@bookedsolid/rea 0.1.0 → 0.2.0

package/dist/gateway/downstream-pool.js

@@ -0,0 +1,93 @@
+/**
+ * Pool of downstream MCP connections. Owns lookup + tool-name prefixing.
+ *
+ * Tool names exposed to the upstream MCP client are `<serverName>__<toolName>`.
+ * The gateway splits on the FIRST `__` — downstream tools that themselves
+ * contain `__` in their name continue to work because the split is one-shot.
+ */
+import { DownstreamConnection } from './downstream.js';
+export class DownstreamPool {
+    connections = new Map();
+    constructor(registry) {
+        for (const server of registry.servers) {
+            if (!server.enabled)
+                continue;
+            this.connections.set(server.name, new DownstreamConnection(server));
+        }
+    }
+    get size() {
+        return this.connections.size;
+    }
+    async connectAll() {
+        const errors = [];
+        await Promise.all([...this.connections.values()].map(async (conn) => {
+            try {
+                await conn.connect();
+            }
+            catch (err) {
+                errors.push(err instanceof Error ? err.message : String(err));
+            }
+        }));
+        if (errors.length > 0 && this.connections.size > 0 && errors.length === this.connections.size) {
+            // Total failure — the gateway is useless. Bubble up.
+            throw new Error(`all downstream connections failed:\n  - ${errors.join('\n  - ')}`);
+        }
+    }
+    /**
+     * Aggregate tools from every healthy downstream with prefixed names.
+     * Unhealthy or unconnected connections are skipped — the upstream client
+     * will see a smaller catalog rather than a crash.
+     */
+    async listAllTools() {
+        const out = [];
+        for (const [server, conn] of this.connections) {
+            if (!conn.isHealthy)
+                continue;
+            try {
+                const tools = await conn.listTools();
+                for (const t of tools) {
+                    const prefixed = {
+                        ...t,
+                        server,
+                        name: `${server}__${t.name}`,
+                    };
+                    out.push(prefixed);
+                }
+            }
+            catch {
+                // Listing is best-effort — omit this server's tools this cycle.
+            }
+        }
+        return out;
+    }
+    /**
+     * Split a prefixed tool name and dispatch. Returns the raw result from the
+     * downstream (the gateway response handler shapes it for the upstream reply).
+     */
+    async callTool(prefixedName, args) {
+        const { server, tool } = splitPrefixed(prefixedName);
+        const conn = this.connections.get(server);
+        if (conn === undefined) {
+            throw new Error(`unknown downstream server "${server}" for tool "${prefixedName}"`);
+        }
+        return conn.callTool(tool, args);
+    }
+    async close() {
+        await Promise.all([...this.connections.values()].map((c) => c.close()));
+        this.connections.clear();
+    }
+    /** Visible for tests: get a connection by server name. */
+    getConnection(serverName) {
+        return this.connections.get(serverName);
+    }
+}
+export function splitPrefixed(prefixedName) {
+    const idx = prefixedName.indexOf('__');
+    if (idx === -1) {
+        throw new Error(`tool name "${prefixedName}" is missing the server prefix — expected "<server>__<tool>"`);
+    }
+    return {
+        server: prefixedName.slice(0, idx),
+        tool: prefixedName.slice(idx + 2),
+    };
+}

package/dist/gateway/downstream.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Per-server downstream MCP connection wrapper.
+ *
+ * Owns the lifecycle of a single `@modelcontextprotocol/sdk` `Client` +
+ * `StdioClientTransport` pair. The gateway spawns one of these per entry in
+ * `.rea/registry.yaml`.
+ *
+ * ## Environment inheritance
+ *
+ * Children do NOT inherit the operator's full `process.env`. Every child gets:
+ *
+ *   1. A fixed allowlist of neutral OS/runtime vars (`PATH`, `HOME`, `TZ`, …).
+ *   2. Any names the registry opts into via `env_passthrough: [...]`. The
+ *      schema refuses secret-looking names (TOKEN/KEY/SECRET/…) — the operator
+ *      must type secrets explicitly via `env:` so the decision is conscious.
+ *   3. Values from the registry's `env:` mapping. Takes precedence over 1 and 2.
+ *
+ * Rationale: the registry is a plain YAML file — an attacker who can write to
+ * `.rea/` (or who lands a malicious template via `rea init`) should not be
+ * able to exfiltrate `OPENAI_API_KEY`, `GITHUB_TOKEN`, or customer secrets by
+ * spawning a child that reads `process.env`.
+ *
+ * ## Health / reconnect
+ *
+ * On a transport-layer failure we attempt exactly ONE reconnect per failure
+ * episode. After a successful reconnect + retry the attempt flag resets so a
+ * later, unrelated transport error (e.g. an idle socket closed by the OS after
+ * hours) also gets one reconnect. A flapping guard refuses the second
+ * reconnect if it lands within `RECONNECT_FLAP_WINDOW_MS` of the previous
+ * successful reconnect — in that case we mark the connection unhealthy and
+ * let the circuit breaker take over.
+ *
+ * ## Why not request-level retries
+ *
+ * MCP tool calls are not idempotent by default. Retrying `send_message` after
+ * a transport error could double-post. We leave the decision to the caller.
+ */
+import type { RegistryServer } from '../registry/types.js';
+export interface DownstreamToolInfo {
+    name: string;
+    description?: string;
+    inputSchema?: unknown;
+}
+/**
+ * Build the child env by layering:
+ *   allowlist → registry env_passthrough → registry env.
+ * Later entries win. Missing host values are skipped so `process.env[name]`
+ * being undefined does not serialize as the literal string "undefined".
+ *
+ * Exported for testing.
+ */
+export declare function buildChildEnv(config: RegistryServer, hostEnv?: NodeJS.ProcessEnv): Record<string, string>;
+export declare class DownstreamConnection {
+    private readonly config;
+    private client;
+    /**
+     * Whether a reconnect has already been attempted in the CURRENT failure
+     * episode. Resets to `false` after a reconnect succeeds (so a later,
+     * unrelated failure also gets one shot). A flapping guard prevents this
+     * from turning into a reconnect loop.
+     */
+    private reconnectAttempted;
+    /** Epoch ms of the last successful reconnect. Used by the flapping guard. */
+    private lastReconnectAt;
+    private health;
+    constructor(config: RegistryServer);
+    get name(): string;
+    get isHealthy(): boolean;
+    connect(): Promise<void>;
+    listTools(): Promise<DownstreamToolInfo[]>;
+    /**
+     * Forward a tool call to the child process. On transport failure, attempt
+     * at most ONE reconnect per failure episode. After a successful reconnect
+     * the episode ends and future unrelated failures will be retried again;
+     * rapid back-to-back failures within the flap window are refused to avoid
+     * a reconnect loop (the circuit breaker takes over in that case).
+     */
+    callTool(toolName: string, args: Record<string, unknown>): Promise<unknown>;
+    close(): Promise<void>;
+}

package/dist/gateway/downstream.js

@@ -0,0 +1,196 @@
+/**
+ * Per-server downstream MCP connection wrapper.
+ *
+ * Owns the lifecycle of a single `@modelcontextprotocol/sdk` `Client` +
+ * `StdioClientTransport` pair. The gateway spawns one of these per entry in
+ * `.rea/registry.yaml`.
+ *
+ * ## Environment inheritance
+ *
+ * Children do NOT inherit the operator's full `process.env`. Every child gets:
+ *
+ *   1. A fixed allowlist of neutral OS/runtime vars (`PATH`, `HOME`, `TZ`, …).
+ *   2. Any names the registry opts into via `env_passthrough: [...]`. The
+ *      schema refuses secret-looking names (TOKEN/KEY/SECRET/…) — the operator
+ *      must type secrets explicitly via `env:` so the decision is conscious.
+ *   3. Values from the registry's `env:` mapping. Takes precedence over 1 and 2.
+ *
+ * Rationale: the registry is a plain YAML file — an attacker who can write to
+ * `.rea/` (or who lands a malicious template via `rea init`) should not be
+ * able to exfiltrate `OPENAI_API_KEY`, `GITHUB_TOKEN`, or customer secrets by
+ * spawning a child that reads `process.env`.
+ *
+ * ## Health / reconnect
+ *
+ * On a transport-layer failure we attempt exactly ONE reconnect per failure
+ * episode. After a successful reconnect + retry the attempt flag resets so a
+ * later, unrelated transport error (e.g. an idle socket closed by the OS after
+ * hours) also gets one reconnect. A flapping guard refuses the second
+ * reconnect if it lands within `RECONNECT_FLAP_WINDOW_MS` of the previous
+ * successful reconnect — in that case we mark the connection unhealthy and
+ * let the circuit breaker take over.
+ *
+ * ## Why not request-level retries
+ *
+ * MCP tool calls are not idempotent by default. Retrying `send_message` after
+ * a transport error could double-post. We leave the decision to the caller.
+ */
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+/**
+ * Neutral env vars every child inherits. These are the ones shells/toolchains
+ * need to function but carry no secrets in a well-configured environment.
+ * Covers macOS, Linux, and Windows-relevant names.
+ */
+const DEFAULT_ENV_ALLOWLIST = [
+    'PATH',
+    'HOME',
+    'USER',
+    'LOGNAME',
+    'LANG',
+    'LC_ALL',
+    'LC_CTYPE',
+    'LC_MESSAGES',
+    'TZ',
+    'NODE_ENV',
+    'NODE_OPTIONS',
+    'NODE_EXTRA_CA_CERTS',
+    'TMPDIR',
+    'TEMP',
+    'TMP',
+];
+/**
+ * Flapping window. If a transport error arrives within this many ms of the
+ * previous successful reconnect, we refuse to reconnect again — the underlying
+ * child is clearly unhealthy and the circuit breaker is a better place to
+ * handle it.
+ */
+const RECONNECT_FLAP_WINDOW_MS = 30_000;
+/**
+ * Build the child env by layering:
+ *   allowlist → registry env_passthrough → registry env.
+ * Later entries win. Missing host values are skipped so `process.env[name]`
+ * being undefined does not serialize as the literal string "undefined".
+ *
+ * Exported for testing.
+ */
+export function buildChildEnv(config, hostEnv = process.env) {
+    const out = {};
+    for (const name of DEFAULT_ENV_ALLOWLIST) {
+        const v = hostEnv[name];
+        if (typeof v === 'string')
+            out[name] = v;
+    }
+    if (config.env_passthrough !== undefined) {
+        for (const name of config.env_passthrough) {
+            const v = hostEnv[name];
+            if (typeof v === 'string')
+                out[name] = v;
+        }
+    }
+    // Explicit config.env wins — operator typed these values deliberately.
+    for (const [k, v] of Object.entries(config.env)) {
+        out[k] = v;
+    }
+    return out;
+}
+export class DownstreamConnection {
+    config;
+    client = null;
+    /**
+     * Whether a reconnect has already been attempted in the CURRENT failure
+     * episode. Resets to `false` after a reconnect succeeds (so a later,
+     * unrelated failure also gets one shot). A flapping guard prevents this
+     * from turning into a reconnect loop.
+     */
+    reconnectAttempted = false;
+    /** Epoch ms of the last successful reconnect. Used by the flapping guard. */
+    lastReconnectAt = 0;
+    health = 'healthy';
+    constructor(config) {
+        this.config = config;
+    }
+    get name() {
+        return this.config.name;
+    }
+    get isHealthy() {
+        return this.health !== 'unhealthy';
+    }
+    async connect() {
+        if (this.client !== null)
+            return;
+        const transport = new StdioClientTransport({
+            command: this.config.command,
+            args: this.config.args,
+            env: buildChildEnv(this.config),
+        });
+        const client = new Client({ name: `rea-gateway-client:${this.config.name}`, version: '0.2.0' }, { capabilities: {} });
+        try {
+            await client.connect(transport);
+            this.client = client;
+            this.health = 'healthy';
+        }
+        catch (err) {
+            this.health = 'unhealthy';
+            throw new Error(`failed to connect to downstream "${this.config.name}" (${this.config.command}): ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    async listTools() {
+        if (this.client === null)
+            throw new Error(`downstream "${this.config.name}" not connected`);
+        const result = (await this.client.listTools());
+        return Array.isArray(result.tools) ? result.tools : [];
+    }
+    /**
+     * Forward a tool call to the child process. On transport failure, attempt
+     * at most ONE reconnect per failure episode. After a successful reconnect
+     * the episode ends and future unrelated failures will be retried again;
+     * rapid back-to-back failures within the flap window are refused to avoid
+     * a reconnect loop (the circuit breaker takes over in that case).
+     */
+    async callTool(toolName, args) {
+        if (this.client === null) {
+            await this.connect();
+        }
+        try {
+            return await this.client.callTool({ name: toolName, arguments: args });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            const withinFlapWindow = this.lastReconnectAt !== 0 &&
+                Date.now() - this.lastReconnectAt < RECONNECT_FLAP_WINDOW_MS;
+            if (!this.reconnectAttempted && !withinFlapWindow) {
+                this.reconnectAttempted = true;
+                this.health = 'degraded';
+                try {
+                    await this.close();
+                    await this.connect();
+                    const result = await this.client.callTool({ name: toolName, arguments: args });
+                    // Success: episode closed. Reset for the NEXT unrelated failure and
+                    // stamp the reconnect time so flap-guard can refuse rapid repeats.
+                    this.reconnectAttempted = false;
+                    this.lastReconnectAt = Date.now();
+                    return result;
+                }
+                catch (reconnectErr) {
+                    this.health = 'unhealthy';
+                    throw new Error(`downstream "${this.config.name}" unhealthy after one reconnect: ${reconnectErr instanceof Error ? reconnectErr.message : reconnectErr}`);
+                }
+            }
+            this.health = 'unhealthy';
+            throw new Error(`downstream "${this.config.name}" call failed: ${message}`);
+        }
+    }
+    async close() {
+        const c = this.client;
+        this.client = null;
+        if (c === null)
+            return;
+        try {
+            await c.close();
+        }
+        catch {
+            // Best-effort close — child may already be gone.
+        }
+    }
+}

package/dist/gateway/middleware/audit-types.d.ts

@@ -11,6 +11,16 @@ export interface AuditRecord {
     account_name?: string;
     error?: string;
     redacted_fields?: string[];
+    /**
+     * Free-form structured metadata attached by middleware or by callers emitting
+     * records through the public `@bookedsolid/rea/audit` helper. Used for first-class
+     * event semantics such as `codex.review` (head_sha, verdict, finding_count)
+     * and consumer-defined events like `helix.plan` / `helix.apply`.
+     *
+     * Keys and values must be JSON-serializable. No secrets, no redactable PII —
+     * the redaction middleware runs on `ctx.arguments`, not on metadata.
+     */
+    metadata?: Record<string, unknown>;
     hash: string;
     prev_hash: string;
 }

package/dist/gateway/middleware/audit.js

@@ -62,6 +62,20 @@ export function createAuditMiddleware(baseDir, policy) {
                 if (ctx.redacted_fields?.length) {
                     recordBase.redacted_fields = ctx.redacted_fields;
                 }
+                // Attach caller-supplied metadata when the middleware context carries any.
+                // The `autonomy_level` key is reserved for internal bookkeeping (see above)
+                // and is excluded from the exported metadata payload.
+                if (ctx.metadata !== undefined) {
+                    const exported = {};
+                    for (const [k, v] of Object.entries(ctx.metadata)) {
+                        if (k === 'autonomy_level')
+                            continue;
+                        exported[k] = v;
+                    }
+                    if (Object.keys(exported).length > 0) {
+                        recordBase.metadata = exported;
+                    }
+                }
                 const hash = computeHash(recordBase);
                 const record = { ...recordBase, hash };
                 prevHash = hash;

package/dist/gateway/middleware/injection.d.ts

@@ -1,11 +1,62 @@
 import type { Middleware } from './chain.js';
+import { type SafeRegex } from '../redact-safe/match-timeout.js';
+/**
+ * Known prompt injection phrases (lowercase for case-insensitive matching).
+ * These patterns are commonly used to override system instructions in tool
+ * descriptions or resource content returned by downstream MCP servers.
+ */
+export declare const INJECTION_PHRASES: readonly string[];
+/**
+ * Base64-token scanner regex. The only regex the injection middleware runs
+ * against untrusted payloads; wrapped in `SafeRegex` at middleware creation
+ * time so a catastrophic input cannot hang the event loop. See G3
+ * (`src/gateway/redact-safe/match-timeout.ts`).
+ */
+export declare const INJECTION_BASE64_PATTERN: RegExp;
+/**
+ * Base64 shape-validation regex used by `tryDecodeBase64`. Shorter inputs are
+ * rejected before we reach this test; the pattern itself is linear, so the
+ * SafeRegex wrap is purely a defense-in-depth measure.
+ */
+export declare const INJECTION_BASE64_SHAPE: RegExp;
+/**
+ * Audit metadata key for injection-scan regex timeouts. Multiple timeouts in
+ * one invocation append to an array under this key.
+ */
+export declare const INJECTION_TIMEOUT_METADATA_KEY = "injection.regex_timeout";
+export interface InjectionTimeoutEvent {
+    event: 'injection.regex_timeout';
+    pattern_source: 'default';
+    pattern_id: string;
+    input_bytes: number;
+    timeout_ms: number;
+}
+interface CompiledInjectionPatterns {
+    base64Token: SafeRegex;
+    base64Shape: SafeRegex;
+}
+export interface ScanForInjectionOptions {
+    onTimeout?: (patternId: string, input: string) => void;
+}
+/**
+ * Build compiled injection patterns with the provided timeout. Precompiled at
+ * middleware creation so the worker spawn is the only per-call overhead.
+ */
+export declare function compileInjectionPatterns(timeoutMs: number, onTimeout?: (patternId: string, input: string) => void): CompiledInjectionPatterns;
 /**
  * Scan a string for known prompt injection phrases.
  * Also decodes base64 tokens and checks the decoded content.
  * Returns an array of matched phrase descriptions, empty if clean.
+ *
+ * The `safe` parameter carries precompiled SafeRegex wrappers; callers build
+ * it once via `compileInjectionPatterns`.
  */
-export declare function scanForInjection(input: string): string[];
+export declare function scanForInjection(input: string, safe: CompiledInjectionPatterns): string[];
 export type InjectionAction = 'block' | 'warn';
+export interface InjectionMiddlewareOptions {
+    /** Timeout budget for each regex call. Default 100ms. */
+    matchTimeoutMs?: number;
+}
 /**
  * PostToolUse middleware: scans tool results for prompt injection patterns.
  *
@@ -18,5 +69,11 @@ export type InjectionAction = 'block' | 'warn';
  * SECURITY: Checking PostToolUse (after downstream execution, before the result
  * reaches the LLM) is the correct place to catch injection in tool descriptions
  * and resource content coming from potentially untrusted downstream servers.
+ *
+ * SECURITY (G3): The only regexes this middleware runs are wrapped in
+ * `SafeRegex` with a 100ms default per-call timeout. On timeout the scanner
+ * records an audit event and proceeds — blocking is governed by the literal
+ * substring checks (which have no ReDoS surface).
  */
-export declare function createInjectionMiddleware(action?: InjectionAction): Middleware;
+export declare function createInjectionMiddleware(action?: InjectionAction, opts?: InjectionMiddlewareOptions): Middleware;
+export {};

package/dist/gateway/middleware/injection.js

@@ -1,10 +1,11 @@
 import { InvocationStatus } from '../../policy/types.js';
+import { wrapRegex } from '../redact-safe/match-timeout.js';
 /**
  * Known prompt injection phrases (lowercase for case-insensitive matching).
  * These patterns are commonly used to override system instructions in tool
  * descriptions or resource content returned by downstream MCP servers.
  */
-const INJECTION_PHRASES = [
+export const INJECTION_PHRASES = [
     'ignore previous instructions',
     'disregard your',
     'your new instructions are',
@@ -16,15 +17,34 @@ const INJECTION_PHRASES = [
     'you are now a ',
     'you are now an ',
 ];
+/**
+ * Base64-token scanner regex. The only regex the injection middleware runs
+ * against untrusted payloads; wrapped in `SafeRegex` at middleware creation
+ * time so a catastrophic input cannot hang the event loop. See G3
+ * (`src/gateway/redact-safe/match-timeout.ts`).
+ */
+export const INJECTION_BASE64_PATTERN = /[A-Za-z0-9+/]{20,}={0,2}/g;
+/**
+ * Base64 shape-validation regex used by `tryDecodeBase64`. Shorter inputs are
+ * rejected before we reach this test; the pattern itself is linear, so the
+ * SafeRegex wrap is purely a defense-in-depth measure.
+ */
+export const INJECTION_BASE64_SHAPE = /^[A-Za-z0-9+/]+=*$/;
+/**
+ * Audit metadata key for injection-scan regex timeouts. Multiple timeouts in
+ * one invocation append to an array under this key.
+ */
+export const INJECTION_TIMEOUT_METADATA_KEY = 'injection.regex_timeout';
 /**
  * Decode a base64 string, returning the decoded text or null if decoding fails.
  * Only decodes if the input looks like base64 (64-char alphabet, length divisible by 4 or padded).
  */
-function tryDecodeBase64(input) {
+function tryDecodeBase64(input, safe) {
     // Quick heuristic: must be at least 20 chars and use only base64 chars
     if (input.length < 20)
         return null;
-    if (!/^[A-Za-z0-9+/]+=*$/.test(input))
+    const shape = safe.base64Shape.test(input);
+    if (shape.timedOut || !shape.matched)
         return null;
     try {
         return Buffer.from(input, 'base64').toString('utf8');
@@ -33,26 +53,52 @@ function tryDecodeBase64(input) {
         return null;
     }
 }
+/**
+ * Build compiled injection patterns with the provided timeout. Precompiled at
+ * middleware creation so the worker spawn is the only per-call overhead.
+ */
+export function compileInjectionPatterns(timeoutMs, onTimeout) {
+    return {
+        base64Token: wrapRegex(INJECTION_BASE64_PATTERN, {
+            timeoutMs,
+            ...(onTimeout
+                ? { onTimeout: (_p, i) => onTimeout('INJECTION_BASE64_PATTERN', i) }
+                : {}),
+        }),
+        base64Shape: wrapRegex(INJECTION_BASE64_SHAPE, {
+            timeoutMs,
+            ...(onTimeout
+                ? { onTimeout: (_p, i) => onTimeout('INJECTION_BASE64_SHAPE', i) }
+                : {}),
+        }),
+    };
+}
 /**
  * Scan a string for known prompt injection phrases.
  * Also decodes base64 tokens and checks the decoded content.
  * Returns an array of matched phrase descriptions, empty if clean.
+ *
+ * The `safe` parameter carries precompiled SafeRegex wrappers; callers build
+ * it once via `compileInjectionPatterns`.
  */
-export function scanForInjection(input) {
+export function scanForInjection(input, safe) {
     if (!input || typeof input !== 'string')
         return [];
     const lower = input.toLowerCase();
     const matches = [];
-    // Check literal phrases
+    // Check literal phrases (indexOf — no regex, no ReDoS surface).
     for (const phrase of INJECTION_PHRASES) {
         if (lower.includes(phrase)) {
             matches.push(`literal: "${phrase}"`);
         }
     }
-    // Check base64-encoded variants — scan word-like tokens that look like base64
-    const base64Tokens = input.match(/[A-Za-z0-9+/]{20,}={0,2}/g) ?? [];
+    // Check base64-encoded variants — scan word-like tokens that look like
+    // base64. The regex match is bounded via SafeRegex (timeout + hard worker
+    // kill).
+    const tokenResult = safe.base64Token.matchAll(input);
+    const base64Tokens = tokenResult.matches;
     for (const token of base64Tokens) {
-        const decoded = tryDecodeBase64(token);
+        const decoded = tryDecodeBase64(token, safe);
         if (!decoded)
             continue;
         const decodedLower = decoded.toLowerCase();
@@ -69,23 +115,45 @@ export function scanForInjection(input) {
  * Scan an unknown value recursively, collecting all injection matches.
  * Walks strings, arrays, and plain objects.
  */
-function scanValue(value, matches) {
+function scanValue(value, matches, safe) {
     if (typeof value === 'string') {
-        matches.push(...scanForInjection(value));
+        matches.push(...scanForInjection(value, safe));
         return;
     }
     if (Array.isArray(value)) {
         for (const item of value) {
-            scanValue(item, matches);
+            scanValue(item, matches, safe);
         }
         return;
     }
     if (value !== null && typeof value === 'object') {
         for (const v of Object.values(value)) {
-            scanValue(v, matches);
+            scanValue(v, matches, safe);
         }
     }
 }
+/**
+ * Record a regex-timeout event on `ctx.metadata`. Array-valued so multiple
+ * timeouts in one invocation are all recorded.
+ *
+ * SECURITY: The input text is NEVER written into metadata — only `input_bytes`.
+ */
+function recordInjectionTimeout(ctx, patternId, inputBytes, timeoutMs) {
+    const ev = {
+        event: 'injection.regex_timeout',
+        pattern_source: 'default',
+        pattern_id: patternId,
+        input_bytes: inputBytes,
+        timeout_ms: timeoutMs,
+    };
+    const existing = ctx.metadata[INJECTION_TIMEOUT_METADATA_KEY];
+    if (Array.isArray(existing)) {
+        existing.push(ev);
+    }
+    else {
+        ctx.metadata[INJECTION_TIMEOUT_METADATA_KEY] = [ev];
+    }
+}
 /**
  * PostToolUse middleware: scans tool results for prompt injection patterns.
  *
@@ -98,15 +166,24 @@ function scanValue(value, matches) {
  * SECURITY: Checking PostToolUse (after downstream execution, before the result
  * reaches the LLM) is the correct place to catch injection in tool descriptions
  * and resource content coming from potentially untrusted downstream servers.
+ *
+ * SECURITY (G3): The only regexes this middleware runs are wrapped in
+ * `SafeRegex` with a 100ms default per-call timeout. On timeout the scanner
+ * records an audit event and proceeds — blocking is governed by the literal
+ * substring checks (which have no ReDoS surface).
  */
-export function createInjectionMiddleware(action = 'block') {
+export function createInjectionMiddleware(action = 'block', opts = {}) {
+    const timeoutMs = opts.matchTimeoutMs ?? 100;
     return async (ctx, next) => {
         await next();
         // Only scan if we have a result to inspect
         if (ctx.result == null)
             return;
+        const safe = compileInjectionPatterns(timeoutMs, (patternId, input) => {
+            recordInjectionTimeout(ctx, patternId, Buffer.byteLength(input, 'utf8'), timeoutMs);
+        });
         const matches = [];
-        scanValue(ctx.result, matches);
+        scanValue(ctx.result, matches, safe);
         if (matches.length === 0)
             return;
         // Deduplicate matches