opencode-swarm 7.73.2 → 7.74.0

package/dist/index.js

@@ -69,7 +69,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.73.2",
+    version: "7.74.0",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -16736,7 +16736,7 @@ var init_plan_schema = __esm(() => {
   init_zod();
   ExecutionProfileSchema = exports_external.object({
     parallelization_enabled: exports_external.boolean().default(false),
-    max_concurrent_tasks: exports_external.number().int().min(1).max(64).default(1),
+    max_concurrent_tasks: exports_external.number().int().min(1).max(64).default(10),
     council_parallel: exports_external.boolean().default(true),
     locked: exports_external.boolean().default(false),
     auto_proceed: exports_external.boolean().default(false)
@@ -42662,8 +42662,30 @@ async function buildParallelExecutionGuidance(directory, sessionID, session) {
   }
   const profile = plan.execution_profile;
   const enabled = profile?.parallelization_enabled === true;
-  const maxConcurrent = profile?.max_concurrent_tasks ?? 1;
-  const effectiveMaxConcurrent = session?.maxConcurrencyOverride ?? maxConcurrent;
+  const maxConcurrent = profile?.max_concurrent_tasks ?? 10;
+  let effectiveMaxConcurrent = session?.maxConcurrencyOverride ?? maxConcurrent;
+  const allTasks = plan.phases.flatMap((phase) => phase.tasks);
+  const blockedTasks = allTasks.filter((task) => {
+    if (task.status !== "blocked")
+      return false;
+    const reason = (task.blocked_reason ?? "").toLowerCase();
+    return reason.includes("fail") || reason.includes("error") || reason.includes("exception");
+  });
+  const totalTasks = allTasks.length;
+  let backoffTriggered = false;
+  if (totalTasks > 0 && blockedTasks.length > 0) {
+    const failureRate = blockedTasks.length / totalTasks;
+    const FAILURE_RATE_THRESHOLD = 0.2;
+    const BACKOFF_MULTIPLIER = 0.5;
+    if (failureRate > FAILURE_RATE_THRESHOLD && blockedTasks.length >= 2) {
+      const newConcurrency = Math.max(1, Math.floor(effectiveMaxConcurrent * BACKOFF_MULTIPLIER));
+      if (newConcurrency < effectiveMaxConcurrent) {
+        effectiveMaxConcurrent = newConcurrency;
+        session.maxConcurrencyOverride = newConcurrency;
+        backoffTriggered = true;
+      }
+    }
+  }
   if (!enabled || effectiveMaxConcurrent <= 1)
     return null;
   if (hasActiveLeanTurbo(sessionID)) {
@@ -42675,7 +42697,6 @@ async function buildParallelExecutionGuidance(directory, sessionID, session) {
   const tasks = currentPhase.tasks;
   if (tasks.length === 0)
     return null;
-  const allTasks = plan.phases.flatMap((phase) => phase.tasks);
   const completed = new Set;
   for (const task of allTasks) {
     const taskId = task.id;
@@ -42709,7 +42730,8 @@ async function buildParallelExecutionGuidance(directory, sessionID, session) {
   if (eligible.length === 0) {
     return `[PARALLEL EXECUTION PROFILE] parallelization_enabled=true max_concurrent_tasks=${effectiveMaxConcurrent}; no dependency-ready pending tasks are available for a new coder slot. Continue the current task/gate.`;
   }
-  return `[PARALLEL EXECUTION PROFILE] parallelization_enabled=true max_concurrent_tasks=${effectiveMaxConcurrent}; ${occupied.size} slot(s) occupied. Eligible now: ${eligible.join(", ")}. [NEXT] dispatch up to ${availableSlots} eligible coder task(s) before waiting; preserve ONE task per coder call and call declare_scope for each task.`;
+  const failureWarning = backoffTriggered ? ` (${blockedTasks.length} blocked task(s) detected — concurrency auto-reduced due to failures)` : "";
+  return `[PARALLEL EXECUTION PROFILE] parallelization_enabled=true max_concurrent_tasks=${effectiveMaxConcurrent}; ${occupied.size} slot(s) occupied. Eligible now: ${eligible.join(", ")}. [NEXT] dispatch up to ${availableSlots} eligible coder task(s) before waiting; preserve ONE task per coder call and call declare_scope for each task.${failureWarning}`;
 }
 function isParallelGuidancePhaseComplete(phase) {
   return phase.status === "complete" || phase.status === "completed" || phase.status === "closed";
@@ -42873,7 +42895,7 @@ function createDelegationGateHook(config2, directory) {
       return;
     const profile = plan.execution_profile;
     const parallelEnabled = profile?.parallelization_enabled === true;
-    const maxConcurrent = profile?.max_concurrent_tasks ?? 1;
+    const maxConcurrent = profile?.max_concurrent_tasks ?? 10;
     const effectiveMaxConcurrent = session.maxConcurrencyOverride ?? maxConcurrent;
     if (!parallelEnabled || effectiveMaxConcurrent <= 1)
       return;
@@ -62433,6 +62455,9 @@ import * as path37 from "node:path";
 function resolveLogPath(directory) {
   return validateSwarmPath(directory, "skill-usage.jsonl");
 }
+function normalizeComplianceVerdict(verdict) {
+  return verdict === "violation" ? "violated" : verdict;
+}
 function appendSkillUsageEntry(directory, entry) {
   const {
     skillPath,
@@ -62503,7 +62528,9 @@ function readSkillUsageEntries(directory, options) {
     if (!trimmed)
       continue;
     try {
-      entries.push(JSON.parse(trimmed));
+      const entry = JSON.parse(trimmed);
+      entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
+      entries.push(entry);
     } catch {}
   }
   if (!options)
@@ -62562,6 +62589,7 @@ function readSkillUsageEntriesTail(directory, filters, maxBytes = TAIL_BYTES_DEF
           continue;
         try {
           const entry = JSON.parse(line);
+          entry.complianceVerdict = normalizeComplianceVerdict(entry.complianceVerdict);
           if (filters.sessionID !== undefined && entry.sessionID !== filters.sessionID) {
             continue;
           }
@@ -62596,7 +62624,7 @@ function computeComplianceByVersion(entries, skillPath) {
     stats.total += 1;
     if (e.complianceVerdict === "compliant")
       stats.compliant += 1;
-    if (e.complianceVerdict === "violation")
+    if (e.complianceVerdict === "violated")
       stats.violation += 1;
   }
   for (const stats of map3.values()) {
@@ -62709,7 +62737,7 @@ async function applySkillUsageFeedback(directory, options) {
   try {
     const allEntries = readSkillUsageEntries(directory);
     const actionable = allEntries.filter((e) => {
-      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violation") {
+      if (e.complianceVerdict !== "compliant" && e.complianceVerdict !== "violated") {
         return false;
       }
       if (options?.sinceTimestamp && e.timestamp <= options.sinceTimestamp) {
@@ -62735,7 +62763,7 @@ async function applySkillUsageFeedback(directory, options) {
       for (const entry of entries) {
         if (entry.complianceVerdict === "compliant")
           compliantCount++;
-        else if (entry.complianceVerdict === "violation")
+        else if (entry.complianceVerdict === "violated")
           violationCount++;
       }
       if (compliantCount === 0 && violationCount === 0)
@@ -62819,7 +62847,7 @@ async function autoRetireSkills(directory, curatorKnowledgePath, excludeSlugs) {
           return true;
         return false;
       });
-      const violations = skillUsage.filter((e) => e.complianceVerdict === "violation").length;
+      const violations = skillUsage.filter((e) => e.complianceVerdict === "violated").length;
       const violationRate = skillUsage.length > 0 ? violations / skillUsage.length : 0;
       let allArchived = false;
       try {
@@ -63484,7 +63512,7 @@ ${phaseDigest.summary}`,
         });
         if (skillUsage.length === 0)
           continue;
-        const violations = skillUsage.filter((e) => e.complianceVerdict === "violation").length;
+        const violations = skillUsage.filter((e) => e.complianceVerdict === "violated").length;
         const violationRate = violations / skillUsage.length;
         if (violationRate > REVISION_VIOLATION_THRESHOLD && violationRate <= 0.3) {
           const content = await _internals27.readFileAsync(active.path, "utf-8");
@@ -63492,7 +63520,7 @@ ${phaseDigest.summary}`,
           if (fm && fm.skillOrigin === "promoted_external")
             continue;
           const currentVersion = fm?.version ?? 1;
-          const violationContexts = skillUsage.filter((e) => e.complianceVerdict === "violation").slice(-10).map((e) => ({
+          const violationContexts = skillUsage.filter((e) => e.complianceVerdict === "violated").slice(-10).map((e) => ({
             taskId: e.taskID,
             agent: e.agentName,
             verdict: e.complianceVerdict,
@@ -68778,7 +68806,7 @@ function buildStatusMessage(session, plan) {
   const overrideActive = session.maxConcurrencyOverride !== undefined;
   const configuredOverride = session.maxConcurrencyOverride ?? "absent";
   const hasPlan = plan !== null && plan !== undefined;
-  const planBaseline = hasPlan ? plan.execution_profile?.max_concurrent_tasks ?? 1 : 1;
+  const planBaseline = hasPlan ? plan.execution_profile?.max_concurrent_tasks ?? 10 : 10;
   const parallelizationEnabled = hasPlan ? plan.execution_profile?.parallelization_enabled ?? false : false;
   const operationalEffective = !parallelizationEnabled ? 1 : session.maxConcurrencyOverride ?? planBaseline;
   let description;
@@ -68807,8 +68835,8 @@ var init_concurrency = __esm(() => {
   init_state();
   PRESETS = {
     min: 1,
-    medium: 3,
-    max: 8
+    medium: 8,
+    max: 16
   };
 });
 
@@ -75193,8 +75221,8 @@ var init_history = __esm(() => {
   init_history_service();
 });
 
-// src/commands/pr-ref.ts
-import { execSync as execSync2 } from "node:child_process";
+// src/commands/_shared/url-security.ts
+import { spawnSync as spawnSync8 } from "node:child_process";
 function sanitizeUrl(raw) {
   let urlStr = raw.trim();
   urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
@@ -75212,13 +75240,29 @@ function sanitizeUrl(raw) {
   }
   return urlStr.trim();
 }
-function sanitizeInstructions(raw) {
-  const collapsed = raw.replace(/\s+/g, " ").trim();
-  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const normalized = stripped.replace(/\s+/g, " ").trim();
-  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
-    return normalized;
-  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}…`;
+function sanitizeErrorEcho(raw, maxLength = 80) {
+  let stripped = "";
+  for (const ch of raw) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      stripped += " ";
+      continue;
+    }
+    stripped += ch;
+  }
+  const collapsed = stripped.replace(/\s+/g, " ").trim();
+  if (collapsed.length <= maxLength)
+    return collapsed;
+  return `${collapsed.slice(0, maxLength)}…`;
+}
+function containsControlCharacters(value) {
+  for (const ch of value) {
+    const cp = ch.codePointAt(0);
+    if (cp !== undefined && (cp <= 31 || cp === 127)) {
+      return true;
+    }
+  }
+  return false;
 }
 function hasNonAsciiHostname(hostname5) {
   for (const ch of hostname5) {
@@ -75228,31 +75272,38 @@ function hasNonAsciiHostname(hostname5) {
   }
   return false;
 }
+function isIpv4MappedPrivateHost(inner) {
+  if (IPV4_PRIVATE.test(inner) || IPV4_LOOPBACK.test(inner) || IPV4_LINK_LOCAL.test(inner) || IPV4_PRIVATE_172.test(inner) || IPV4_PRIVATE_192.test(inner) || IPV4_ZERO_NETWORK.test(inner)) {
+    return true;
+  }
+  const firstSegment = inner.split(":", 1)[0];
+  if (!firstSegment)
+    return false;
+  const firstWord = Number.parseInt(firstSegment, 16);
+  if (!Number.isFinite(firstWord))
+    return false;
+  return firstWord >= 0 && firstWord <= 255 || firstWord >= 2560 && firstWord <= 2815 || firstWord >= 32512 && firstWord <= 32767 || firstWord === 43518 || firstWord >= 44048 && firstWord <= 44063 || firstWord === 49320;
+}
 function isPrivateHost(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
+  const host = url3.hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (host === "localhost" || host === "::1" || host === "0.0.0.0" || IPV4_LOOPBACK.test(host) || IPV4_ZERO_NETWORK.test(host)) {
     return true;
   }
   if (host.startsWith("localhost") || host === "localhost.com") {
     return true;
   }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
+  if (IPV4_PRIVATE.test(host) || IPV4_LINK_LOCAL.test(host) || IPV4_PRIVATE_172.test(host) || IPV4_PRIVATE_192.test(host) || IPV6_LINK_LOCAL.test(host) || IPV6_UNIQUE_LOCAL.test(host)) {
     return true;
   }
   if (host.startsWith("::ffff:")) {
     const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
+    if (isIpv4MappedPrivateHost(inner)) {
       return true;
     }
   }
   return false;
 }
-function validateAndSanitizeUrl(rawUrl) {
+function validateAndSanitizeGithubUrl(rawUrl, resource) {
   const sanitized = sanitizeUrl(rawUrl);
   if (!sanitized) {
     return { error: "Empty URL" };
@@ -75268,10 +75319,10 @@ function validateAndSanitizeUrl(rawUrl) {
     if (isPrivateHost(url3)) {
       return { error: "Private or localhost URLs are not allowed" };
     }
-    const githubPrPattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/([0-9]+)\/?$/;
-    if (!githubPrPattern.test(sanitized)) {
+    const githubPattern = new RegExp(`^https:\\/\\/github\\.com\\/([^/]+)\\/([^/]+)\\/${resource}\\/([0-9]+)\\/?$`);
+    if (!githubPattern.test(sanitized)) {
       return {
-        error: "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
+        error: resource === "issues" ? "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)" : "URL must be a GitHub pull request URL (https://github.com/owner/repo/pull/N)"
       };
     }
     return { sanitized };
@@ -75279,50 +75330,18 @@ function validateAndSanitizeUrl(rawUrl) {
     return { error: "Invalid URL format" };
   }
 }
-function parsePrRef(input, cwd) {
-  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
-  if (urlMatch) {
-    return {
-      owner: urlMatch[1],
-      repo: urlMatch[2],
-      number: parseInt(urlMatch[3], 10)
-    };
-  }
-  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
-  if (shorthandMatch) {
-    return {
-      owner: shorthandMatch[1],
-      repo: shorthandMatch[2],
-      number: parseInt(shorthandMatch[3], 10)
-    };
-  }
-  const bareMatch = input.match(/^(\d+)$/);
-  if (bareMatch) {
-    const prNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote(cwd);
-    if (!remoteUrl) {
-      return null;
-    }
-    const parsed = parseGitRemoteUrl(remoteUrl);
-    if (!parsed) {
-      return null;
-    }
-    return {
-      owner: parsed.owner,
-      repo: parsed.repo,
-      number: prNumber
-    };
-  }
-  return null;
-}
 function detectGitRemote(cwd) {
   try {
-    const remoteUrl = _internals39.execSync("git remote get-url origin", {
+    const result = _internals39.spawnSync("git", ["remote", "get-url", "origin"], {
       encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
+      stdio: ["ignore", "pipe", "pipe"],
       timeout: 5000,
       ...cwd ? { cwd } : {}
-    }).trim();
+    });
+    if (result.status !== 0 || result.error) {
+      return null;
+    }
+    const remoteUrl = (result.stdout ?? "").trim();
     return remoteUrl || null;
   } catch {
     return null;
@@ -75331,123 +75350,49 @@ function detectGitRemote(cwd) {
 function parseGitRemoteUrl(remoteUrl) {
   const httpsMatch = remoteUrl.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/i);
   if (httpsMatch) {
-    return {
-      owner: httpsMatch[1],
-      repo: httpsMatch[2].replace(/\.git$/, "")
-    };
+    const owner = httpsMatch[1];
+    const repo = httpsMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const sshMatch = remoteUrl.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/i);
   if (sshMatch) {
-    return {
-      owner: sshMatch[1],
-      repo: sshMatch[2].replace(/\.git$/, "")
-    };
+    const owner = sshMatch[1];
+    const repo = sshMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   const pathMatch = remoteUrl.match(/\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/);
   if (pathMatch) {
-    return {
-      owner: pathMatch[1],
-      repo: pathMatch[2].replace(/\.git$/, "")
-    };
+    const owner = pathMatch[1];
+    const repo = pathMatch[2].replace(/\.git$/, "");
+    if (containsControlCharacters(owner) || containsControlCharacters(repo)) {
+      return null;
+    }
+    return { owner, repo };
   }
   return null;
 }
-function looksLikePrRef(token) {
-  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
-}
-function resolvePrCommandInput(rest, cwd) {
-  if (rest.length === 0) {
-    return null;
-  }
-  const refToken = rest[0];
-  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
-  const isFullUrl = /^https?:\/\//i.test(refToken);
-  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
-  if (!prInfo) {
-    return { error: `Could not parse PR reference from "${refToken}"` };
-  }
-  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
-  const result = validateAndSanitizeUrl(prUrl);
-  if ("error" in result) {
-    return { error: result.error };
-  }
-  return { prUrl: result.sanitized, instructions };
-}
-var _internals39, MAX_URL_LEN = 2048, MAX_INSTRUCTIONS_LEN = 1000;
-var init_pr_ref = __esm(() => {
-  _internals39 = { execSync: execSync2 };
+var MAX_URL_LEN = 2048, IPV4_PRIVATE, IPV4_LOOPBACK, IPV4_LINK_LOCAL, IPV4_PRIVATE_172, IPV4_PRIVATE_192, IPV4_ZERO_NETWORK, IPV6_LINK_LOCAL, IPV6_UNIQUE_LOCAL, _internals39;
+var init_url_security = __esm(() => {
+  IPV4_PRIVATE = /^10\./;
+  IPV4_LOOPBACK = /^127\./;
+  IPV4_LINK_LOCAL = /^169\.254\./;
+  IPV4_PRIVATE_172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
+  IPV4_PRIVATE_192 = /^192\.168\./;
+  IPV4_ZERO_NETWORK = /^0\./;
+  IPV6_LINK_LOCAL = /^fe80:/i;
+  IPV6_UNIQUE_LOCAL = /^f[cd][0-9a-f]{2}:/i;
+  _internals39 = { spawnSync: spawnSync8 };
 });
 
 // src/commands/issue.ts
-import { execSync as execSync3 } from "node:child_process";
-function sanitizeUrl2(raw) {
-  let urlStr = raw.trim();
-  urlStr = urlStr.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
-  const fragmentIdx = urlStr.indexOf("#");
-  if (fragmentIdx !== -1) {
-    urlStr = urlStr.slice(0, fragmentIdx);
-  }
-  const queryIdx = urlStr.indexOf("?");
-  if (queryIdx !== -1) {
-    urlStr = urlStr.slice(0, queryIdx);
-  }
-  urlStr = urlStr.replace(/^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^@/]+@/, "https://");
-  if (urlStr.length > MAX_URL_LEN2) {
-    urlStr = urlStr.slice(0, MAX_URL_LEN2);
-  }
-  return urlStr.trim();
-}
-function isPrivateHost2(url3) {
-  const host = url3.hostname.toLowerCase();
-  if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0") {
-    return true;
-  }
-  if (host.startsWith("localhost") || host === "localhost.com") {
-    return true;
-  }
-  const ipv4Private = /^10\./;
-  const ipv4172 = /^172\.(1[6-9]|2\d|3[0-1])\./;
-  const ipv4192 = /^192\.168\./;
-  const ipv6Private = /^fe80:/i;
-  const ipv6Unique = /^f[cd][0-9a-f]{2}:/i;
-  if (ipv4Private.test(host) || ipv4172.test(host) || ipv4192.test(host) || ipv6Private.test(host) || ipv6Unique.test(host)) {
-    return true;
-  }
-  if (host.startsWith("::ffff:")) {
-    const inner = host.slice(7);
-    if (ipv4Private.test(inner) || ipv4172.test(inner) || ipv4192.test(inner)) {
-      return true;
-    }
-  }
-  return false;
-}
-function validateAndSanitizeUrl2(rawUrl) {
-  const sanitized = sanitizeUrl2(rawUrl);
-  if (!sanitized) {
-    return { error: "Empty URL" };
-  }
-  if (!sanitized.startsWith("https://")) {
-    return { error: "URL must use HTTPS scheme" };
-  }
-  try {
-    const url3 = new URL(sanitized);
-    const hostname5 = url3.hostname;
-    if (/[\u0080-\u{10FFFF}]/u.test(hostname5)) {
-      return { error: "Non-ASCII hostnames are not allowed" };
-    }
-    if (isPrivateHost2(url3)) {
-      return { error: "Private or localhost URLs are not allowed" };
-    }
-    const githubIssuePattern = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/([0-9]+)\/?$/;
-    if (!githubIssuePattern.test(sanitized)) {
-      return {
-        error: "URL must be a GitHub issue URL (https://github.com/owner/repo/issues/N)"
-      };
-    }
-    return { sanitized };
-  } catch {
-    return { error: "Invalid URL format" };
-  }
+function validateAndSanitizeUrl(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "issues");
 }
 function parseArgs6(args2) {
   const out2 = {
@@ -75474,9 +75419,12 @@ function parseArgs6(args2) {
   }
   return out2;
 }
-function parseIssueRef(input) {
+function parseIssueRef(input, directory) {
   const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/issues\/(\d+)\/?$/i);
   if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
     return {
       owner: urlMatch[1],
       repo: urlMatch[2],
@@ -75485,6 +75433,9 @@ function parseIssueRef(input) {
   }
   const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
   if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
     return {
       owner: shorthandMatch[1],
       repo: shorthandMatch[2],
@@ -75494,7 +75445,7 @@ function parseIssueRef(input) {
   const bareMatch = input.match(/^(\d+)$/);
   if (bareMatch) {
     const issueNumber = parseInt(bareMatch[1], 10);
-    const remoteUrl = detectGitRemote2();
+    const remoteUrl = detectGitRemote(directory);
     if (!remoteUrl) {
       return null;
     }
@@ -75510,33 +75461,21 @@ function parseIssueRef(input) {
   }
   return null;
 }
-function detectGitRemote2() {
-  try {
-    const remoteUrl = execSync3("git remote get-url origin", {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"],
-      timeout: 5000
-    }).trim();
-    return remoteUrl || null;
-  } catch {
-    return null;
-  }
-}
-function handleIssueCommand(_directory, args2) {
+function handleIssueCommand(directory, args2) {
   const parsed = parseArgs6(args2);
   const rawInput = parsed.rest.join(" ").trim();
   if (!rawInput) {
     return USAGE6;
   }
   const isFullUrl = /^https?:\/\//i.test(rawInput);
-  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl2(rawInput) : rawInput);
+  const issueInfo = parseIssueRef(isFullUrl ? sanitizeUrl(rawInput) : rawInput, directory);
   if (!issueInfo) {
-    return `Error: Could not parse issue reference from "${rawInput}"
+    return `Error: Could not parse issue reference from "${sanitizeErrorEcho(rawInput)}"
 
 ${USAGE6}`;
   }
   const issueUrl = `https://github.com/${issueInfo.owner}/${issueInfo.repo}/issues/${issueInfo.number}`;
-  const result = validateAndSanitizeUrl2(issueUrl);
+  const result = validateAndSanitizeUrl(issueUrl);
   if ("error" in result) {
     return `Error: ${result.error}
 
@@ -75552,9 +75491,9 @@ ${USAGE6}`;
   const flagsStr = flags2.length > 0 ? ` ${flags2.join(" ")}` : "";
   return `[MODE: ISSUE_INGEST issue="${result.sanitized}"${flagsStr}]`;
 }
-var MAX_URL_LEN2 = 2048, USAGE6;
+var USAGE6;
 var init_issue = __esm(() => {
-  init_pr_ref();
+  init_url_security();
   USAGE6 = [
     "Usage: /swarm issue <url|owner/repo#N|N> [--plan] [--trace] [--no-repro]",
     "",
@@ -80737,6 +80676,88 @@ var init_post_mortem = __esm(() => {
   init_curator_postmortem();
 });
 
+// src/commands/pr-ref.ts
+function sanitizeInstructions(raw) {
+  const collapsed = raw.replace(/\s+/g, " ").trim();
+  const stripped = collapsed.replace(/\[\s*MODE\s*:[^\]]*\]/gi, "");
+  const normalized = stripped.replace(/\s+/g, " ").trim();
+  if (normalized.length <= MAX_INSTRUCTIONS_LEN)
+    return normalized;
+  return `${normalized.slice(0, MAX_INSTRUCTIONS_LEN)}…`;
+}
+function validateAndSanitizeUrl2(rawUrl) {
+  return validateAndSanitizeGithubUrl(rawUrl, "pull");
+}
+function parsePrRef(input, cwd) {
+  const urlMatch = input.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i);
+  if (urlMatch) {
+    if (containsControlCharacters(urlMatch[1]) || containsControlCharacters(urlMatch[2])) {
+      return null;
+    }
+    return {
+      owner: urlMatch[1],
+      repo: urlMatch[2],
+      number: parseInt(urlMatch[3], 10)
+    };
+  }
+  const shorthandMatch = input.match(/^([^/]+)\/([^#]+)#(\d+)$/);
+  if (shorthandMatch) {
+    if (containsControlCharacters(shorthandMatch[1]) || containsControlCharacters(shorthandMatch[2])) {
+      return null;
+    }
+    return {
+      owner: shorthandMatch[1],
+      repo: shorthandMatch[2],
+      number: parseInt(shorthandMatch[3], 10)
+    };
+  }
+  const bareMatch = input.match(/^(\d+)$/);
+  if (bareMatch) {
+    const prNumber = parseInt(bareMatch[1], 10);
+    const remoteUrl = detectGitRemote(cwd);
+    if (!remoteUrl) {
+      return null;
+    }
+    const parsed = parseGitRemoteUrl(remoteUrl);
+    if (!parsed) {
+      return null;
+    }
+    return {
+      owner: parsed.owner,
+      repo: parsed.repo,
+      number: prNumber
+    };
+  }
+  return null;
+}
+function looksLikePrRef(token) {
+  return /^https?:\/\//i.test(token) || /^[^/]+\/[^#]+#\d+$/.test(token) || /^\d+$/.test(token);
+}
+function resolvePrCommandInput(rest, cwd) {
+  if (rest.length === 0) {
+    return null;
+  }
+  const refToken = rest[0];
+  const instructions = sanitizeInstructions(rest.slice(1).join(" "));
+  const isFullUrl = /^https?:\/\//i.test(refToken);
+  const prInfo = parsePrRef(isFullUrl ? sanitizeUrl(refToken) : refToken, cwd);
+  if (!prInfo) {
+    return {
+      error: `Could not parse PR reference from "${sanitizeErrorEcho(refToken)}"`
+    };
+  }
+  const prUrl = `https://github.com/${prInfo.owner}/${prInfo.repo}/pull/${prInfo.number}`;
+  const result = validateAndSanitizeUrl2(prUrl);
+  if ("error" in result) {
+    return { error: result.error };
+  }
+  return { prUrl: result.sanitized, instructions };
+}
+var MAX_INSTRUCTIONS_LEN = 1000;
+var init_pr_ref = __esm(() => {
+  init_url_security();
+});
+
 // src/commands/pr-feedback.ts
 function handlePrFeedbackCommand(directory, args2) {
   const rest = args2.filter((t) => t.trim().length > 0);
@@ -127845,7 +127866,7 @@ import * as fs103 from "node:fs";
 import * as path156 from "node:path";
 
 // src/mutation/engine.ts
-import { spawnSync as spawnSync10 } from "node:child_process";
+import { spawnSync as spawnSync11 } from "node:child_process";
 import { unlinkSync as unlinkSync19, writeFileSync as writeFileSync27 } from "node:fs";
 import * as path155 from "node:path";
 
@@ -128023,7 +128044,7 @@ var _internals88 = {
   executeMutation,
   computeReport,
   executeMutationSuite,
-  spawnSync: spawnSync10
+  spawnSync: spawnSync11
 };
 async function executeMutation(patch, testCommand, testFiles, workingDir) {
   const startTime = Date.now();