? current : null;
     });
   }
   await enforceKnowledgeCap(knowledgePath, config3.swarm_max_entries);
@@ -65984,7 +66070,7 @@ async function curateAndStoreSwarm(lessons, projectName, phaseInfo, directory, c
   if (!options?.skipAutoPromotion) {
     await _internals30.runAutoPromotion(directory, config3);
   }
-  return { stored, skipped, rejected, quarantined };
+  return { stored, reinforced, skipped, rejected, quarantined };
 }
 async function runAutoPromotion(directory, config3) {
   const knowledgePath = resolveSwarmKnowledgePath(directory);
@@ -66097,6 +66183,7 @@ var init_knowledge_curator = __esm(() => {
   init_synonym_map();
   init_logger();
   init_knowledge_events();
+  init_knowledge_reinforcement();
   init_knowledge_store();
   init_knowledge_validator();
   init_micro_reflector();
@@ -75112,8 +75199,8 @@ var init_history = __esm(() => {
   init_history_service();
 });
 
-// src/commands/pr-ref.ts
-import { execSync as execSync2 } from "node:child_process";
+// src/commands/_shared/url-security.ts
+import { spawnSync as spawnSync8 } from "node:child_process";
 function sanitizeUrl(raw) {
   let urlStr = raw.trim();
   urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
@@ -75131,13 +75218,29 @@ function sanitizeUrl(raw) {
   }
   return urlStr.trim();
 }
-function sanitizeInstructions(raw) {
-  const collapsed = raw.replace(/\s+/g, " ").trim();
-  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const normalized = stripped.replace(/\s+/g, " ").trim();
-  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
-    return normalized;
-  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}…`;
+function sanitizeErrorEcho(raw, maxLength = 80) {
+  let stripped = "";
+  for (const ch of raw) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      stripped += " ";
+      continue;
+    }
+    stripped += ch;
+  }
+  const collapsed = stripped.replace(/\s+/g, " ").trim();
+  if (collapsed.length <= maxLength)
+    return collapsed;
+  return `${collapsed.slice(0, maxLength)}…`;
+}
+function containsControlCharacters(value) {
+  for (const ch of value) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      return true;
+    }
+  }
+  return false;
 }
 function hasNonAsciiHostname(hostname5) {
   for (const ch of hostname5) {
@@ -75147,31 +75250,38 @@ function hasNonAsciiHostname(hostname5) {
   }
   return false;
 }
+function isIpv4MappedPrivateHost(inner) {
+  if (IPV4_PRIVATE.test(inner) || IPV4_LOOPBACK.test(inner) || IPV4_LINK_LOCAL.test(inner) || IPV4_PRIVATE_172.test(inner) || IPV4_PRIVATE_192.test(inner) || IPV4_ZERO_NETWORK.test(inner)) {
+    return true;
+  }
+  const firstSegment = inner.split(":", 1)[0];
+  if (!firstSegment)
+    return false;
+  const firstWord = Number.parseInt(firstSegment, 16);
+  if (!Number.isFinite(firstWord))
+    return false;
+  return firstWord >= 0 && firstWord <= 255 || firstWord >= 2560 && firstWord <= 2815 || firstWord >= 32512 && firstWord <= 32767 || firstWord === 43518 || firstWord >= 44048 && firstWord <= 44063 || firstWord === 49320;
+}
 function isPrivateHost(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
+  const host = url3.hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (host === "localhost" || host === "::1" || host === "0.0.0.0" || IPV4_LOOPBACK.test(host) || IPV4_ZERO_NETWORK.test(host)) {
     return true;
   }
   if (host.startsWith("localhost") || host === "localhost.com") {
     return true;
   }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
+  if (IPV4_PRIVATE.test(host) || IPV4_LINK_LOCAL.test(host) || IPV4_PRIVATE_172.test(host) || IPV4_PRIVATE_192.test(host) || IPV6_LINK_LOCAL.test(host) || IPV6_UNIQUE_LOCAL.test(host)) {
     return true;
   }
   if (host.startsWith("::ffff:")) {
     const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
+    if (isIpv4MappedPrivateHost(inner)) {
       return true;
     }
   }
   return false;
 }
-function validateAndSanitizeUrl(rawUrl) {
+function validateAndSanitizeGithubUrl(rawUrl, resource) {
   const sanitized = sanitizeUrl(rawUrl);
   if (!sanitized) {
     return { error: "Empty URL" };
@@ -75187,10 +75297,10 @@ function validateAndSanitizeUrl(rawUrl) {
     if (isPrivateHost(url3)) {
       return { error: "Private or localhost URLs are not allowed" };
     }
-    const githubPrPattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/([0-9]+)\/?$/;
-    if (!githubPrPattern.test(sanitized)) {
+    const githubPattern = new RegExp(`^https:\\/\\/github\\.com\\/([^/]+)\\/([^/]+)\\/${resource}\\/([0-9]+)\\/?$`);
+    if (!githubPattern.test(sanitized)) {
       return {
-        error: "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
+        error: resource === "issues" ? "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)" : "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
       };
     }
     return { sanitized };
@@ -75198,50 +75308,18 @@ function validateAndSanitizeUrl(rawUrl) {
     return { error: "Invalid URL format" };
   }
 }
-function parsePrRef(input, cwd) {
-  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
-  if (urlMatch) {
-    return {
-      owner: urlMatch[1],
-      repo: urlMatch[2],
-      number: parseInt(urlMatch[3], 10)
-    };
-  }
-  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
-  if (shorthandMatch) {
-    return {
-      owner: shorthandMatch[1],
-      repo: shorthandMatch[2],
-      number: parseInt(shorthandMatch[3], 10)
-    };
-  }
-  const bareMatch = input.match(/^(\d+)$/);
-  if (bareMatch) {
-    const prNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote(cwd);
-    if (!remoteUrl) {
-      return null;
-    }
-    const parsed = parseGitRemoteUrl(remoteUrl);
-    if (!parsed) {
-      return null;
-    }
-    return {
-      owner: parsed.owner,
-      repo: parsed.repo,
-      number: prNumber
-    };
-  }
-  return null;
-}
 function detectGitRemote(cwd) {
   try {
-    const remoteUrl = _internals39.execSync("git remote get-url origin", {
+    const result = _internals39.spawnSync("git", ["remote", "get-url", "origin"], {
       encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
+      stdio: ["ignore", "pipe", "pipe"],
       timeout: 5000,
       ...cwd ? { cwd } : {}
-    }).trim();
+    });
+    if (result.status !== 0 || result.error) {
+      return null;
+    }
+    const remoteUrl = (result.stdout ?? "").trim();
     return remoteUrl || null;
   } catch {
     return null;
@@ -75250,123 +75328,49 @@ function detectGitRemote(cwd) {
 function parseGitRemoteUrl(remoteUrl) {
   const httpsMatch = remoteUrl.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/i);
   if (httpsMatch) {
-    return {
-      owner: httpsMatch[1],
-      repo: httpsMatch[2].replace(/\.git$/, "")
-    };
+    const owner = httpsMatch[1];
+    const repo = httpsMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const sshMatch = remoteUrl.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/i);
   if (sshMatch) {
-    return {
-      owner: sshMatch[1],
-      repo: sshMatch[2].replace(/\.git$/, "")
-    };
+    const owner = sshMatch[1];
+    const repo = sshMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const pathMatch = remoteUrl.match(/\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/);
   if (pathMatch) {
-    return {
-      owner: pathMatch[1],
-      repo: pathMatch[2].replace(/\.git$/, "")
-    };
+    const owner = pathMatch[1];
+    const repo = pathMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   return null;
 }
-function looksLikePrRef(token) {
-  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
-}
-function resolvePrCommandInput(rest, cwd) {
-  if (rest.length === 0) {
-    return null;
-  }
-  const refToken = rest[0];
-  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
-  const isFullUrl = /^https?:\/\//i.test(refToken);
-  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
-  if (!prInfo) {
-    return { error: `Could not parse PR reference from "${refToken}"` };
-  }
-  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
-  const result = validateAndSanitizeUrl(prUrl);
-  if ("error" in result) {
-    return { error: result.error };
-  }
-  return { prUrl: result.sanitized, instructions };
-}
-var _internals39, MAX_URL_LEN = 2048, MAX_INSTRUCTIONS_LEN = 1000;
-var init_pr_ref = __esm(() => {
-  _internals39 = { execSync: execSync2 };
+var MAX_URL_LEN = 2048, IPV4_PRIVATE, IPV4_LOOPBACK, IPV4_LINK_LOCAL, IPV4_PRIVATE_172, IPV4_PRIVATE_192, IPV4_ZERO_NETWORK, IPV6_LINK_LOCAL, IPV6_UNIQUE_LOCAL, _internals39;
+var init_url_security = __esm(() => {
+  IPV4_PRIVATE = /^10\./;
+  IPV4_LOOPBACK = /^127\./;
+  IPV4_LINK_LOCAL = /^169\.254\./;
+  IPV4_PRIVATE_172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
+  IPV4_PRIVATE_192 = /^192\.168\./;
+  IPV4_ZERO_NETWORK = /^0\./;
+  IPV6_LINK_LOCAL = /^fe80:/i;
+  IPV6_UNIQUE_LOCAL = /^f[cd][0-9a-f]{2}:/i;
+  _internals39 = { spawnSync: spawnSync8 };
 });
 
 // src/commands/issue.ts
-import { execSync as execSync3 } from "node:child_process";
-function sanitizeUrl2(raw) {
-  let urlStr = raw.trim();
-  urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const fragmentIdx = urlStr.indexOf("#");
-  if (fragmentIdx !== -1) {
-    urlStr = urlStr.slice(0, fragmentIdx);
-  }
-  const queryIdx = urlStr.indexOf("?");
-  if (queryIdx !== -1) {
-    urlStr = urlStr.slice(0, queryIdx);
-  }
-  urlStr = urlStr.replace(/^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^@/]+@/, "https://");
-  if (urlStr.length > MAX_URL_LEN2) {
-    urlStr = urlStr.slice(0, MAX_URL_LEN2);
-  }
-  return urlStr.trim();
-}
-function isPrivateHost2(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
-    return true;
-  }
-  if (host.startsWith("localhost") || host === "localhost.com") {
-    return true;
-  }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
-    return true;
-  }
-  if (host.startsWith("::ffff:")) {
-    const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
-      return true;
-    }
-  }
-  return false;
-}
-function validateAndSanitizeUrl2(rawUrl) {
-  const sanitized = sanitizeUrl2(rawUrl);
-  if (!sanitized) {
-    return { error: "Empty URL" };
-  }
-  if (!sanitized.startsWith("https://")) {
-    return { error: "URL must use HTTPS scheme" };
-  }
-  try {
-    const url3 = new URL(sanitized);
-    const hostname5 = url3.hostname;
-    if (/[\u0080-\u{10FFFF}]/u.test(hostname5)) {
-      return { error: "Non-ASCII hostnames are not allowed" };
-    }
-    if (isPrivateHost2(url3)) {
-      return { error: "Private or localhost URLs are not allowed" };
-    }
-    const githubIssuePattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/([0-9]+)\/?$/;
-    if (!githubIssuePattern.test(sanitized)) {
-      return {
-        error: "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)"
-      };
-    }
-    return { sanitized };
-  } catch {
-    return { error: "Invalid URL format" };
-  }
+function validateAndSanitizeUrl(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "issues");
 }
 function parseArgs6(args2) {
   const out2 = {
@@ -75393,9 +75397,12 @@ function parseArgs6(args2) {
   }
   return out2;
 }
-function parseIssueRef(input) {
+function parseIssueRef(input, directory) {
   const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/(\d+)\/?$/i);
   if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
     return {
       owner: urlMatch[1],
       repo: urlMatch[2],
@@ -75404,6 +75411,9 @@ function parseIssueRef(input) {
   }
   const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
   if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
     return {
       owner: shorthandMatch[1],
       repo: shorthandMatch[2],
@@ -75413,7 +75423,7 @@ function parseIssueRef(input) {
   const bareMatch = input.match(/^(\d+)$/);
   if (bareMatch) {
     const issueNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote2();
+    const remoteUrl = detectGitRemote(directory);
     if (!remoteUrl) {
       return null;
     }
@@ -75429,33 +75439,21 @@ function parseIssueRef(input) {
   }
   return null;
 }
-function detectGitRemote2() {
-  try {
-    const remoteUrl = execSync3("git remote get-url origin", {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
-      timeout: 5000
-    }).trim();
-    return remoteUrl || null;
-  } catch {
-    return null;
-  }
-}
-function handleIssueCommand(_directory, args2) {
+function handleIssueCommand(directory, args2) {
   const parsed = parseArgs6(args2);
   const rawInput = parsed.rest.join(" ").trim();
   if (!rawInput) {
     return USAGE6;
   }
   const isFullUrl = /^https?:\/\//i.test(rawInput);
-  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl2(rawInput) : rawInput);
+  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl(rawInput) : rawInput, directory);
   if (!issueInfo) {
-    return `Error: Could not parse issue reference from "${rawInput}"
+    return `Error: Could not parse issue reference from "${sanitizeErrorEcho(rawInput)}"
 
 ${USAGE6}`;
   }
   const issueUrl = `https://github.com/${issueInfo.owner}/${issueInfo.repo}/issues/${issueInfo.number}`;
-  const result = validateAndSanitizeUrl2(issueUrl);
+  const result = validateAndSanitizeUrl(issueUrl);
   if ("error" in result) {
     return `Error: ${result.error}
 
@@ -75471,9 +75469,9 @@ ${USAGE6}`;
   const flagsStr = flags2.length > 0 ? ` ${flags2.join(" ")}` : "";
   return `[MODE: ISSUE_INGEST issue="${result.sanitized}"${flagsStr}]`;
 }
-var MAX_URL_LEN2 = 2048, USAGE6;
+var USAGE6;
 var init_issue = __esm(() => {
-  init_pr_ref();
+  init_url_security();
   USAGE6 = [
     "Usage: /swarm issue <url|owner/repo#N|N> [--plan] [--trace] [--no-repro]",
     "",
@@ -80656,6 +80654,88 @@ var init_post_mortem = __esm(() => {
   init_curator_postmortem();
 });
 
+// src/commands/pr-ref.ts
+function sanitizeInstructions(raw) {
+  const collapsed = raw.replace(/\s+/g, " ").trim();
+  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
+  const normalized = stripped.replace(/\s+/g, " ").trim();
+  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
+    return normalized;
+  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}…`;
+}
+function validateAndSanitizeUrl2(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "pull");
+}
+function parsePrRef(input, cwd) {
+  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
+  if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
+    return {
+      owner: urlMatch[1],
+      repo: urlMatch[2],
+      number: parseInt(urlMatch[3], 10)
+    };
+  }
+  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
+  if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
+    return {
+      owner: shorthandMatch[1],
+      repo: shorthandMatch[2],
+      number: parseInt(shorthandMatch[3], 10)
+    };
+  }
+  const bareMatch = input.match(/^(\d+)$/);
+  if (bareMatch) {
+    const prNumber = parseInt(bareMatch[1], 10);
+    const remoteUrl = detectGitRemote(cwd);
+    if (!remoteUrl) {
+      return null;
+    }
+    const parsed = parseGitRemoteUrl(remoteUrl);
+    if (!parsed) {
+      return null;
+    }
+    return {
+      owner: parsed.owner,
+      repo: parsed.repo,
+      number: prNumber
+    };
+  }
+  return null;
+}
+function looksLikePrRef(token) {
+  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
+}
+function resolvePrCommandInput(rest, cwd) {
+  if (rest.length === 0) {
+    return null;
+  }
+  const refToken = rest[0];
+  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
+  const isFullUrl = /^https?:\/\//i.test(refToken);
+  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
+  if (!prInfo) {
+    return {
+      error: `Could not parse PR reference from "${sanitizeErrorEcho(refToken)}"`
+    };
+  }
+  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
+  const result = validateAndSanitizeUrl2(prUrl);
+  if ("error" in result) {
+    return { error: result.error };
+  }
+  return { prUrl: result.sanitized, instructions };
+}
+var MAX_INSTRUCTIONS_LEN = 1000;
+var init_pr_ref = __esm(() => {
+  init_url_security();
+});
+
 // src/commands/pr-feedback.ts
 function handlePrFeedbackCommand(directory, args2) {
   const rest = args2.filter((t) => t.trim().length > 0);
@@ -124942,10 +125022,10 @@ var knowledge_ack = createSwarmTool({
 // src/tools/knowledge-add.ts
 init_zod();
 init_config();
+init_knowledge_reinforcement();
 init_knowledge_store();
 init_knowledge_validator();
 init_manager();
-init_utils();
 init_create_tool();
 import { randomUUID as randomUUID15 } from "node:crypto";
 var VALID_CATEGORIES2 = [
@@ -125037,9 +125117,13 @@ var knowledge_add = createSwarmTool({
       });
     }
     let project_name = "";
+    let phase_number = 1;
     try {
       const plan = await loadPlan(directory);
       project_name = plan?.title ?? "";
+      if (typeof plan?.current_phase === "number") {
+        phase_number = plan.current_phase;
+      }
     } catch {}
     const entry = {
       id: randomUUID15(),
@@ -125084,19 +125168,6 @@ var knowledge_add = createSwarmTool({
         }
       }
     } catch {}
-    try {
-      const existingEntries = await readKnowledge(resolveSwarmKnowledgePath(directory));
-      const duplicate = findNearDuplicate(lesson, existingEntries, dedupThreshold);
-      if (duplicate) {
-        return JSON.stringify({
-          success: false,
-          id: duplicate.id,
-          message: "near-duplicate of existing entry"
-        });
-      }
-    } catch (err2) {
-      warn("knowledge_add: dedup check failed — skipping near-duplicate detection", err2);
-    }
     const actionability = validateActionability(entry);
     if (!actionability.actionable) {
       try {
@@ -125112,7 +125183,55 @@ var knowledge_add = createSwarmTool({
     }
     try {
       const maxEntries = config3?.knowledge?.swarm_max_entries ?? 100;
-      await appendKnowledgeWithCapEnforcement(resolveSwarmKnowledgePath(directory), entry, maxEntries);
+      let duplicateResponse;
+      await transactKnowledge(resolveSwarmKnowledgePath(directory), (existingEntries) => {
+        const activeDuplicate = findActiveSwarmNearDuplicate(lesson, existingEntries, dedupThreshold);
+        if (activeDuplicate) {
+          const result = reinforceSwarmKnowledgeEntry(activeDuplicate, {
+            phase_number,
+            confirmed_at: new Date().toISOString(),
+            project_name
+          });
+          duplicateResponse = {
+            id: activeDuplicate.id,
+            reinforced: result.reinforced,
+            idempotent: result.reason === "already_confirmed_phase",
+            inactive: false
+          };
+          return result.reinforced ? existingEntries : null;
+        }
+        const inactiveDuplicate = findNearDuplicate(lesson, existingEntries, dedupThreshold);
+        if (inactiveDuplicate) {
+          duplicateResponse = {
+            id: inactiveDuplicate.id,
+            reinforced: false,
+            idempotent: false,
+            inactive: true
+          };
+          return null;
+        }
+        const updated = [...existingEntries, entry];
+        if (updated.length > maxEntries) {
+          return updated.slice(updated.length - maxEntries);
+        }
+        return updated;
+      });
+      if (duplicateResponse) {
+        if (duplicateResponse.inactive) {
+          return JSON.stringify({
+            success: false,
+            id: duplicateResponse.id,
+            message: "near-duplicate of inactive existing entry"
+          });
+        }
+        return JSON.stringify({
+          success: true,
+          id: duplicateResponse.id,
+          reinforced: duplicateResponse.reinforced,
+          idempotent: duplicateResponse.idempotent,
+          message: duplicateResponse.reinforced ? "near-duplicate reinforced existing entry" : "near-duplicate already confirmed for this phase"
+        });
+      }
     } catch (err2) {
       const message = err2 instanceof Error ? err2.message : "Unknown error";
       return JSON.stringify({
@@ -127725,7 +127844,7 @@ import * as fs103 from "node:fs";
 import * as path156 from "node:path";
 
 // src/mutation/engine.ts
-import { spawnSync as spawnSync10 } from "node:child_process";
+import { spawnSync as spawnSync11 } from "node:child_process";
 import { unlinkSync as unlinkSync19, writeFileSync as writeFileSync27 } from "node:fs";
 import * as path155 from "node:path";
 
@@ -127903,7 +128022,7 @@ var _internals88 = {
   executeMutation,
   computeReport,
   executeMutationSuite,
-  spawnSync: spawnSync10
+  spawnSync: spawnSync11
 };
 async function executeMutation(patch, testCommand, testFiles, workingDir) {
   const startTime = Date.now();
@@ -130197,7 +130316,7 @@ async function executePhaseComplete(args2, workingDirectory, directory) {
         const sessionState = swarmState.agentSessions.get(sessionID);
         if (sessionState) {
           sessionState.pendingAdvisoryMessages ??= [];
-          sessionState.pendingAdvisoryMessages.push(`[CURATOR] Knowledge curation: ${curationResult.stored} stored, ${curationResult.skipped} skipped, ${curationResult.rejected} rejected, ${curationResult.quarantined} quarantined (unactionable).`);
+          sessionState.pendingAdvisoryMessages.push(`[CURATOR] Knowledge curation: ${curationResult.stored} stored, ${curationResult.reinforced} reinforced, ${curationResult.skipped} skipped, ${curationResult.rejected} rejected, ${curationResult.quarantined} quarantined (unactionable).`);
         }
       }
       await updateRetrievalOutcome(dir, `Phase ${phase}`, true);
@@ -141956,6 +142075,7 @@ var write_architecture_supervisor_evidence = createSwarmTool({
     };
     const evidencePath = writeSupervisorReport(dirResult.directory, report);
     let knowledgeProposed = 0;
+    let knowledgeReinforced = 0;
     let knowledgeQuarantined = 0;
     try {
       const config3 = loadPluginConfig(dirResult.directory);
@@ -141972,6 +142092,7 @@ var write_architecture_supervisor_evidence = createSwarmTool({
           }
         });
         knowledgeProposed = result.stored;
+        knowledgeReinforced = result.reinforced;
         knowledgeQuarantined = result.quarantined;
       }
     } catch {}
@@ -141993,6 +142114,7 @@ var write_architecture_supervisor_evidence = createSwarmTool({
       verdict: args2.verdict,
       findings_count: args2.findings.length,
       knowledge_proposed: knowledgeProposed,
+      knowledge_reinforced: knowledgeReinforced,
       knowledge_quarantined: knowledgeQuarantined,
       skills_proposed: skillsProposed,
       evidence_path: evidencePath