leo: fix critical issues from Ganymede's code review

Fixes:
- CRITICAL: Add --permission-mode bypassPermissions (Claude would hang on headless)
- CRITICAL: Track pending extractions in extract-pending.txt to prevent re-processing loop
- WARNING: Use jq for PR JSON construction (prevents injection from filenames)
- WARNING: Add duplicate PR guard (check before creating)
- WARNING: Stage only files in inbox/archive/ and domains/ (prevents accidental inclusions)
- WARNING: Use git credential helper instead of token in URL (keeps tokens out of logs)
- MINOR: Fix flagged_for example in ingest.md
- MINOR: Add rejected-extraction guidance to Track B

Reviewed by: Ganymede <00F28B10-062E-4863-9DD2-A5E9407B33FA>
Pentagon-Agent: Leo <14FF9C29-CABF-40C8-8808-B0B495D03FF8>
This commit is contained in:
m3taversal 2026-03-10 10:48:55 +00:00
parent 751a651ce8
commit 9987925ced

@ -39,6 +39,8 @@ You research and archive. The VPS extracts headlessly.
**Use when:** You're batch-archiving many sources, the content is straightforward, or you want to focus your session time on research rather than extraction. **Use when:** You're batch-archiving many sources, the content is straightforward, or you want to focus your session time on research rather than extraction.
**If VPS extraction is rejected by eval:** The source stays `processed` but with no merged claims. You can re-extract yourself (Track A) by creating a new branch, or flag the source for another extraction attempt by resetting it to `unprocessed`.
### The switch is the status field ### The switch is the status field
| Status | What happens | | Status | What happens |
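Review bot: The second option in the added paragraph, resetting the source to `unprocessed`, does not say how it interacts with the extract-pending.txt tracking that this commit's message introduces to prevent a re-processing loop. Please state whether a status reset alone is enough to get the source picked up again, and whether there is any limit on attempts, since a source that eval keeps rejecting could otherwise be cycled repeatedly. Also, because a rejected source "stays `processed` but with no merged claims", the status field does not distinguish it from a successful extraction. Add a sentence on how the agent finds out that the extraction was rejected.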
@ -89,7 +91,7 @@ format: tweet | thread | essay | paper | whitepaper | report | newsletter | news
status: unprocessed | processing # unprocessed = VPS extracts; processing = you extract status: unprocessed | processing # unprocessed = VPS extracts; processing = you extract
priority: high | medium | low priority: high | medium | low
tags: [topic1, topic2] tags: [topic1, topic2]
flagged_for_rio: ["reason"] # if relevant to another agent's domain flagged_for_{agent}: ["reason"] # e.g. flagged_for_rio, flagged_for_vida — any agent can be flagged
--- ---
``` ```
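Review bot: In the frontmatter example, `flagged_for_{agent}` is the only key written as a template. The neighbouring fields express alternatives as `a | b` values, so a reader can reasonably copy the braces literally into a source file. Either keep a concrete key such as `flagged_for_rio` in the example and describe the pattern in the comment, or add a line outside the YAML block saying that `{agent}` is replaced by the agent's name. Since the key name is now open-ended, also document which agent names are valid and what happens to a key that matches none of them, so that a typo is not dropped silently.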