@de-otio/repo-aegis-core 0.2.0

package/dist/regex-safety.js

@@ -0,0 +1,322 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright (C) 2026 Richard Myers and contributors.
+import { spawnSync } from "node:child_process";
+import { createRequire } from "node:module";
+// Probe `re2` once at module load via `createRequire` so we keep
+// validatePattern fully sync. `re2` is an optionalDependency: install
+// failures (no native build toolchain) leave us on the in-process
+// fallback, which still provides best-effort ReDoS detection.
+const _require = createRequire(import.meta.url);
+let re2Ctor = null;
+let re2Probed = false;
+function probeRe2() {
+    if (re2Probed)
+        return re2Ctor;
+    re2Probed = true;
+    try {
+        const mod = _require("re2");
+        re2Ctor =
+            typeof mod === "function"
+                ? mod
+                : "default" in mod
+                    ? mod.default
+                    : mod;
+    }
+    catch {
+        re2Ctor = null;
+    }
+    return re2Ctor;
+}
+let forcedBackend = null;
+/**
+ * Test-only override. Forces {@link getRegexBackend} and
+ * {@link validatePattern} to use a specific backend regardless of which
+ * backends are installed. Pass `null` to clear. Production callers must
+ * not use this.
+ *
+ * @internal
+ */
+export function setRegexBackendForTesting(backend) {
+    forcedBackend = backend;
+}
+/**
+ * Report which regex backend repo-aegis is using for *additional*
+ * pattern-safety validation:
+ *
+ * - `"re2"`: the optional `re2` dependency is installed. Patterns that
+ *   compile cleanly in re2 are provably safe from catastrophic
+ *   backtracking (re2's hybrid NFA/DFA evaluator is linear-time by
+ *   construction). For patterns that re2 can't parse (lookahead /
+ *   look-behind / backreferences are unsupported in re2), validation
+ *   falls back to the `"in-process"` time-budget heuristic.
+ * - `"in-process"`: re2 is unavailable; the in-process timer fires
+ *   after the test completes (best-effort, may exceed budget).
+ *   {@link validatePatterns} `{ strict: true }` upgrades to
+ *   `"subprocess"` for the duration of that call.
+ * - `"subprocess"`: only returned by {@link getRegexBackend} when set
+ *   via {@link setRegexBackendForTesting}; otherwise an internal
+ *   detail of {@link validatePatterns}.
+ *
+ * Note: re2 affects *validation*, not the scanner's regex engine. The
+ * scanner still uses Node's native RegExp because the marker patterns
+ * may legitimately use lookahead constructs that re2 doesn't support.
+ */
+export function getRegexBackend() {
+    if (forcedBackend !== null)
+        return forcedBackend;
+    return probeRe2() !== null ? "re2" : "in-process";
+}
+const MAX_PATTERN_LENGTH = 2048;
+const MAX_COMBINED_BYTES = 128 * 1024;
+const REDOS_STRESS_LENGTH = 1000;
+const REDOS_TIMEOUT_MS = 100;
+const STRICT_BATCH_TIMEOUT_MS = 5000;
+/**
+ * Validate a single regex pattern for use as a marker.
+ *
+ * Checks:
+ * 1. Compiles as a JavaScript RegExp without throwing.
+ * 2. Length <= 2048 chars.
+ * 3. Backtracking-bound test against `'a'.repeat(1000)` completes within 100ms.
+ *    Catastrophic-backtracking patterns (e.g., `(a+)+$`) hang here and are
+ *    rejected as ReDoS-suspected.
+ *
+ * Run at `render` time; bad patterns must not reach the hot path of `check`.
+ *
+ * @internal Prefer {@link validatePatterns} (which can run strict,
+ * subprocess-backed validation that is preemptable on catastrophic
+ * backtracking). This single-pattern, in-process helper is exposed for
+ * intra-repo callers that already pre-validate adversary-trust boundaries
+ * but is not part of the supported public API.
+ */
+export function validatePattern(pattern) {
+    if (typeof pattern !== "string" || pattern.length === 0) {
+        return { ok: false, reason: "empty pattern" };
+    }
+    if (pattern.length > MAX_PATTERN_LENGTH) {
+        return { ok: false, reason: `pattern exceeds ${MAX_PATTERN_LENGTH} characters` };
+    }
+    try {
+        new RegExp(pattern, "i");
+    }
+    catch (err) {
+        return { ok: false, reason: `invalid regex: ${err.message}` };
+    }
+    // Backend-dependent ReDoS check.
+    const backend = getRegexBackend();
+    if (backend === "re2") {
+        const Re2 = probeRe2();
+        if (Re2 !== null) {
+            try {
+                new Re2(pattern, "i");
+                // re2 compile succeeded → linear-time evaluation guaranteed.
+                return { ok: true };
+            }
+            catch {
+                // re2 rejected (typically: pattern uses lookahead/lookbehind/
+                // backreferences which re2 doesn't support). Fall through to
+                // the in-process timer — the pattern is still valid for the
+                // scanner's RegExp engine, just not provably safe under re2.
+            }
+        }
+    }
+    // Synchronous in-process timing check. Best-effort: see SECURITY
+    // WARNING on isInTimeBudget. Worker-based watchdog adds startup
+    // overhead disproportionate to per-pattern cost; for marker-list sizes
+    // we expect (tens to low hundreds of patterns) the in-process check
+    // is fine for trusted-by-policy operator input.
+    if (!isInTimeBudget(pattern, REDOS_STRESS_LENGTH, REDOS_TIMEOUT_MS)) {
+        return {
+            ok: false,
+            reason: `pattern took >${REDOS_TIMEOUT_MS}ms on stress input ` +
+                `(possible catastrophic backtracking; consider re-anchoring)`,
+        };
+    }
+    return { ok: true };
+}
+/**
+ * Validate a list of patterns. Returns split valid/invalid.
+ *
+ * With `strict: true`, runs the backtracking-bound check in a subprocess
+ * that can be preemptively killed if any pattern hangs the regex engine.
+ * Recommended for `render` and other one-time-cost paths; not for the
+ * per-scan hot path.
+ */
+export function validatePatterns(patterns, opts = {}) {
+    if (opts.strict) {
+        return validatePatternsStrict(patterns);
+    }
+    const valid = [];
+    const invalid = [];
+    for (const p of patterns) {
+        const r = validatePattern(p);
+        if (r.ok)
+            valid.push(p);
+        else
+            invalid.push({ pattern: p, reason: r.reason ?? "unknown" });
+    }
+    return { valid, invalid };
+}
+/**
+ * Subprocess-backed strict validation. Spawns a child node process that
+ * runs each pattern's stress test sequentially, streaming a one-line
+ * JSON result per pattern. If the parent kills the child by timeout,
+ * the partial output identifies which pattern was in flight.
+ */
+function validatePatternsStrict(patterns) {
+    if (patterns.length === 0)
+        return { valid: [], invalid: [] };
+    // First pass: catch syntax + length errors in-process so we don't
+    // pay process-spawn cost for them.
+    const valid = [];
+    const invalid = [];
+    const toCheckRedos = [];
+    for (const p of patterns) {
+        if (typeof p !== "string" || p.length === 0) {
+            invalid.push({ pattern: p, reason: "empty pattern" });
+            continue;
+        }
+        if (p.length > MAX_PATTERN_LENGTH) {
+            invalid.push({
+                pattern: p,
+                reason: `pattern exceeds ${MAX_PATTERN_LENGTH} characters`,
+            });
+            continue;
+        }
+        try {
+            new RegExp(p, "i");
+        }
+        catch (err) {
+            invalid.push({ pattern: p, reason: `invalid regex: ${err.message}` });
+            continue;
+        }
+        toCheckRedos.push(p);
+    }
+    if (toCheckRedos.length === 0) {
+        return { valid, invalid };
+    }
+    const script = `
+const fs = require('fs');
+const input = JSON.parse(fs.readFileSync(0, 'utf8'));
+const { patterns, stressLength, perPatternBudgetMs } = input;
+const stress = 'a'.repeat(stressLength);
+for (let i = 0; i < patterns.length; i++) {
+  const p = patterns[i];
+  const start = Date.now();
+  let outcome;
+  try {
+    new RegExp(p, 'i').test(stress);
+    const elapsed = Date.now() - start;
+    if (elapsed > perPatternBudgetMs * 10) {
+      outcome = { i, ok: false, reason:
+        'pattern took >' + perPatternBudgetMs + 'ms on stress input ' +
+        '(possible catastrophic backtracking; consider re-anchoring)' };
+    } else {
+      outcome = { i, ok: true };
+    }
+  } catch (err) {
+    outcome = { i, ok: false, reason: 'invalid regex: ' + err.message };
+  }
+  process.stdout.write(JSON.stringify(outcome) + '\\n');
+}
+`;
+    const result = spawnSync(process.execPath, ["-e", script], {
+        input: JSON.stringify({
+            patterns: toCheckRedos,
+            stressLength: REDOS_STRESS_LENGTH,
+            perPatternBudgetMs: REDOS_TIMEOUT_MS,
+        }),
+        encoding: "utf8",
+        timeout: STRICT_BATCH_TIMEOUT_MS,
+        maxBuffer: 16 * 1024 * 1024,
+    });
+    // Parse partial stdout (one JSON object per line).
+    const seenResults = new Map();
+    for (const line of (result.stdout ?? "").split("\n")) {
+        if (!line.trim())
+            continue;
+        try {
+            const obj = JSON.parse(line);
+            seenResults.set(obj.i, { ok: obj.ok, reason: obj.reason });
+        }
+        catch {
+            /* skip malformed line */
+        }
+    }
+    const timedOut = result.signal === "SIGTERM" || result.signal === "SIGKILL";
+    for (let i = 0; i < toCheckRedos.length; i++) {
+        const p = toCheckRedos[i];
+        const r = seenResults.get(i);
+        if (r) {
+            if (r.ok)
+                valid.push(p);
+            else
+                invalid.push({ pattern: p, reason: r.reason ?? "unknown" });
+        }
+        else {
+            // No result for this pattern: either the worker died on this
+            // pattern (likeliest culprit on timeout) or output was truncated.
+            const reason = timedOut
+                ? "strict validation timed out on this pattern (likely catastrophic backtracking)"
+                : "strict validation produced no result";
+            invalid.push({ pattern: p, reason });
+        }
+    }
+    return { valid, invalid };
+}
+/**
+ * Validate that a combined alternation regex is within the size cap.
+ * Used by render and the deny-set computation as a safety net.
+ */
+export function validateCombinedSize(combined) {
+    if (Buffer.byteLength(combined, "utf8") > MAX_COMBINED_BYTES) {
+        return {
+            ok: false,
+            reason: `combined regex exceeds ${MAX_COMBINED_BYTES} bytes`,
+        };
+    }
+    return { ok: true };
+}
+/**
+ * SECURITY WARNING — adversary input.
+ *
+ * `isInTimeBudget` (and therefore the non-strict {@link validatePattern}
+ * default that calls it) is **not** a preemptive ReDoS guard. Node's
+ * regex engine has no timeout; this function runs the pattern in-process
+ * against a stress input and measures wall-clock elapsed time *after* it
+ * returns. A genuinely catastrophic pattern can hang the event loop for
+ * seconds-to-minutes before the timer reading even runs, during which
+ * nothing else in the process makes progress.
+ *
+ * As a consequence, the non-strict {@link validatePattern} **must not**
+ * be called on adversary-controlled input. Use it only for marker
+ * patterns the operator has authored (registry / `engagements.yaml`),
+ * which are trusted-by-policy.
+ *
+ * For any path that takes pattern strings from outside that trust
+ * boundary — third-party config, network input, future MCP tool input —
+ * use the strict mode of {@link validatePatterns} (`{ strict: true }`),
+ * which spawns a subprocess that the parent can preemptively kill on
+ * timeout via `SIGTERM`/`SIGKILL`.
+ */
+function isInTimeBudget(pattern, stressLength, budgetMs) {
+    // Best-effort time-bounded check. Node has no preemptive regex timeout, so
+    // we rely on the regex engine being well-behaved enough that 'a'-fuzzing
+    // against a pathological pattern still returns within seconds (not hours).
+    // For genuinely catastrophic patterns this may exceed the budget by a
+    // small multiple, which is still survivable. The check exists to flag
+    // patterns that show signs of being problematic; it does not guarantee
+    // safety against an adversary who controls pattern input.
+    const re = new RegExp(pattern, "i");
+    const stress = "a".repeat(stressLength);
+    const start = Date.now();
+    try {
+        re.test(stress);
+    }
+    catch {
+        return false;
+    }
+    const elapsed = Date.now() - start;
+    return elapsed <= budgetMs * 10; // generous: 10x to account for noisy CI
+}
+//# sourceMappingURL=regex-safety.js.map

package/dist/regex-safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex-safety.js","sourceRoot":"","sources":["../src/regex-safety.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,qDAAqD;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAS5C,iEAAiE;AACjE,sEAAsE;AACtE,kEAAkE;AAClE,8DAA8D;AAC9D,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAIhD,IAAI,OAAO,GAA0B,IAAI,CAAC;AAC1C,IAAI,SAAS,GAAG,KAAK,CAAC;AACtB,SAAS,QAAQ;IACf,IAAI,SAAS;QAAE,OAAO,OAAO,CAAC;IAC9B,SAAS,GAAG,IAAI,CAAC;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAiD,CAAC;QAC5E,OAAO;YACL,OAAO,GAAG,KAAK,UAAU;gBACvB,CAAC,CAAC,GAAG;gBACL,CAAC,CAAC,SAAS,IAAI,GAAG;oBAClB,CAAC,CAAC,GAAG,CAAC,OAAO;oBACb,CAAC,CAAE,GAAiC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,IAAI,CAAC;IACjB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,IAAI,aAAa,GAAwB,IAAI,CAAC;AAE9C;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAA4B;IACpE,aAAa,GAAG,OAAO,CAAC;AAC1B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,eAAe;IAC7B,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,OAAO,QAAQ,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC;AACpD,CAAC;AAED,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAChC,MAAM,kBAAkB,GAAG,GAAG,GAAG,IAAI,CAAC;AACtC,MAAM,mBAAmB,GAAG,IAAI,CAAC;AACjC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAErC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,kBAAkB,aAAa,EAAE,CAAC;IACnF,CAAC;IACD,IAAI,CAAC;QACH,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAmB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;IAC3E,CAAC;IACD,iCAAiC;IACjC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,QAAQ,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;gBACtB,6DAA6D;gBAC7D,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;gBAC9D,6DAA6D;gBAC7D,4DAA4D;gBAC5D,6DAA6D;YAC/D,CAAC;QACH,CAAC;IACH,CAAC;IACD,iEAAiE;IACjE,gEAAgE;IAChE,uEAAuE;IACvE,oEAAoE;IACpE,gDAAgD;IAChD,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,CAAC,EAAE,CAAC;QACpE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EACJ,iBAAiB,gBAAgB,qBAAqB;gBACtD,6DAA6D;SAChE,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAaD;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAkB,EAClB,OAAgC,EAAE;IAElC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,GAA0C,EAAE,CAAC;IAC1D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,CAAC,EAAE;YAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;YACnB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAC7B,QAAkB;IAElB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAE7D,kEAAkE;IAClE,mCAAmC;IACnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,GAA0C,EAAE,CAAC;IAC1D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;YACtD,SAAS;QACX,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,CAAC;gBACV,MAAM,EAAE,mBAAmB,kBAAkB,aAAa;aAC3D,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,kBAAmB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACjF,SAAS;QACX,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,MAAM,GAAG;;;;;;;;;;;;;;;;;;;;;;;;CAwBhB,CAAC;IACA,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE;QACzD,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,QAAQ,EAAE,YAAY;YACtB,YAAY,EAAE,mBAAmB;YACjC,kBAAkB,EAAE,gBAAgB;SACrC,CAAC;QACF,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;KAC5B,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC/D,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;YAAE,SAAS;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAgD,CAAC;YAC5E,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,yBAAyB;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC;IAE5E,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,YAAY,CAAC,CAAC,CAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,EAAE,CAAC;YACN,IAAI,CAAC,CAAC,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;gBACnB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;QACnE,CAAC;aAAM,CAAC;YACN,6DAA6D;YAC7D,kEAAkE;YAClE,MAAM,MAAM,GAAG,QAAQ;gBACrB,CAAC,CAAC,gFAAgF;gBAClF,CAAC,CAAC,sCAAsC,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,IAAI,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,kBAAkB,EAAE,CAAC;QAC7D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,0BAA0B,kBAAkB,QAAQ;SAC7D,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAS,cAAc,CAAC,OAAe,EAAE,YAAoB,EAAE,QAAgB;IAC7E,2EAA2E;IAC3E,yEAAyE;IACzE,2EAA2E;IAC3E,sEAAsE;IACtE,sEAAsE;IACtE,uEAAuE;IACvE,0DAA0D;IAC1D,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,IAAI,CAAC;QACH,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IACnC,OAAO,OAAO,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,wCAAwC;AAC3E,CAAC"}

package/dist/regex-safety.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=regex-safety.test.d.ts.map

package/dist/regex-safety.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex-safety.test.d.ts","sourceRoot":"","sources":["../src/regex-safety.test.ts"],"names":[],"mappings":""}

package/dist/regex-safety.test.js

@@ -0,0 +1,149 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright (C) 2026 Richard Myers and contributors.
+import { describe, it, after } from "node:test";
+import assert from "node:assert/strict";
+import { validatePattern, validatePatterns, getRegexBackend, setRegexBackendForTesting, } from "./regex-safety.js";
+describe("validatePattern", () => {
+    it("accepts ordinary patterns", () => {
+        assert.equal(validatePattern("acme-corp").ok, true);
+        assert.equal(validatePattern("\\d{12}").ok, true);
+        assert.equal(validatePattern("[a-z]+@example\\.com").ok, true);
+    });
+    it("rejects empty patterns", () => {
+        const r = validatePattern("");
+        assert.equal(r.ok, false);
+        assert.match(r.reason, /empty/);
+    });
+    it("rejects non-string input", () => {
+        const r = validatePattern(undefined);
+        assert.equal(r.ok, false);
+    });
+    it("rejects syntactically invalid regex", () => {
+        const r = validatePattern("(unclosed");
+        assert.equal(r.ok, false);
+        assert.match(r.reason, /invalid regex/);
+    });
+    it("rejects patterns over the length cap", () => {
+        const r = validatePattern("a".repeat(2049));
+        assert.equal(r.ok, false);
+        assert.match(r.reason, /exceeds|length/i);
+    });
+    it("accepts patterns just under the length cap", () => {
+        const r = validatePattern("a".repeat(2000));
+        assert.equal(r.ok, true);
+    });
+});
+describe("validatePatterns", () => {
+    it("splits valid and invalid patterns", () => {
+        const r = validatePatterns(["acme-corp", "(unclosed", "\\d+"]);
+        assert.equal(r.valid.length, 2);
+        assert.equal(r.invalid.length, 1);
+        assert.equal(r.invalid[0].pattern, "(unclosed");
+    });
+    it("returns empty when all patterns are valid", () => {
+        const r = validatePatterns(["a", "b", "c"]);
+        assert.equal(r.valid.length, 3);
+        assert.equal(r.invalid.length, 0);
+    });
+    it("returns empty when no patterns provided", () => {
+        const r = validatePatterns([]);
+        assert.equal(r.valid.length, 0);
+        assert.equal(r.invalid.length, 0);
+    });
+});
+describe("validatePatterns({ strict: true })", () => {
+    it("accepts ordinary patterns", () => {
+        const r = validatePatterns(["acme-corp", "\\d{12}"], { strict: true });
+        assert.equal(r.valid.length, 2);
+        assert.equal(r.invalid.length, 0);
+    });
+    it("rejects syntactically invalid regex without spawning", () => {
+        const r = validatePatterns(["(unclosed"], { strict: true });
+        assert.equal(r.invalid.length, 1);
+        assert.match(r.invalid[0].reason, /invalid regex/);
+    });
+    it("rejects patterns over the length cap without spawning", () => {
+        const r = validatePatterns(["a".repeat(3000)], { strict: true });
+        assert.equal(r.invalid.length, 1);
+        assert.match(r.invalid[0].reason, /exceeds/);
+    });
+    it("flags catastrophic-backtracking patterns via subprocess", () => {
+        // Classic ReDoS shape: nested unbounded quantifier with a literal
+        // that the all-'a' stress input cannot satisfy, forcing the regex
+        // engine to try every possible split.
+        const r = validatePatterns(["^(a+)+b$"], { strict: true });
+        assert.equal(r.invalid.length, 1, `expected the pattern to be rejected; got valid=${JSON.stringify(r.valid)}`);
+        assert.match(r.invalid[0].reason, /catastrophic|timed out|>/i);
+    });
+    it("returns empty for empty input without spawning", () => {
+        const r = validatePatterns([], { strict: true });
+        assert.equal(r.valid.length, 0);
+        assert.equal(r.invalid.length, 0);
+    });
+    it("preserves order across mixed valid/invalid input", () => {
+        const r = validatePatterns(["acme-corp", "(bad", "\\d+", ""], { strict: true });
+        assert.deepEqual(r.valid, ["acme-corp", "\\d+"]);
+        assert.equal(r.invalid.length, 2);
+    });
+    it("reports trailing patterns when subprocess is killed mid-batch", () => {
+        // Strict-batch truncation contract: if the worker subprocess hangs on
+        // a catastrophic pattern and gets SIGTERMed, we must still report the
+        // patterns it never got to. The first pattern is fine and should be
+        // valid, the second is catastrophic-backtracking and should be in
+        // invalid (with a "timed out" or "catastrophic" reason), and the
+        // third — which the subprocess likely never reached — must also be
+        // reported (most likely as "produced no result" if truncation
+        // occurred mid-batch).
+        const r = validatePatterns(["acme-corp", "^(a+)+b$", "\\d{12}"], { strict: true });
+        // The first pattern is well-formed; it should always come back valid.
+        assert.ok(r.valid.includes("acme-corp"), `expected first pattern to validate; got valid=${JSON.stringify(r.valid)}`);
+        // The catastrophic pattern must end up in the invalid bucket with a
+        // reason that names the failure mode.
+        const cata = r.invalid.find(x => x.pattern === "^(a+)+b$");
+        assert.ok(cata, `expected ^(a+)+b$ in invalid; got invalid=${JSON.stringify(r.invalid)}`);
+        assert.match(cata.reason, /timed out|catastrophic|>/i);
+        // The third pattern is well-formed *but* may have been trampled by
+        // the kill-on-timeout. It must show up in *one* of the result sets:
+        // valid (if the worker got that far before timeout), or invalid with
+        // a "no result" / "timed out" reason (if truncation hit it).
+        const reported = r.valid.includes("\\d{12}") ||
+            r.invalid.some(x => x.pattern === "\\d{12}");
+        assert.ok(reported, `third pattern must be reported in valid or invalid; ` +
+            `valid=${JSON.stringify(r.valid)} invalid=${JSON.stringify(r.invalid)}`);
+        // Total accounting: every input pattern must show up exactly once
+        // across the two buckets.
+        assert.equal(r.valid.length + r.invalid.length, 3);
+    });
+});
+describe("getRegexBackend", () => {
+    after(() => setRegexBackendForTesting(null));
+    it("returns 're2' or 'in-process' depending on optional dep availability", () => {
+        setRegexBackendForTesting(null);
+        const backend = getRegexBackend();
+        assert.ok(backend === "re2" || backend === "in-process", `unexpected backend: ${backend}`);
+    });
+    it("respects setRegexBackendForTesting override", () => {
+        setRegexBackendForTesting("in-process");
+        assert.equal(getRegexBackend(), "in-process");
+        setRegexBackendForTesting("re2");
+        assert.equal(getRegexBackend(), "re2");
+        setRegexBackendForTesting(null);
+    });
+    it("validatePattern accepts ordinary patterns under both backends", () => {
+        setRegexBackendForTesting("in-process");
+        assert.equal(validatePattern("acme-corp").ok, true);
+        setRegexBackendForTesting("re2");
+        assert.equal(validatePattern("acme-corp").ok, true);
+        setRegexBackendForTesting(null);
+    });
+    it("validatePattern falls back to time-budget when re2 rejects (e.g. lookahead)", () => {
+        // Lookahead is a re2-incompatible feature. Whether re2 is installed
+        // or not, validatePattern must still accept this pattern because
+        // the scanner uses native RegExp, which supports lookahead.
+        setRegexBackendForTesting("re2");
+        const r = validatePattern("foo(?=bar)");
+        assert.equal(r.ok, true, `expected lookahead pattern to validate; reason=${r.reason}`);
+        setRegexBackendForTesting(null);
+    });
+});
+//# sourceMappingURL=regex-safety.test.js.map

package/dist/regex-safety.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex-safety.test.js","sourceRoot":"","sources":["../src/regex-safety.test.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,qDAAqD;AACrD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,yBAAyB,GAC1B,MAAM,mBAAmB,CAAC;AAE3B,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACpD,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,sBAAsB,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAO,EAAE,OAAO,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,eAAe,CAAC,SAA8B,CAAC,CAAC;QAC1D,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAO,EAAE,eAAe,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAO,EAAE,iBAAiB,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,kEAAkE;QAClE,kEAAkE;QAClE,sCAAsC;QACtC,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,kDAAkD,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC/G,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,gBAAgB,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,CAAC,GAAG,gBAAgB,CACxB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC,EACjC,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,sEAAsE;QACtE,sEAAsE;QACtE,oEAAoE;QACpE,kEAAkE;QAClE,iEAAiE;QACjE,mEAAmE;QACnE,8DAA8D;QAC9D,uBAAuB;QACvB,MAAM,CAAC,GAAG,gBAAgB,CACxB,CAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,EACpC,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB,CAAC;QAEF,sEAAsE;QACtE,MAAM,CAAC,EAAE,CACP,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC7B,iDAAiD,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAC3E,CAAC;QAEF,oEAAoE;QACpE,sCAAsC;QACtC,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,6CAA6C,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1F,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAC;QAExD,mEAAmE;QACnE,oEAAoE;QACpE,qEAAqE;QACrE,6DAA6D;QAC7D,MAAM,QAAQ,GACZ,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC3B,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC;QAC/C,MAAM,CAAC,EAAE,CACP,QAAQ,EACR,sDAAsD;YACpD,SAAS,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAC1E,CAAC;QAEF,kEAAkE;QAClE,0BAA0B;QAC1B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,KAAK,CAAC,GAAG,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7C,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,yBAAyB,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,CAAC,EAAE,CACP,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,YAAY,EAC7C,uBAAuB,OAAO,EAAE,CACjC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,yBAAyB,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,YAAY,CAAC,CAAC;QAC9C,yBAAyB,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,KAAK,CAAC,CAAC;QACvC,yBAAyB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,yBAAyB,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACpD,yBAAyB,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACpD,yBAAyB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,GAAG,EAAE;QACrF,oEAAoE;QACpE,iEAAiE;QACjE,4DAA4D;QAC5D,yBAAyB,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,kDAAkD,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,yBAAyB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/registry-mutate.d.ts

@@ -0,0 +1,35 @@
+export interface AddMarkerPatternOptions {
+    /** Override the registry path (defaults to ~/.config/repo-aegis/engagements.yaml). */
+    registryPath?: string;
+    /**
+     * When true, audit-log writes record the source the pattern came from
+     * (e.g. `"suggest-markers"`). Caller-provided so the caller's verb
+     * shows up in the trail. Default: `"manual"`.
+     */
+    source?: string;
+}
+export interface AddMarkerPatternResult {
+    added: string[];
+    skipped: string[];
+    rendered: {
+        written: number;
+        removed: number;
+    };
+}
+/**
+ * Append one or more validated regex patterns to an engagement's
+ * markers. Held under a single registry lock for the entire
+ * load-modify-write-render cycle (see [SEC M-3]). Idempotent: patterns
+ * already present are reported in `skipped`, not re-added.
+ *
+ * Throws:
+ *   - `EngagementNotFoundError` if no engagement with that id exists.
+ *   - `PatternValidationError` if any pattern fails `validatePattern`.
+ */
+export declare function addMarkerPatterns(engagementId: string, patterns: string[], opts?: AddMarkerPatternOptions): AddMarkerPatternResult;
+/**
+ * Convenience wrapper: append a single pattern. Same semantics as
+ * `addMarkerPatterns([pattern])`.
+ */
+export declare function addMarkerPattern(engagementId: string, pattern: string, opts?: AddMarkerPatternOptions): AddMarkerPatternResult;
+//# sourceMappingURL=registry-mutate.d.ts.map

package/dist/registry-mutate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry-mutate.d.ts","sourceRoot":"","sources":["../src/registry-mutate.ts"],"names":[],"mappings":"AAyBA,MAAM,WAAW,uBAAuB;IACtC,sFAAsF;IACtF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAChD;AA0BD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAAE,EAClB,IAAI,GAAE,uBAA4B,GACjC,sBAAsB,CA4FxB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,uBAA4B,GACjC,sBAAsB,CAExB"}