@mmnto/totem 1.15.2 → 1.15.3

package/dist/regex-safety/apply-rules-bounded.js

@@ -0,0 +1,114 @@
+/**
+ * Bounded-execution variant of `applyRulesToAdditions` (mmnto-ai/totem#1641).
+ *
+ * Routes every regex rule through the persistent-worker `RegexEvaluator`
+ * so a catastrophic-backtracking pattern terminates at the configured
+ * timeout rather than hanging the lint process indefinitely. Engine layer
+ * is policy-free: it records `RuleTimeoutOutcome` entries and lets the
+ * caller (CLI) decide whether to surface them as exit-code contributors
+ * (strict) or as skipped warnings (lenient).
+ *
+ * Scope: regex-engine rules only. ast / ast-grep rules are not ReDoS-
+ * susceptible and are evaluated by `applyAstRulesToAdditions` / the
+ * compound-rule pipeline under separate bounds.
+ */
+import { TotemParseError } from '../errors.js';
+import { extractJustification, isSuppressed, matchesGlob, } from '../rule-engine.js';
+import { redactPath } from './telemetry.js';
+function fileMatchesGlobs(filePath, globs) {
+    const hasIncludes = globs.some((g) => !g.startsWith('!'));
+    let matched = !hasIncludes;
+    for (const glob of globs) {
+        if (glob.startsWith('!')) {
+            if (matchesGlob(filePath, glob.slice(1)))
+                return false;
+        }
+        else if (matchesGlob(filePath, glob)) {
+            matched = true;
+        }
+    }
+    return matched;
+}
+export async function applyRulesToAdditionsBounded(ctx, rules, additions, options, onRuleEvent) {
+    const violations = [];
+    const timeoutOutcomes = [];
+    if (additions.length === 0 || rules.length === 0) {
+        return { violations, timeoutOutcomes };
+    }
+    const regexRules = rules.filter((r) => r.engine === 'regex' || !r.engine);
+    for (const rule of regexRules) {
+        // Partition additions by file so the evaluator can batch one rule per
+        // file at a time. File granularity matches the fileGlobs scoping and
+        // keeps timeout isolation per rule-file pair.
+        const byFile = new Map();
+        for (const addition of additions) {
+            if (rule.fileGlobs && rule.fileGlobs.length > 0) {
+                if (!fileMatchesGlobs(addition.file, rule.fileGlobs))
+                    continue;
+            }
+            const bucket = byFile.get(addition.file) ?? [];
+            bucket.push(addition);
+            byFile.set(addition.file, bucket);
+        }
+        for (const [file, fileAdditions] of byFile) {
+            const result = await options.evaluator.evaluate({
+                ruleHash: rule.lessonHash,
+                pattern: rule.pattern,
+                flags: '',
+                lines: fileAdditions.map((a) => a.line),
+                redactedPath: redactPath(file, options.repoRoot),
+            });
+            if (result.kind === 'error') {
+                // Fail loud (matches rule-engine.ts pre-#1641 contract at line
+                // 247). An uncompilable compiled rule means the validator was
+                // bypassed or the manifest was edited by hand; silently skipping
+                // would mark the diff "compliant" while a load-bearing rule is
+                // mute.
+                throw new TotemParseError(`Rule ${rule.lessonHash} has an invalid regex pattern and cannot be evaluated.`, `Re-run 'totem lesson compile' to regenerate the rule, or archive it via 'totem doctor --pr' if the source lesson cannot produce a valid pattern. Pattern: ${JSON.stringify(rule.pattern)} — worker reported: ${result.message}`);
+            }
+            if (result.kind === 'timeout') {
+                timeoutOutcomes.push({
+                    ruleHash: rule.lessonHash,
+                    file,
+                    elapsedMs: result.elapsedMs,
+                    mode: options.timeoutMode,
+                });
+                onRuleEvent?.('failure', rule.lessonHash, {
+                    file,
+                    line: 0,
+                    failureReason: `timeout after ${result.elapsedMs}ms (mode: ${options.timeoutMode})`,
+                });
+                continue;
+            }
+            for (const matchedIndex of result.matchedIndices) {
+                const addition = fileAdditions[matchedIndex];
+                if (!addition)
+                    continue;
+                if (isSuppressed(ctx, addition.line, addition.precedingLine)) {
+                    onRuleEvent?.('suppress', rule.lessonHash, {
+                        file: addition.file,
+                        line: addition.lineNumber,
+                        justification: extractJustification(ctx, addition.line, addition.precedingLine),
+                        immutable: rule.immutable,
+                    });
+                    continue;
+                }
+                onRuleEvent?.('trigger', rule.lessonHash, {
+                    file: addition.file,
+                    line: addition.lineNumber,
+                    astContext: addition.astContext,
+                });
+                if (!addition.astContext || addition.astContext === 'code') {
+                    violations.push({
+                        rule,
+                        file: addition.file,
+                        line: addition.line,
+                        lineNumber: addition.lineNumber,
+                    });
+                }
+            }
+        }
+    }
+    return { violations, timeoutOutcomes };
+}
+//# sourceMappingURL=apply-rules-bounded.js.map

package/dist/regex-safety/apply-rules-bounded.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apply-rules-bounded.js","sourceRoot":"","sources":["../../src/regex-safety/apply-rules-bounded.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EACL,oBAAoB,EACpB,YAAY,EACZ,WAAW,GAEZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAsB5C,SAAS,gBAAgB,CAAC,QAAgB,EAAE,KAAwB;IAClE,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,IAAI,OAAO,GAAG,CAAC,WAAW,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,IAAI,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAC;QACzD,CAAC;aAAM,IAAI,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC;YACvC,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,GAAsB,EACtB,KAA8B,EAC9B,SAAkC,EAClC,OAA4B,EAC5B,WAA+B;IAE/B,MAAM,UAAU,GAAgB,EAAE,CAAC;IACnC,MAAM,eAAe,GAAyB,EAAE,CAAC;IAEjD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAE1E,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,sEAAsE;QACtE,qEAAqE;QACrE,8CAA8C;QAC9C,MAAM,MAAM,GAAG,IAAI,GAAG,EAA0B,CAAC;QACjD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBAAE,SAAS;YACjE,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,EAAE,aAAa,CAAC,IAAI,MAAM,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC;gBAC9C,QAAQ,EAAE,IAAI,CAAC,UAAU;gBACzB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,KAAK,EAAE,EAAE;gBACT,KAAK,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBACvC,YAAY,EAAE,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC;aACjD,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,+DAA+D;gBAC/D,8DAA8D;gBAC9D,iEAAiE;gBACjE,+DAA+D;gBAC/D,QAAQ;gBACR,MAAM,IAAI,eAAe,CACvB,QAAQ,IAAI,CAAC,UAAU,wDAAwD,EAC/E,6JAA6J,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,uBAAuB,MAAM,CAAC,OAAO,EAAE,CACjO,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC9B,eAAe,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,IAAI,CAAC,UAAU;oBACzB,IAAI;oBACJ,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,IAAI,EAAE,OAAO,CAAC,WAAW;iBAC1B,CAAC,CAAC;gBACH,WAAW,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE;oBACxC,IAAI;oBACJ,IAAI,EAAE,CAAC;oBACP,aAAa,EAAE,iBAAiB,MAAM,CAAC,SAAS,aAAa,OAAO,CAAC,WAAW,GAAG;iBACpF,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,KAAK,MAAM,YAAY,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBACjD,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;gBAC7C,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAExB,IAAI,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBAC7D,WAAW,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;wBACzC,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,IAAI,EAAE,QAAQ,CAAC,UAAU;wBACzB,aAAa,EAAE,oBAAoB,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,aAAa,CAAC;wBAC/E,SAAS,EAAE,IAAI,CAAC,SAAS;qBAC1B,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,WAAW,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE;oBACxC,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,IAAI,EAAE,QAAQ,CAAC,UAAU;oBACzB,UAAU,EAAE,QAAQ,CAAC,UAAU;iBAChC,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;oBAC3D,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI;wBACJ,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;wBACnB,UAAU,EAAE,QAAQ,CAAC,UAAU;qBAChC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,CAAC;AACzC,CAAC"}

package/dist/regex-safety/apply-rules-bounded.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=apply-rules-bounded.test.d.ts.map

package/dist/regex-safety/apply-rules-bounded.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apply-rules-bounded.test.d.ts","sourceRoot":"","sources":["../../src/regex-safety/apply-rules-bounded.test.ts"],"names":[],"mappings":""}

package/dist/regex-safety/apply-rules-bounded.test.js

@@ -0,0 +1,136 @@
+import { describe, expect, it } from 'vitest';
+import { makeRuleEngineCtx } from '../test-utils.js';
+import { applyRulesToAdditionsBounded } from './apply-rules-bounded.js';
+import { RegexEvaluator } from './evaluator.js';
+function addition(file, line, lineNumber) {
+    return { file, line, lineNumber, precedingLine: null };
+}
+function regexRule(lessonHash, pattern, engine = 'regex') {
+    return {
+        lessonHash,
+        lessonHeading: `rule ${lessonHash}`,
+        pattern,
+        message: `violation for ${lessonHash}`,
+        engine,
+        compiledAt: '2026-04-23T00:00:00Z',
+    };
+}
+describe('applyRulesToAdditionsBounded — happy path', () => {
+    it('flags matching additions under a sync evaluator', async () => {
+        const evaluator = new RegexEvaluator();
+        try {
+            const rules = [regexRule('h1', 'console\\.log')];
+            const additions = [
+                addition('foo.ts', 'console.log("a")', 10),
+                addition('foo.ts', 'logger.info("b")', 11),
+            ];
+            const result = await applyRulesToAdditionsBounded(makeRuleEngineCtx(), rules, additions, {
+                evaluator,
+                timeoutMode: 'strict',
+                repoRoot: '/tmp/repo',
+            });
+            expect(result.violations).toHaveLength(1);
+            expect(result.violations[0]?.rule.lessonHash).toBe('h1');
+            expect(result.violations[0]?.lineNumber).toBe(10);
+            expect(result.timeoutOutcomes).toEqual([]);
+        }
+        finally {
+            await evaluator.dispose();
+        }
+    });
+    it('respects fileGlobs when evaluating additions', async () => {
+        const evaluator = new RegexEvaluator();
+        try {
+            const rule = {
+                ...regexRule('scoped', 'foo'),
+                fileGlobs: ['**/*.md'],
+            };
+            const additions = [
+                addition('readme.md', 'foo', 1),
+                addition('app.ts', 'foo', 1),
+            ];
+            const result = await applyRulesToAdditionsBounded(makeRuleEngineCtx(), [rule], additions, {
+                evaluator,
+                timeoutMode: 'strict',
+                repoRoot: '/tmp/repo',
+            });
+            expect(result.violations).toHaveLength(1);
+            expect(result.violations[0]?.file).toBe('readme.md');
+        }
+        finally {
+            await evaluator.dispose();
+        }
+    });
+});
+describe('applyRulesToAdditionsBounded — timeout strict', () => {
+    it('returns a RuleTimeoutOutcome and excludes violations for the timing-out rule', async () => {
+        const evaluator = new RegexEvaluator({ timeoutMs: 150, softWarningMs: 50 });
+        try {
+            const rules = [regexRule('redos', '(a+)+b'), regexRule('healthy', 'foo')];
+            const additions = [
+                addition('a.ts', 'a'.repeat(50000) + 'c', 1),
+                addition('b.ts', 'foo', 2),
+            ];
+            const result = await applyRulesToAdditionsBounded(makeRuleEngineCtx(), rules, additions, {
+                evaluator,
+                timeoutMode: 'strict',
+                repoRoot: '/tmp/repo',
+            });
+            const timeoutHashes = result.timeoutOutcomes.map((o) => o.ruleHash);
+            expect(timeoutHashes).toContain('redos');
+            // Healthy rule should still produce its violation.
+            const healthyViolation = result.violations.find((v) => v.rule.lessonHash === 'healthy');
+            expect(healthyViolation).toBeDefined();
+        }
+        finally {
+            await evaluator.dispose();
+        }
+    });
+});
+describe('applyRulesToAdditionsBounded — timeout lenient', () => {
+    it('records timeout outcomes but does not differ from strict at the engine layer', async () => {
+        // The strict/lenient semantics are enforced at the CLI layer based on
+        // the timeoutOutcomes array this function returns. The engine itself
+        // is policy-free — it records the outcome and lets the caller decide
+        // the exit-code effect. Locking this in prevents future drift where
+        // the engine starts making policy decisions instead of surfacing them.
+        const evaluator = new RegexEvaluator({ timeoutMs: 150, softWarningMs: 50 });
+        try {
+            const rules = [regexRule('redos', '(a+)+b')];
+            const additions = [addition('a.ts', 'a'.repeat(50000) + 'c', 1)];
+            const strict = await applyRulesToAdditionsBounded(makeRuleEngineCtx(), rules, additions, {
+                evaluator,
+                timeoutMode: 'strict',
+                repoRoot: '/tmp/repo',
+            });
+            const lenient = await applyRulesToAdditionsBounded(makeRuleEngineCtx(), rules, additions, {
+                evaluator,
+                timeoutMode: 'lenient',
+                repoRoot: '/tmp/repo',
+            });
+            expect(strict.timeoutOutcomes).toHaveLength(1);
+            expect(lenient.timeoutOutcomes).toHaveLength(1);
+        }
+        finally {
+            await evaluator.dispose();
+        }
+    });
+});
+describe('applyRulesToAdditionsBounded — invalid pattern', () => {
+    it('fails loud on a compiled rule with an invalid regex (matches existing rule-engine contract)', async () => {
+        const evaluator = new RegexEvaluator();
+        try {
+            const rules = [regexRule('broken', '(unclosed')];
+            const additions = [addition('a.ts', 'foo', 1)];
+            await expect(applyRulesToAdditionsBounded(makeRuleEngineCtx(), rules, additions, {
+                evaluator,
+                timeoutMode: 'strict',
+                repoRoot: '/tmp/repo',
+            })).rejects.toThrow(/invalid regex|cannot be evaluated/i);
+        }
+        finally {
+            await evaluator.dispose();
+        }
+    });
+});
+//# sourceMappingURL=apply-rules-bounded.test.js.map

package/dist/regex-safety/apply-rules-bounded.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apply-rules-bounded.test.js","sourceRoot":"","sources":["../../src/regex-safety/apply-rules-bounded.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAG9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,4BAA4B,EAA2B,MAAM,0BAA0B,CAAC;AACjG,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,SAAS,QAAQ,CAAC,IAAY,EAAE,IAAY,EAAE,UAAkB;IAC9D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,SAAS,CAAC,UAAkB,EAAE,OAAe,EAAE,SAAkB,OAAO;IAC/E,OAAO;QACL,UAAU;QACV,aAAa,EAAE,QAAQ,UAAU,EAAE;QACnC,OAAO;QACP,OAAO,EAAE,iBAAiB,UAAU,EAAE;QACtC,MAAM;QACN,UAAU,EAAE,sBAAsB;KACnC,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;IACzD,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,SAAS,GAAG,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC;YACjD,MAAM,SAAS,GAAmB;gBAChC,QAAQ,CAAC,QAAQ,EAAE,kBAAkB,EAAE,EAAE,CAAC;gBAC1C,QAAQ,CAAC,QAAQ,EAAE,kBAAkB,EAAE,EAAE,CAAC;aAC3C,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBACvF,SAAS;gBACT,WAAW,EAAE,QAAQ;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzD,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC7C,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,SAAS,GAAG,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,IAAI,GAAiB;gBACzB,GAAG,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC;gBAC7B,SAAS,EAAE,CAAC,SAAS,CAAC;aACvB,CAAC;YACF,MAAM,SAAS,GAAmB;gBAChC,QAAQ,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC/B,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;aAC7B,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE;gBACxF,SAAS;gBACT,WAAW,EAAE,QAAQ;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvD,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,+CAA+C,EAAE,GAAG,EAAE;IAC7D,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;QAC5F,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;YAC1E,MAAM,SAAS,GAAmB;gBAChC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;gBAC5C,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;aAC3B,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBACvF,SAAS;gBACT,WAAW,EAAE,QAAQ;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAqB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YACxF,MAAM,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACzC,mDAAmD;YACnD,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC;YACxF,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gDAAgD,EAAE,GAAG,EAAE;IAC9D,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;QAC5F,sEAAsE;QACtE,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,uEAAuE;QACvE,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACjF,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBACvF,SAAS;gBACT,WAAW,EAAE,QAAQ;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBACxF,SAAS;gBACT,WAAW,EAAE,SAAS;gBACtB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gDAAgD,EAAE,GAAG,EAAE;IAC9D,EAAE,CAAC,6FAA6F,EAAE,KAAK,IAAI,EAAE;QAC3G,MAAM,SAAS,GAAG,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;YACjD,MAAM,SAAS,GAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/D,MAAM,MAAM,CACV,4BAA4B,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBAClE,SAAS;gBACT,WAAW,EAAE,QAAQ;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;QAC1D,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/regex-safety/evaluator.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Persistent-worker regex evaluator with per-batch timeout (mmnto-ai/totem#1641).
+ *
+ * Spawns one Node worker thread on construction, serializes batches onto
+ * it, and enforces a main-thread timeout. If a pattern catastrophic-
+ * backtracks inside the worker, the main-thread timer fires, calls
+ * `worker.terminate()`, and respawns a fresh worker for the next batch.
+ * Every evaluation resolves with one of three outcomes — `ok` (matched
+ * indices + elapsed + softWarning flag), `timeout` (the worker was
+ * terminated), or `error` (the pattern was syntactically invalid; the
+ * worker is still alive). The caller decides strict vs lenient handling.
+ *
+ * Invariants:
+ * - At most one `Worker` alive per evaluator instance.
+ * - `pending` never holds stale entries past a batch's terminal state.
+ * - Batches are serialized (one in-flight at a time) — no multiplexing.
+ * - Telemetry is emitted on every terminal outcome via the
+ *   `onTelemetry` callback the caller supplies; if absent, telemetry
+ *   is silently dropped (safe — the evaluator itself never fails on
+ *   telemetry-sink failure).
+ */
+import type { RegexTelemetry } from './telemetry.js';
+export interface RegexEvaluatorConfig {
+    /** Hard timeout per batch (ms). Exceeded batches terminate the worker. */
+    timeoutMs: number;
+    /** Soft-warning threshold (ms). Sub-timeout but slow; sets the flag on telemetry. */
+    softWarningMs: number;
+}
+export interface EvaluateInput {
+    ruleHash: string;
+    pattern: string;
+    flags: string;
+    lines: readonly string[];
+}
+export type EvaluateResult = {
+    kind: 'ok';
+    matchedIndices: number[];
+    elapsedMs: number;
+    softWarningTriggered: boolean;
+} | {
+    kind: 'timeout';
+    elapsedMs: number;
+} | {
+    kind: 'error';
+    message: string;
+    elapsedMs: number;
+};
+export declare class RegexEvaluator {
+    private worker;
+    private readonly pending;
+    private readonly config;
+    private readonly onTelemetry;
+    private queue;
+    private disposed;
+    /**
+     * Coalesces concurrent respawn requests (mmnto-ai/totem#1641 Shield review
+     * round-1). Without this, a timeout event firing at roughly the same
+     * moment as a worker `error` event can call `spawnWorker()` twice,
+     * leaking a thread. `evaluate()` also awaits this promise before
+     * `postMessage` so a batch scheduled during a respawn waits for the
+     * new worker instead of silently dropping against a null handle.
+     */
+    private respawnPromise;
+    /**
+     * Worker-online gate (mmnto-ai/totem#1641, CI round-1 fix). The Node
+     * `Worker` constructor returns before the thread is actually running
+     * (thread-spawn takes ~30-50ms). If `evaluate()` starts its timeout
+     * timer before the worker is online, a slow CI box can trip a
+     * spurious timeout on the first batch. Gate postMessage on this
+     * promise so cold-start cost never counts against the budget.
+     */
+    private workerReady;
+    /**
+     * Consecutive-respawn counter (Shield review round-1). If the worker
+     * keeps dying at spawn time (missing worker.js, syntax error in the
+     * worker script, etc.), unbounded respawn becomes a CPU-pegging loop.
+     * The counter increments on each respawn, resets on every successful
+     * evaluation, and flips `permanentlyFailed` once the budget is spent.
+     */
+    private consecutiveRespawns;
+    private permanentlyFailed;
+    private static readonly MAX_CONSECUTIVE_RESPAWNS;
+    constructor(config?: Partial<RegexEvaluatorConfig>, onTelemetry?: (record: RegexTelemetry) => void);
+    evaluate(input: EvaluateInput & {
+        redactedPath?: string;
+    }): Promise<EvaluateResult>;
+    dispose(): Promise<void>;
+    private evaluateOnce;
+    private spawnWorker;
+    private respawnWorker;
+    private handleMessage;
+    private rejectAllPendingAsCrash;
+    private emitTelemetry;
+}
+//# sourceMappingURL=evaluator.d.ts.map

package/dist/regex-safety/evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/regex-safety/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AASH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,WAAW,oBAAoB;IACnC,0EAA0E;IAC1E,SAAS,EAAE,MAAM,CAAC;IAClB,qFAAqF;IACrF,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,MAAM,cAAc,GACtB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,cAAc,EAAE,MAAM,EAAE,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,oBAAoB,EAAE,OAAO,CAAA;CAAE,GAC1F;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACtC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAkC1D,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAmC;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuB;IAC9C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAiD;IAC7E,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,QAAQ,CAAS;IACzB;;;;;;;OAOG;IACH,OAAO,CAAC,cAAc,CAA8B;IACpD;;;;;;;OAOG;IACH,OAAO,CAAC,WAAW,CAAoC;IACvD;;;;;;OAMG;IACH,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,CAAK;gBAGnD,MAAM,GAAE,OAAO,CAAC,oBAAoB,CAAM,EAC1C,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI;IAO1C,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC;IA6CnF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAa9B,OAAO,CAAC,YAAY;IAgDpB,OAAO,CAAC,WAAW;YAsCL,aAAa;IAkC3B,OAAO,CAAC,aAAa;IAkCrB,OAAO,CAAC,uBAAuB;IAiB/B,OAAO,CAAC,aAAa;CAQtB"}