diff --git a/deploy/sync-mirror.sh b/deploy/sync-mirror.sh
index 15c9cdd..7b3a4e2 100755
--- a/deploy/sync-mirror.sh
+++ b/deploy/sync-mirror.sh
@@ -378,8 +378,15 @@ if [ -f "$PIPELINE_DB" ]; then
     sqlite3 -separator '|' "$PIPELINE_DB" \
         "SELECT number, branch FROM prs WHERE branch LIKE 'gh-pr-%' AND github_pr IS NULL;" \
         2>/dev/null | while IFS='|' read -r pr_num branch; do
-        gh_pr_num=$(echo "$branch" | sed -n 's|^gh-pr-\([0-9]*\)/.*|\1|p')
+        # Regex requires >=1 digit — empty/non-numeric branches fail to parse here,
+        # not just at the empty-guard below. Keeps SQL-integer-safety load-bearing
+        # on the regex alone. [0-9][0-9]* is the portable BRE form of [0-9]+,
+        # works on both GNU sed (VPS) and BSD sed (dev macs).
+        gh_pr_num=$(echo "$branch" | sed -n 's|^gh-pr-\([0-9][0-9]*\)/.*|\1|p')
         [ -z "$gh_pr_num" ] && continue
+        # Both interpolated values are integer-validated upstream (pr_num from
+        # INTEGER `number` column, gh_pr_num from regex above). No parametric
+        # binding available in bash sqlite3 — safety relies on those invariants.
         if sqlite3 "$PIPELINE_DB" \
             "UPDATE prs SET github_pr = $gh_pr_num, source_channel = 'github' WHERE number = $pr_num;" \
             2>/dev/null; then