@remnic/core 9.3.622 → 9.3.623

package/dist/summarizer.js

@@ -1,15 +1,15 @@
 import {
   HourlySummarizer
-} from "./chunk-XAZOWLW4.js";
+} from "./chunk-3VONWEQB.js";
 import "./chunk-XJNBEDFE.js";
 import "./chunk-XZ4WBBB5.js";
 import "./chunk-77NAFXUD.js";
 import "./chunk-FF4KLI5W.js";
-import "./chunk-DEVUWMME.js";
+import "./chunk-KGIGRNR6.js";
 import "./chunk-B5XMS73R.js";
 import "./chunk-7SI52C65.js";
 import "./chunk-L2EXJQJP.js";
-import "./chunk-UZB5KHKX.js";
+import "./chunk-RGMVMVMF.js";
 import "./chunk-RK6F44Y6.js";
 import "./chunk-NNVTUXEB.js";
 import "./chunk-EYIEWJNI.js";

package/dist/temporal-supersession.js

@@ -6,7 +6,7 @@ import {
   shouldFilterSupersededFromRecall,
   shouldSupersedeExisting,
   supersessionKeysForFact
-} from "./chunk-K5O2QY6T.js";
+} from "./chunk-YTWNKQ2G.js";
 import "./chunk-MDYG7VI7.js";
 import "./chunk-2ODBA7MQ.js";
 import "./chunk-PZ5AY32C.js";

package/dist/transfer/types.d.ts

@@ -313,13 +313,13 @@ declare const CapsuleBlockSchema: z.ZodObject<{
         peerProfiles: boolean;
     }>;
 }, "strip", z.ZodTypeAny, {
-    schemaVersion: string;
     includes: {
         procedural: boolean;
         taxonomy: boolean;
         identityAnchors: boolean;
         peerProfiles: boolean;
     };
+    schemaVersion: string;
     id: string;
     description: string;
     version: string;
@@ -334,13 +334,13 @@ declare const CapsuleBlockSchema: z.ZodObject<{
         directAnswerEnabled: boolean;
     };
 }, {
-    schemaVersion: string;
     includes: {
         procedural: boolean;
         taxonomy: boolean;
         identityAnchors: boolean;
         peerProfiles: boolean;
     };
+    schemaVersion: string;
     id: string;
     description: string;
     version: string;
@@ -464,13 +464,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
             peerProfiles: boolean;
         }>;
     }, "strip", z.ZodTypeAny, {
-        schemaVersion: string;
         includes: {
             procedural: boolean;
             taxonomy: boolean;
             identityAnchors: boolean;
             peerProfiles: boolean;
         };
+        schemaVersion: string;
         id: string;
         description: string;
         version: string;
@@ -485,13 +485,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
             directAnswerEnabled: boolean;
         };
     }, {
-        schemaVersion: string;
         includes: {
             procedural: boolean;
             taxonomy: boolean;
             identityAnchors: boolean;
             peerProfiles: boolean;
         };
+        schemaVersion: string;
         id: string;
         description: string;
         version: string;
@@ -518,13 +518,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
     pluginVersion: string;
     includesTranscripts: boolean;
     capsule: {
-        schemaVersion: string;
         includes: {
             procedural: boolean;
             taxonomy: boolean;
             identityAnchors: boolean;
             peerProfiles: boolean;
         };
+        schemaVersion: string;
         id: string;
         description: string;
         version: string;
@@ -551,13 +551,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
     pluginVersion: string;
     includesTranscripts: boolean;
     capsule: {
-        schemaVersion: string;
         includes: {
             procedural: boolean;
             taxonomy: boolean;
             identityAnchors: boolean;
             peerProfiles: boolean;
         };
+        schemaVersion: string;
         id: string;
         description: string;
         version: string;
@@ -683,13 +683,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
                 peerProfiles: boolean;
             }>;
         }, "strip", z.ZodTypeAny, {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;
@@ -704,13 +704,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
                 directAnswerEnabled: boolean;
             };
         }, {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;
@@ -737,13 +737,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
         pluginVersion: string;
         includesTranscripts: boolean;
         capsule: {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;
@@ -770,13 +770,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
         pluginVersion: string;
         includesTranscripts: boolean;
         capsule: {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;
@@ -815,13 +815,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
         pluginVersion: string;
         includesTranscripts: boolean;
         capsule: {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;
@@ -854,13 +854,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
         pluginVersion: string;
         includesTranscripts: boolean;
         capsule: {
-            schemaVersion: string;
             includes: {
                 procedural: boolean;
                 taxonomy: boolean;
                 identityAnchors: boolean;
                 peerProfiles: boolean;
             };
+            schemaVersion: string;
             id: string;
             description: string;
             version: string;

package/dist/verified-recall.js

@@ -1,10 +1,10 @@
 import {
   searchVerifiedEpisodes
-} from "./chunk-CCNZM5UM.js";
+} from "./chunk-R3OQGYOU.js";
 import "./chunk-HQ6NIBL6.js";
-import "./chunk-DXBCNDVD.js";
+import "./chunk-PJGB7XRR.js";
 import "./chunk-5UZXUTVO.js";
-import "./chunk-4H5ZJHEN.js";
+import "./chunk-J6A3CX5N.js";
 import "./chunk-4R4KTDIE.js";
 import "./chunk-RULE4VG5.js";
 import "./chunk-SCU65EZI.js";
@@ -12,7 +12,7 @@ import "./chunk-MB5RSUW6.js";
 import "./chunk-6KYMPV2O.js";
 import "./chunk-CPPS65WS.js";
 import "./chunk-DM2T26WE.js";
-import "./chunk-QSVPYQPG.js";
+import "./chunk-LDXUBPMO.js";
 import "./chunk-FVQJYWH7.js";
 import "./chunk-G7D6GZ5J.js";
 import "./chunk-ALEPI75L.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@remnic/core",
-  "version": "9.3.622",
+  "version": "9.3.623",
   "description": "Framework-agnostic Remnic memory engine — orchestrator, storage, extraction, search, trust zones",
   "type": "module",
   "main": "dist/index.js",

package/src/chunking.ts

@@ -50,32 +50,47 @@ function estimateTokens(text: string): number {
  * Handles common abbreviations and edge cases.
  */
 function splitSentences(text: string): string[] {
-  // Split on sentence-ending punctuation followed by whitespace or end of string
-  // Preserve the punctuation with the sentence
+  // Split on sentence-ending punctuation (. ! ?) that is followed by whitespace
+  // or end of string; the punctuation stays with the sentence.
+  //
+  // Implemented as a single linear scan rather than a regex. Every regex form of
+  // this split is either polynomial (CodeQL js/polynomial-redos) or — once
+  // bounded/anchored to satisfy CodeQL — mishandles long runs or non-boundary
+  // punctuation (a global match silently drops a skipped prefix; a sticky match
+  // stops at the first interior `.` that is not a real boundary, e.g. "v1.2.3"
+  // or "example.com", emitting the whole document as one chunk). A character
+  // scan is O(n), allocation-free, drops nothing, and treats interior
+  // punctuation correctly. Normal prose splits identically to the previous
+  // /[^.!?]*[.!?]+(?:\s+|$)/g form.
   const sentences: string[] = [];
-
-  // Regex to match sentence boundaries
-  // Match: period/exclamation/question followed by space or end, but not abbreviations
-  const sentenceRegex = /[^.!?]*[.!?]+(?:\s+|$)/g;
-
-  let match: RegExpExecArray | null;
-  let lastIndex = 0;
-
-  while ((match = sentenceRegex.exec(text)) !== null) {
-    sentences.push(match[0].trim());
-    lastIndex = sentenceRegex.lastIndex;
-  }
-
-  // Handle remaining text without sentence-ending punctuation
-  if (lastIndex < text.length) {
-    const remaining = text.slice(lastIndex).trim();
-    if (remaining) {
-      sentences.push(remaining);
+  let start = 0;
+  for (let i = 0; i < text.length; i++) {
+    const ch = text[i];
+    if (ch !== "." && ch !== "!" && ch !== "?") continue;
+    // Consume a run of terminators (e.g. "?!", "...").
+    let end = i;
+    while (end + 1 < text.length) {
+      const n = text[end + 1];
+      if (n !== "." && n !== "!" && n !== "?") break;
+      end++;
+    }
+    const after = text[end + 1];
+    // A real boundary only if the terminator run ends the string or is followed
+    // by whitespace. Interior punctuation (no following whitespace) is left in
+    // place and the scan continues.
+    if (after === undefined || /\s/.test(after)) {
+      const sentence = text.slice(start, end + 1).trim();
+      if (sentence.length > 0) sentences.push(sentence);
+      start = end + 1;
     }
+    i = end;
   }
-
-  // Filter out empty sentences
-  return sentences.filter((s) => s.length > 0);
+  // Trailing text without a closing terminator.
+  if (start < text.length) {
+    const remaining = text.slice(start).trim();
+    if (remaining.length > 0) sentences.push(remaining);
+  }
+  return sentences;
 }
 
 /**

package/src/coding/review-context.ts

@@ -142,7 +142,13 @@ export function parseTouchedFiles(diff: string | null | undefined): string[] {
     // everything after the first whitespace in a quoted path.
     const headerPrefix = line.match(/^(?:---|\+\+\+)[ \t]+/);
     if (headerPrefix) {
-      const tail = line.slice(headerPrefix[0].length).replace(/[ \t]+$/, "");
+      // Linear trailing space/tab trim instead of /[ \t]+$/, whose anchored
+      // quantifier backtracks polynomially on a long diff line (CodeQL
+      // js/polynomial-redos).
+      const sliced = line.slice(headerPrefix[0].length);
+      let tailEnd = sliced.length;
+      while (tailEnd > 0 && (sliced[tailEnd - 1] === " " || sliced[tailEnd - 1] === "\t")) tailEnd--;
+      const tail = sliced.slice(0, tailEnd);
       const raw = extractSingleDiffPathToken(tail);
       if (raw) {
         const stripped = stripDiffPathPrefix(raw);

package/src/connectors/codex-materialize.ts

@@ -550,7 +550,12 @@ export function renderMemorySummary(ctx: SummaryRenderContext): string {
     lines.push("");
   }
 
-  const full = lines.join("\n").replace(/\n+$/u, "\n");
+  // Collapse trailing newlines to one without the anchored /\n+$/ quantifier,
+  // which backtracks polynomially (CodeQL js/polynomial-redos).
+  const joined = lines.join("\n");
+  let joinedEnd = joined.length;
+  while (joinedEnd > 0 && joined[joinedEnd - 1] === "\n") joinedEnd--;
+  const full = joinedEnd === joined.length ? joined : `${joined.slice(0, joinedEnd)}\n`;
   return truncateToTokenBudget(full, ctx.maxTokens);
 }
 

package/src/explicit-capture.ts

@@ -40,8 +40,13 @@ export type ValidExplicitCapture = {
 export type ExplicitCaptureSource = "memory_store" | "memory_capture" | "suggestion_submit" | "inline";
 type ExplicitCaptureValidationMode = "legacy_tool" | "strict_explicit";
 
-const INLINE_NOTE_RE = /<memory_note>\s*([\s\S]*?)\s*<\/memory_note>/gi;
-const INLINE_NOTE_MARKUP_RE = /<memory_note>\s*[\s\S]*?\s*<\/memory_note>/i;
+// Bounded body {0,100000} instead of an unbounded lazy *? so scanning for the
+// closing tag cannot backtrack polynomially on unterminated <memory_note>
+// markup in hostile turn text (CodeQL js/polynomial-redos). 100 000 chars far
+// exceeds any real inline note, so matching is behavior-preserving; the outer
+// \s* groups were also dropped (body absorbs whitespace; captures are trimmed).
+const INLINE_NOTE_RE = /<memory_note>([\s\S]{0,100000}?)<\/memory_note>/gi;
+const INLINE_NOTE_MARKUP_RE = /<memory_note>[\s\S]{0,100000}?<\/memory_note>/i;
 const INLINE_ALLOWED_CATEGORIES = new Set<MemoryCategory>([
   "fact",
   "preference",

package/src/identity-continuity.ts

@@ -200,7 +200,13 @@ function splitLoopMarkdown(raw: string | null): { header: string; sections: Mark
   let current: MarkdownSection | null = null;
 
   for (const line of lines) {
-    const sectionMatch = line.match(/^##\s+(.+?)\s*$/);
+    // /^##\s(.+)$/ + the trim below is exactly equivalent to the original
+    // /^##\s+(.+?)\s*$/ (same match/no-match and same trimmed title across all
+    // inputs, including "## " → no-match and "##  " → empty title) but has no
+    // adjacent overlapping quantifiers, so it cannot backtrack polynomially
+    // (CodeQL js/polynomial-redos). \s matches a single fixed-width char and
+    // .+ runs greedily to the line end — no \s+/.* overlap.
+    const sectionMatch = line.match(/^##\s(.+)$/);
     if (sectionMatch) {
       if (current) sections.push({ title: current.title, body: current.body.trimEnd() });
       current = { title: sectionMatch[1].trim(), body: "" };

package/src/json-extract.ts

@@ -10,7 +10,10 @@
  */
 
 export function stripCodeFences(text: string): string {
-  return text.replace(/```(?:json)?\s*([\s\S]*?)```/gi, (_m, inner) => String(inner).trim());
+  // Drop the leading \s* before the lazy body: it overlapped the body and caused
+  // polynomial backtracking on unterminated fences (CodeQL js/polynomial-redos).
+  // inner is trimmed, so captured content is identical.
+  return text.replace(/```(?:json)?([\s\S]*?)```/gi, (_m, inner) => String(inner).trim());
 }
 
 export function extractJsonCandidates(text: string): string[] {

package/src/orchestrator.ts

@@ -943,7 +943,11 @@ export function formatCompressionGuidelinesForRecall(
 ): string | null {
   if (typeof raw !== "string" || raw.trim().length === 0) return null;
   const sectionMatch = raw.match(
-    /## Suggested Guidelines\s*\n([\s\S]*?)(?:\n##\s+|\s*$)/i,
+    // End the section at `\n## ` or end-of-string. Plain $ (not \s*$): the
+    // \s* branch overlapped the lazy body and backtracked polynomially
+    // (CodeQL js/polynomial-redos). Captured lines are trimmed/filtered below,
+    // so trailing whitespace handling is unchanged.
+    /## Suggested Guidelines\s*\n([\s\S]*?)(?:\n##\s+|$)/i,
   );
   if (!sectionMatch) return null;
 

package/src/peers/profile-reasoner.ts

@@ -262,7 +262,10 @@ export function parsePeerProfileReasonerResponse(
 ): PeerProfileReasonerProposal[] {
   if (typeof raw !== "string" || raw.trim() === "") return [];
   const trimmed = raw.trim();
-  const fenced = /^```(?:json)?\s*([\s\S]*?)```\s*$/u.exec(trimmed);
+  // Dropped the \s* groups around the lazy body (they overlapped it and
+  // backtracked polynomially — CodeQL js/polynomial-redos). Input is already
+  // trimmed and fenced[1] is trimmed below, so matches are identical.
+  const fenced = /^```(?:json)?([\s\S]*?)```$/u.exec(trimmed);
   const payload = fenced ? fenced[1].trim() : trimmed;
   let parsed: unknown;
   try {

package/src/semantic-chunking.ts

@@ -185,25 +185,41 @@ export function findLocalMinima(
  * Preserves punctuation with the preceding sentence.
  */
 function splitSentences(text: string): string[] {
+  // Linear character scan instead of a regex. Every regex form of this split is
+  // either polynomial (CodeQL js/polynomial-redos) or — once bounded/anchored to
+  // satisfy CodeQL — mishandles long runs or interior punctuation (a global
+  // match drops a skipped prefix; a sticky match stops at the first non-boundary
+  // `.`, e.g. "v1.2.3" / "example.com", returning the whole document as one
+  // sentence and bypassing chunking). The scan is O(n), drops nothing, and
+  // handles interior punctuation correctly; normal prose splits identically to
+  // the previous /[^.!?]*[.!?]+(?:\s+|$)/g form.
   const sentences: string[] = [];
-  const sentenceRegex = /[^.!?]*[.!?]+(?:\s+|$)/g;
-
-  let match: RegExpExecArray | null;
-  let lastIndex = 0;
-
-  while ((match = sentenceRegex.exec(text)) !== null) {
-    sentences.push(match[0].trim());
-    lastIndex = sentenceRegex.lastIndex;
-  }
-
-  if (lastIndex < text.length) {
-    const remaining = text.slice(lastIndex).trim();
-    if (remaining) {
-      sentences.push(remaining);
+  let start = 0;
+  for (let i = 0; i < text.length; i++) {
+    const ch = text[i];
+    if (ch !== "." && ch !== "!" && ch !== "?") continue;
+    let end = i;
+    while (end + 1 < text.length) {
+      const n = text[end + 1];
+      if (n !== "." && n !== "!" && n !== "?") break;
+      end++;
+    }
+    const after = text[end + 1];
+    // A real boundary only if the terminator run ends the string or is followed
+    // by whitespace. Interior punctuation (no following whitespace) is left in
+    // place and the scan continues.
+    if (after === undefined || /\s/.test(after)) {
+      const sentence = text.slice(start, end + 1).trim();
+      if (sentence.length > 0) sentences.push(sentence);
+      start = end + 1;
     }
+    i = end;
   }
-
-  return sentences.filter((s) => s.length > 0);
+  if (start < text.length) {
+    const remaining = text.slice(start).trim();
+    if (remaining.length > 0) sentences.push(remaining);
+  }
+  return sentences;
 }
 
 // ---------------------------------------------------------------------------

package/src/semantic-consolidation.ts

@@ -289,7 +289,10 @@ export function parseOperatorAwareConsolidationResponse(
   if (trimmed.length === 0) return fallback;
 
   // Strip a fenced code block if present.
-  const fenced = /^```(?:json)?\s*([\s\S]*?)```\s*$/u.exec(trimmed);
+  // Dropped the \s* groups around the lazy body (they overlapped it and
+  // backtracked polynomially — CodeQL js/polynomial-redos). Input is already
+  // trimmed and fenced[1] is trimmed below, so matches are identical.
+  const fenced = /^```(?:json)?([\s\S]*?)```$/u.exec(trimmed);
   const payload = fenced ? fenced[1].trim() : trimmed;
 
   // Find a balanced brace-delimited JSON object that has an `operator`

package/src/source-attribution.test.ts

@@ -1431,3 +1431,24 @@ test("hasCitationForTemplate: multi-separator template detects citation when int
     "multi-colon citation where intermediate value contains the separator should be detected",
   );
 });
+
+test("citation matcher resists polynomial ReDoS on hostile unterminated input (CodeQL js/polynomial-redos)", () => {
+  // A "[Source:" with a long run of whitespace and no closing "]" is the
+  // backtracking trigger for the old /\[Source:\s*([^\]\n]+?)\]/ pattern.
+  const hostile = `prefix [Source:${" ".repeat(100000)}no closing bracket`;
+  const start = process.hrtime.bigint();
+  const detected = hasCitation(hostile);
+  const parsed = parseAllCitations(hostile);
+  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
+
+  // No complete citation token (no closing "]"), so nothing should be detected.
+  assert.equal(detected, false);
+  assert.deepEqual(parsed, []);
+  // Linear scan: completes near-instantly. Generous bound guards against the
+  // quadratic blowup the old regex exhibited (seconds-to-minutes on this input).
+  assert.ok(elapsedMs < 1000, `citation scan took ${elapsedMs.toFixed(1)}ms (expected < 1000ms)`);
+
+  // A well-formed citation with surrounding whitespace is still parsed correctly.
+  const valid = parseAllCitations("body [Source:  doc-1 , 2026-06-08 ]");
+  assert.equal(valid.length, 1);
+});

package/src/source-attribution.ts

@@ -71,7 +71,22 @@ export interface ParsedCitation {
  * the text. Kept as a getter factory so callers do not share regex state.
  */
 function defaultCitationMatcher(): RegExp {
-  return /\[Source:\s*([^\]\n]+?)\]/gi;
+  // Bounded repetition {1,1024} instead of + so the match cannot backtrack
+  // polynomially over hostile memory text (CodeQL js/polynomial-redos). A real
+  // citation is far shorter than 1024 chars, so this is behavior-preserving for
+  // any genuine [Source: …] block; only pathological/oversized input is excluded.
+  return /\[Source:([^\]\n]{1,1024})\]/gi;
+}
+
+// Linear trailing-whitespace trim. Replaces text.replace(/\s+$/u, ""), whose
+// anchored quantifier backtracks polynomially on long inputs (CodeQL
+// js/polynomial-redos). Matches the exact \s (with u flag) semantics one char
+// at a time, so the trailing-content preservation logic in attachCitation is
+// unaffected.
+function trimTrailingWhitespace(text: string): string {
+  let end = text.length;
+  while (end > 0 && /\s/u.test(text[end - 1]!)) end--;
+  return text.slice(0, end);
 }
 
 /**
@@ -444,7 +459,7 @@ export function attachCitation(
 ): string {
   if (typeof text !== "string") return text as unknown as string;
   if (hasCitationForTemplate(text, template)) return text;
-  const trimmedEnd = text.replace(/\s+$/u, "");
+  const trimmedEnd = trimTrailingWhitespace(text);
   if (trimmedEnd.length === 0) return text;
   const citation = formatCitation(ctx, template);
   // Preserve any trailing newline that callers rely on for markdown rendering.

package/src/storage.ts

@@ -1905,7 +1905,12 @@ export function parseEntityFile(
         break;
       case "connected to": {
         // Format: [[target-entity]] — relationship label
-        const relMatch = bullet.match(/^\[\[([^\]]+)\]\]\s*[—–-]\s*(.+)$/);
+        // Drop the \s* after the dash and let (.+) capture the rest (trimmed
+        // below). This removes the \s*/(.+) overlap that backtracks polynomially
+        // (CodeQL js/polynomial-redos) while staying exactly equivalent to the
+        // original /…\s*[—–-]\s*(.+)$/ — including whitespace-only labels, which
+        // still match and trim to "" (unlike a \S-anchored capture).
+        const relMatch = bullet.match(/^\[\[([^\]]+)\]\]\s*[—–-](.+)$/);
         if (relMatch) {
           relationships.push({ target: relMatch[1].trim(), label: relMatch[2].trim() });
         }
@@ -1913,7 +1918,11 @@ export function parseEntityFile(
       }
       case "activity": {
         // Format: YYYY-MM-DD: note
-        const actMatch = bullet.match(/^(\d{4}-\d{2}-\d{2}):\s*(.+)$/);
+        // Drop the \s* after the colon and let (.+) capture the rest (trimmed
+        // below): removes the \s*/(.+) overlap (CodeQL js/polynomial-redos) and
+        // stays exactly equivalent to the original, including whitespace-only
+        // notes which still match and trim to "".
+        const actMatch = bullet.match(/^(\d{4}-\d{2}-\d{2}):(.+)$/);
         if (actMatch) {
           activity.push({ date: actMatch[1], note: actMatch[2].trim() });
         }

package/src/temporal-supersession.ts

@@ -37,7 +37,10 @@ export function normalizeSupersessionKey(raw: string): string {
     .trim()
     .toLowerCase()
     .replace(/[\s\-]+/g, "-")
-    .replace(/^-+|-+$/g, "");
+    // The previous line already collapsed runs to single hyphens, so ^-|-$ is
+    // equivalent to ^-+|-+$ here and drops the anchored quantifier flagged by
+    // CodeQL js/polynomial-redos.
+    .replace(/^-|-$/g, "");
 }
 
 /**