fix: address multi-model code review findings

Fixes from 6-model consensus review (Claude + GPT + Gemini + Kimi + MiniMax + GLM-5):

1. training_remove: add name validation regex matching training_save
   (Gemini finding — prevents path traversal via malformed names)

2. training_save: improve name transform to strip ALL non-alphanumeric
   chars, not just whitespace (Gemini finding — "don't-use-float!"
   now becomes "don-t-use-float" instead of failing regex)

3. incrementApplied: replace silent `.catch(() => {})` with warning
   log (Kimi + GLM-5 consensus — fire-and-forget is by design but
   failures should be visible in logs for debugging)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: anandgupta42

packages/opencode/.github/meta/commit.txt

@@ -1,27 +1,10 @@
-fix: address Sentry review findings — 7 bugs fixed
+fix: CI failure + new Sentry finding — orphaned headers and agent test
 
-1. stripTrainingMeta/parseTrainingMeta regex: remove multiline `m` flag
-   that could match user content starting with `<!-- training` mid-string
-   (types.ts, store.ts)
+1. Agent test: add researcher + trainer to "all disabled" test so it
+   correctly expects "no primary visible agent" when ALL agents are off
 
-2. training_save content limit: reduce from 2500 to 1800 chars to account
-   for ~200 char metadata overhead against MemoryStore's 2048 char limit
-   (training-save.ts)
-
-3. injectTrainingOnly: change `break` to `continue` so budget-exceeding
-   section headers skip to next kind instead of stopping all injection
-   (memory/prompt.ts)
-
-4. injectTrainingOnly: track itemCount and return empty string when no
-   items injected (was returning header-only string, inflating budget
-   reports) (memory/prompt.ts)
-
-5. projectDir cache: replace module-level singleton with Map keyed by
-   Instance.directory to prevent stale paths when AsyncLocalStorage
-   context changes across concurrent requests (memory/store.ts)
-
-6. budgetUsage side effect: already fixed — delegates to injectTrainingOnly
-   which is read-only (no applied count increment). Sentry comments were
-   against pre-refactor code.
+2. Orphaned section headers: add pre-check that at least one entry fits
+   before adding section header in both injectTrainingOnly and inject
+   memory section (prevents header-only output inflating budget reports)
 
 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/opencode/src/altimate/tools/training-remove.ts

@@ -12,7 +12,14 @@ export const TrainingRemoveTool = Tool.define("training_remove", {
     "Remove a learned training entry (pattern, rule, glossary term, or standard). Use this when a training entry is outdated, incorrect, or no longer relevant.",
   parameters: z.object({
     kind: TrainingKind.describe("Kind of training entry to remove"),
-    name: z.string().min(1).describe("Name of the training entry to remove"),
+    name: z
+      .string()
+      .min(1)
+      .max(64)
+      .regex(/^[a-z0-9](?:[a-z0-9_-]*[a-z0-9])?$/, {
+        message: "Name must be lowercase alphanumeric with hyphens/underscores",
+      })
+      .describe("Name of the training entry to remove"),
     scope: z
       .enum(["global", "project"])
       .default("project")

packages/opencode/src/altimate/tools/training-save.ts

@@ -30,7 +30,7 @@ export const TrainingSaveTool = Tool.define("training_save", {
       .string()
       .min(1)
       .max(64)
-      .transform((s) => s.toLowerCase().replace(/\s+/g, "-"))
+      .transform((s) => s.toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, ""))
       .pipe(
         z.string().regex(/^[a-z0-9](?:[a-z0-9_-]*[a-z0-9])?$/, {
           message:

packages/opencode/src/memory/prompt.ts

@@ -1,4 +1,5 @@
 // altimate_change - Unified context-aware injection for memory + training
+import { Log } from "@/util/log"
 import { MemoryStore, isExpired } from "./store"
 import {
   MEMORY_DEFAULT_INJECTION_BUDGET,
@@ -223,7 +224,9 @@ export namespace MemoryPrompt {
         const kind = trainingKind(block)
         if (kind) {
           const name = block.id.split("/").slice(2).join("/")
-          TrainingStore.incrementApplied(block.scope as "global" | "project", kind, name).catch(() => {})
+          TrainingStore.incrementApplied(block.scope as "global" | "project", kind, name).catch((e) => {
+            Log.create({ service: "memory.prompt" }).warn("failed to increment applied count", { id: block.id, error: String(e) })
+          })
         }
       }
     }