awesome-slash 4.2.0 → 4.2.2

package/plugins/audit-project/lib/enhance/security-patterns.js

@@ -27,7 +27,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];
@@ -60,8 +60,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for shell commands with interpolation
-        if (/(?:exec|spawn|system|shell|`|Bash)\s*[(`].*\$\{/.test(line)) {
+        // Look for shell commands with interpolation (string checks avoid ReDoS)
+        if (/\b(?:exec|spawn|system|shell)\b|`|Bash/i.test(line) && /[(`]/.test(line) && line.includes('${')) {
           issues.push({
             issue: 'Command injection risk via string interpolation',
             fix: 'Validate and escape user input before shell execution',
@@ -91,8 +91,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for user-controlled paths with ../
-        if (/(?:path|file|dir).*\$.*\.\.\/|\.\.\/.*\$/.test(line)) {
+        // Look for user-controlled paths with ../ (string checks avoid ReDoS)
+        if (/\b(?:path|file|dir)\b/i.test(line) && line.includes('$') && line.includes('../')) {
           issues.push({
             issue: 'Path traversal risk - user input may contain ../',
             fix: 'Validate paths and use path.resolve() with base directory check',
@@ -181,7 +181,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];

package/plugins/audit-project/lib/patterns/slop-analyzers.js

@@ -1803,7 +1803,7 @@ function analyzeDeadCode(content, options = {}) {
     // Skip if termination is part of a one-line conditional (e.g., "if (x) return;")
     // These don't make subsequent code unreachable
     if (/^\s*(if|elif|else\s+if)\s*\(/.test(trimmed) ||
-        /^\s*if\s+.*:/.test(trimmed)) {
+        /^[ \t]*if\s[^:\n]*:/.test(trimmed)) {
       continue;
     }
 

package/plugins/consult/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "consult",
-  "version": "4.2.0",
+  "version": "4.2.2",
   "description": "Cross-tool AI consultation: get second opinions from Gemini, Codex, Claude, OpenCode, or Copilot CLI",
   "author": {
     "name": "Avi Fenesh",

package/plugins/consult/skills/consult/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: consult
 description: "Cross-tool AI consultation. Use when user asks to 'consult gemini', 'ask codex', 'get second opinion', 'cross-check with claude', 'consult another AI', 'ask opencode', 'copilot opinion', or wants a second opinion from a different AI tool."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[question] [--tool] [--effort] [--model] [--context] [--continue]"
 ---
 

package/plugins/deslop/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "deslop",
-  "version": "4.2.0",
+  "version": "4.2.2",
   "description": "AI slop cleanup with minimal diffs and behavior preservation",
   "author": {
     "name": "Avi Fenesh",

package/plugins/deslop/lib/enhance/docs-patterns.js

@@ -418,7 +418,7 @@ const docsPatterns = {
       }
 
       // Check for very long lists that could be tables
-      const longLists = content.match(/(?:^[-*]\s+.+\n){10,}/gm);
+      const longLists = content.match(/(?:^[-*][ \t]+\S[^\n]*\n){10,}/gm);
       if (longLists) {
         suggestions.push('Long lists (10+ items) might be more efficient as tables');
       }

package/plugins/deslop/lib/enhance/fixer.js

@@ -179,7 +179,7 @@ function applyAtPath(obj, pathStr, fixFn) {
     const part = parts[i];
     if (part.includes('[')) {
       // Array access
-      const match = part.match(/(\w+)\[(\d+)\]/);
+      const match = part.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
       if (match) {
         current = current[match[1]][parseInt(match[2], 10)];
       }
@@ -190,7 +190,7 @@ function applyAtPath(obj, pathStr, fixFn) {
 
   const lastPart = parts[parts.length - 1];
   if (lastPart.includes('[')) {
-    const match = lastPart.match(/(\w+)\[(\d+)\]/);
+    const match = lastPart.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
     if (match) {
       current[match[1]][parseInt(match[2], 10)] = fixFn(current[match[1]][parseInt(match[2], 10)]);
     }
@@ -403,7 +403,7 @@ function fixInconsistentHeadings(content) {
 
     if (inCodeBlock) continue;
 
-    const headingMatch = line.match(/^(#{1,6})\s+(.+)$/);
+    const headingMatch = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
     if (headingMatch) {
       const currentLevel = headingMatch[1].length;
       const headingText = headingMatch[2];
@@ -535,6 +535,37 @@ Why bad: [explanation]
   return content.trim() + exampleSection;
 }
 
+/**
+ * Wrap a markdown section (heading to next heading/separator) in XML tags.
+ * Uses line-by-line scanning to avoid ReDoS from [\s\S]*? with lookaheads.
+ */
+function wrapSection(text, headingPattern, tagName) {
+  const lines = text.split('\n');
+  let sectionStart = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (sectionStart === -1) {
+      if (headingPattern.test(lines[i])) {
+        sectionStart = i;
+      }
+    } else {
+      // End section at next heading or horizontal rule
+      if (/^#{1,6}\s/.test(lines[i]) || /^---/.test(lines[i])) {
+        const before = lines.slice(0, sectionStart);
+        const section = lines.slice(sectionStart, i);
+        const after = lines.slice(i);
+        return [...before, `<${tagName}>`, ...section, `</${tagName}>`, ...after].join('\n');
+      }
+    }
+  }
+  // Section runs to end of content
+  if (sectionStart !== -1) {
+    const before = lines.slice(0, sectionStart);
+    const section = lines.slice(sectionStart);
+    return [...before, `<${tagName}>`, ...section, `</${tagName}>`].join('\n');
+  }
+  return text;
+}
+
 /**
  * Add XML structure tags to complex prompt
  * @param {string} content - Prompt content
@@ -551,17 +582,11 @@ function fixMissingXmlStructure(content) {
   // Wrap role section if exists
   let result = content;
 
-  // Find and wrap role section
-  result = result.replace(
-    /^(##\s*(?:your\s+)?role\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<role>\n$1$2</role>\n'
-  );
+  // Find and wrap role section (use non-regex approach to avoid ReDoS)
+  result = wrapSection(result, /^##[ \t]*(?:your[ \t]+)?role[ \t]*$/im, 'role');
 
   // Find and wrap constraints section
-  result = result.replace(
-    /^(##\s*(?:constraints?|rules?)\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<constraints>\n$1$2</constraints>\n'
-  );
+  result = wrapSection(result, /^##[ \t]*(?:constraints?|rules?)[ \t]*$/im, 'constraints');
 
   return result;
 }
@@ -622,7 +647,7 @@ function fixMissingTriggerPhrase(content) {
     // Check if already has trigger phrase
     if (!/use when user asks/i.test(descLine)) {
       // Extract current description
-      const match = descLine.match(/^description:\s*(.+)$/);
+      const match = descLine.match(/^description:[ \t]*(\S.*)$/);
       if (match) {
         const currentDesc = match[1].trim();
         // Add trigger phrase

package/plugins/deslop/lib/enhance/projectmemory-analyzer.js

@@ -43,17 +43,25 @@ function extractFileReferences(content) {
 
   const references = [];
 
-  // Match markdown links: [text](path)
-  const linkMatches = content.match(/\[([^\]]+)\]\(([^)]+)\)/g) || [];
-  for (const match of linkMatches) {
-    const pathMatch = match.match(/\]\(([^)]+)\)/);
-    if (pathMatch && pathMatch[1]) {
-      const href = pathMatch[1];
-      // Skip URLs and anchors
-      if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
-        references.push(href.split('#')[0]); // Remove anchor
+  // Extract markdown links [text](path) using indexOf scanning (ReDoS-safe)
+  let pos = 0;
+  while (pos < content.length) {
+    const openBracket = content.indexOf('[', pos);
+    if (openBracket === -1) break;
+    const closeBracket = content.indexOf(']', openBracket + 1);
+    if (closeBracket === -1) break;
+    if (content[closeBracket + 1] === '(') {
+      const closeParen = content.indexOf(')', closeBracket + 2);
+      if (closeParen !== -1 && closeParen - closeBracket - 2 <= 500) {
+        const href = content.substring(closeBracket + 2, closeParen);
+        if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
+          references.push(href.split('#')[0]); // Remove anchor
+        }
+        pos = closeParen + 1;
+        continue;
       }
     }
+    pos = openBracket + 1;
   }
 
   // Match backtick paths: `path/to/file.ext` or `file.ext` (root files)

package/plugins/deslop/lib/enhance/projectmemory-patterns.js

@@ -57,7 +57,7 @@ const projectMemoryPatterns = {
       const hasArchitecture = /##\s+architecture/i.test(content);
       const hasStructure = /##\s+(?:project\s+)?structure/i.test(content);
       const hasOverview = /##\s+overview/i.test(content);
-      const hasDirectoryTree = /```[\s\S]*?(?:├──|└──|lib\/|src\/)[\s\S]*?```/.test(content);
+      const hasDirectoryTree = content.includes('```') && /├──|└──|lib\/|src\//.test(content);
 
       if (!hasArchitecture && !hasStructure && !hasOverview && !hasDirectoryTree) {
         return {
@@ -85,7 +85,7 @@ const projectMemoryPatterns = {
       const hasCommands = /##\s+(?:key\s+)?commands/i.test(content);
       const hasScripts = /##\s+scripts/i.test(content);
       const hasUsage = /##\s+usage/i.test(content);
-      const hasCodeBlocks = /```(?:bash|sh|shell)[\s\S]*?(?:npm|yarn|pnpm|git|make)/i.test(content);
+      const hasCodeBlocks = /```(?:bash|sh|shell)/i.test(content) && /\b(?:npm|yarn|pnpm|git|make)\b/i.test(content);
 
       if (!hasCommands && !hasScripts && !hasUsage && !hasCodeBlocks) {
         return {

package/plugins/deslop/lib/enhance/prompt-patterns.js

@@ -29,7 +29,7 @@ const LOOKS_LIKE_JSON_CONTENT = /[:,]/;
 const NOT_JSON_KEYWORDS = /(function|const|let|var|if|for|while|class)\b/;
 // JS patterns require syntax context (not just keywords that might appear in JSON strings)
 const LOOKS_LIKE_JS = /\b(function\s*\(|const\s+\w+\s*=|let\s+\w+\s*=|var\s+\w+\s*=|=>\s*[{(]|async\s+function|await\s+\w|class\s+\w+\s*{|import\s+\{|export\s+(const|function|class|default)|require\s*\()/;
-const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s+.*:|\s{4}|print\()\b/;
+const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s[^:\n]*:|\s{4}|print\()\b/;
 
 // Memoization caches for performance (keyed by content hash)
 let _lastContent = null;
@@ -220,7 +220,7 @@ const promptPatterns = {
         // Skip lines listing vague terms as documentation
         if (/vague\s*(instructions?|terms?|language|patterns?)\s*[:"]/.test(trimmed)) return false;
         // Skip lines with quoted lists of vague words
-        if (/["']usually["'].*["']sometimes["']/.test(trimmed)) return false;
+        if (trimmed.includes('usually') && trimmed.includes('sometimes') && /["']/.test(trimmed)) return false;
         return true;
       });
       const filteredContent = lines.join('\n');
@@ -331,7 +331,11 @@ const promptPatterns = {
       if (!content || typeof content !== 'string') return null;
 
       // Skip workflow orchestrators that spawn agents/skills rather than produce output directly
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type|await Task\(|invoke.*skill|Skill\s*tool/i.test(content);
+      const lc = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc.includes('spawn') && lc.includes('agent')) || content.includes('subagent_type') ||
+        content.includes('await Task(') || (lc.includes('invoke') && lc.includes('skill')) ||
+        (/\bSkill\b/.test(content) && lc.includes('tool'));
       if (isOrchestrator) return null;
 
       // Skip reference docs and hooks (not prompts that produce conversational output)
@@ -590,7 +594,9 @@ const promptPatterns = {
       if (isNonPrompt) return null;
 
       // Skip workflow orchestrators and command files
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type/i.test(content);
+      const lc2 = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc2.includes('spawn') && lc2.includes('agent')) || content.includes('subagent_type');
       if (isOrchestrator) return null;
 
       // Check for example indicators
@@ -793,12 +799,12 @@ const promptPatterns = {
         /\b(?:highest|lowest)\s+priority\b/i,
         /\b(?:first|second|third)\s+priority\b/i,
         // Numbered rules section (implicit priority order)
-        /##\s*(?:critical|important)\s*rules?\s*\n+\s*1\.\s/i,
+        /##[ \t]*(?:critical|important)[ \t]*rules?[ \t]*\n[ \t]*1\.\s/i,
         // Precedence language
         /\btakes?\s+precedence\b/i,
         /\boverride[sd]?\b/i,
         // Ordered constraint list
-        /##\s*constraints?\s*\n+\s*1\.\s/i
+        /##[ \t]*constraints?[ \t]*\n[ \t]*1\.\s/i
       ];
 
       for (const pattern of priorityIndicators) {
@@ -846,7 +852,8 @@ const promptPatterns = {
 
       // Skip if this is documentation ABOUT CoT (describes the anti-pattern)
       // These files explain why step-by-step is redundant, not actually use it
-      if (/step[- ]by[- ]step.*(?:is\s+)?redundant|redundant.*step[- ]by[- ]step/i.test(content)) {
+      const lcContent = content.toLowerCase();
+      if (/step[- ]by[- ]step/i.test(content) && lcContent.includes('redundant')) {
         return null;
       }
 
@@ -961,7 +968,7 @@ const promptPatterns = {
       // Check if requests JSON (exclude CLI flags and function descriptions)
       // Exclude: "--output json", "analyzer returns JSON", "function returns JSON"
       const requestsJson = (
-        (/\b(?:respond|output|return)\s+(?:with|in|as)?\s*JSON\b/i.test(content) &&
+        (/\b(?:respond|output|return)[ \t]+(?:(?:with|in|as)[ \t]+)?JSON\b/i.test(content) &&
          !/--output\s+json/i.test(content) &&
          !/(?:analyzer|function|method)\s+returns?\s+JSON/i.test(content))
       ) ||
@@ -971,18 +978,18 @@ const promptPatterns = {
 
       // Check if provides schema or example
       const hasSchema = /\bproperties\b.{1,200}\btype\b/is.test(content) ||
-                       /```json\s*\n\s*\{/i.test(content) ||
+                       (content.includes('```json') && content.includes('{')) ||
                        /<json[_-]?schema>/i.test(content) ||
                        // JSON in JavaScript/TypeScript code blocks (quoted keys)
-                       /```(?:javascript|js|typescript|ts)\s*\n[\s\S]*?\{\s*\n?\s*"[a-zA-Z]+"/i.test(content) ||
+                       (/```(?:javascript|js|typescript|ts)\b/.test(content) && /\{\s*"[a-zA-Z]+"/i.test(content)) ||
                        // JavaScript object literal assignment (const x = { prop: ... })
-                       /(?:const|let|var)\s+\w+\s*=\s*\{\s*\n\s*[a-zA-Z_]+\s*:/i.test(content) ||
+                       (/\b(?:const|let|var)\b/.test(content) && /=\s*\{/.test(content)) ||
                        // JSON example with quoted property names in prose
-                       /\{\s*\n?\s*"[a-zA-Z_]+"\s*:\s*["\[\{]/i.test(content) ||
+                       /\{"[a-zA-Z_]+"[ \t]*:/i.test(content) || /\{\n[ \t]*"[a-zA-Z_]+"[ \t]*:/i.test(content) ||
                        // Inline schema description: { prop, prop, prop } or { prop: type, ... }
-                       /\{\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+/i.test(content) ||
+                       /\{[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+/i.test(content) ||
                        // Interface-style: { prop: value } patterns with multiple lines
-                       /\{\s*\n\s+[a-zA-Z_]+\s*:\s*[\[\{"']/i.test(content);
+                       /\{\n[ \t]+[a-zA-Z_]+[ \t]*:[ \t]*[\[\{"']/i.test(content);
 
       if (!hasSchema) {
         return {
@@ -1133,19 +1140,15 @@ const promptPatterns = {
       if (!creationTasks.test(content)) return null;
 
       // Check for pattern reference indicators
-      const patternRefs = [
-        /\blike\s+\S+\b/i,
-        /\bsimilar\s+to\b/i,
-        /\bfollow(?:ing)?\s+(?:the\s+)?(?:same\s+)?pattern\b/i,
-        /\bsee\s+\S+\s+(?:for|as)\s+(?:an?\s+)?example\b/i,
-        /\blook\s+at\s+(?:how|the)\b/i,
-        /\S+\.(?:js|ts|py)\s+(?:is|as)\s+(?:a\s+)?(?:good\s+)?example/i
-      ];
-
-      for (const pattern of patternRefs) {
-        if (pattern.test(content)) {
-          return null;
-        }
+      // Use string-based checks to avoid ReDoS from overlapping optional groups
+      const lcRef = content.toLowerCase();
+      if (/\blike\s+\S+\b/i.test(content) ||
+          lcRef.includes('similar to') ||
+          (lcRef.includes('follow') && lcRef.includes('pattern')) ||
+          (lcRef.includes('see ') && lcRef.includes('example')) ||
+          (lcRef.includes('look at')) ||
+          (/\.(?:js|ts|py)\b/.test(content) && lcRef.includes('example'))) {
+        return null;
       }
 
       return {
@@ -1386,7 +1389,7 @@ const promptPatterns = {
         if (codeBlockLines.has(lineNum)) continue;
 
         const line = lines[i];
-        const match = line.match(/^(#{1,6})\s+(.+)$/);
+        const match = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
         if (match) {
           headings.push({
             level: match[1].length,

package/plugins/deslop/lib/enhance/security-patterns.js

@@ -27,7 +27,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];
@@ -60,8 +60,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for shell commands with interpolation
-        if (/(?:exec|spawn|system|shell|`|Bash)\s*[(`].*\$\{/.test(line)) {
+        // Look for shell commands with interpolation (string checks avoid ReDoS)
+        if (/\b(?:exec|spawn|system|shell)\b|`|Bash/i.test(line) && /[(`]/.test(line) && line.includes('${')) {
           issues.push({
             issue: 'Command injection risk via string interpolation',
             fix: 'Validate and escape user input before shell execution',
@@ -91,8 +91,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for user-controlled paths with ../
-        if (/(?:path|file|dir).*\$.*\.\.\/|\.\.\/.*\$/.test(line)) {
+        // Look for user-controlled paths with ../ (string checks avoid ReDoS)
+        if (/\b(?:path|file|dir)\b/i.test(line) && line.includes('$') && line.includes('../')) {
           issues.push({
             issue: 'Path traversal risk - user input may contain ../',
             fix: 'Validate paths and use path.resolve() with base directory check',
@@ -181,7 +181,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];

package/plugins/deslop/lib/patterns/slop-analyzers.js

@@ -1803,7 +1803,7 @@ function analyzeDeadCode(content, options = {}) {
     // Skip if termination is part of a one-line conditional (e.g., "if (x) return;")
     // These don't make subsequent code unreachable
     if (/^\s*(if|elif|else\s+if)\s*\(/.test(trimmed) ||
-        /^\s*if\s+.*:/.test(trimmed)) {
+        /^[ \t]*if\s[^:\n]*:/.test(trimmed)) {
       continue;
     }
 

package/plugins/deslop/skills/deslop/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: deslop
 description: "Use when user wants to clean AI slop from code. Use for cleanup, remove debug statements, find ghost code, repo hygiene."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[report|apply] [--scope=all|diff|path] [--thoroughness=quick|normal|deep]"
 ---
 

package/plugins/drift-detect/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "drift-detect",
-  "version": "4.2.0",
+  "version": "4.2.2",
   "description": "Deep repository analysis to realign project plans with actual code reality - discovers drift, gaps, and produces prioritized reconstruction plans",
   "author": {
     "name": "Avi Fenesh",

package/plugins/drift-detect/lib/enhance/docs-patterns.js

@@ -418,7 +418,7 @@ const docsPatterns = {
       }
 
       // Check for very long lists that could be tables
-      const longLists = content.match(/(?:^[-*]\s+.+\n){10,}/gm);
+      const longLists = content.match(/(?:^[-*][ \t]+\S[^\n]*\n){10,}/gm);
       if (longLists) {
         suggestions.push('Long lists (10+ items) might be more efficient as tables');
       }

package/plugins/drift-detect/lib/enhance/fixer.js

@@ -179,7 +179,7 @@ function applyAtPath(obj, pathStr, fixFn) {
     const part = parts[i];
     if (part.includes('[')) {
       // Array access
-      const match = part.match(/(\w+)\[(\d+)\]/);
+      const match = part.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
       if (match) {
         current = current[match[1]][parseInt(match[2], 10)];
       }
@@ -190,7 +190,7 @@ function applyAtPath(obj, pathStr, fixFn) {
 
   const lastPart = parts[parts.length - 1];
   if (lastPart.includes('[')) {
-    const match = lastPart.match(/(\w+)\[(\d+)\]/);
+    const match = lastPart.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
     if (match) {
       current[match[1]][parseInt(match[2], 10)] = fixFn(current[match[1]][parseInt(match[2], 10)]);
     }
@@ -403,7 +403,7 @@ function fixInconsistentHeadings(content) {
 
     if (inCodeBlock) continue;
 
-    const headingMatch = line.match(/^(#{1,6})\s+(.+)$/);
+    const headingMatch = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
     if (headingMatch) {
       const currentLevel = headingMatch[1].length;
       const headingText = headingMatch[2];
@@ -535,6 +535,37 @@ Why bad: [explanation]
   return content.trim() + exampleSection;
 }
 
+/**
+ * Wrap a markdown section (heading to next heading/separator) in XML tags.
+ * Uses line-by-line scanning to avoid ReDoS from [\s\S]*? with lookaheads.
+ */
+function wrapSection(text, headingPattern, tagName) {
+  const lines = text.split('\n');
+  let sectionStart = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (sectionStart === -1) {
+      if (headingPattern.test(lines[i])) {
+        sectionStart = i;
+      }
+    } else {
+      // End section at next heading or horizontal rule
+      if (/^#{1,6}\s/.test(lines[i]) || /^---/.test(lines[i])) {
+        const before = lines.slice(0, sectionStart);
+        const section = lines.slice(sectionStart, i);
+        const after = lines.slice(i);
+        return [...before, `<${tagName}>`, ...section, `</${tagName}>`, ...after].join('\n');
+      }
+    }
+  }
+  // Section runs to end of content
+  if (sectionStart !== -1) {
+    const before = lines.slice(0, sectionStart);
+    const section = lines.slice(sectionStart);
+    return [...before, `<${tagName}>`, ...section, `</${tagName}>`].join('\n');
+  }
+  return text;
+}
+
 /**
  * Add XML structure tags to complex prompt
  * @param {string} content - Prompt content
@@ -551,17 +582,11 @@ function fixMissingXmlStructure(content) {
   // Wrap role section if exists
   let result = content;
 
-  // Find and wrap role section
-  result = result.replace(
-    /^(##\s*(?:your\s+)?role\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<role>\n$1$2</role>\n'
-  );
+  // Find and wrap role section (use non-regex approach to avoid ReDoS)
+  result = wrapSection(result, /^##[ \t]*(?:your[ \t]+)?role[ \t]*$/im, 'role');
 
   // Find and wrap constraints section
-  result = result.replace(
-    /^(##\s*(?:constraints?|rules?)\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<constraints>\n$1$2</constraints>\n'
-  );
+  result = wrapSection(result, /^##[ \t]*(?:constraints?|rules?)[ \t]*$/im, 'constraints');
 
   return result;
 }
@@ -622,7 +647,7 @@ function fixMissingTriggerPhrase(content) {
     // Check if already has trigger phrase
     if (!/use when user asks/i.test(descLine)) {
       // Extract current description
-      const match = descLine.match(/^description:\s*(.+)$/);
+      const match = descLine.match(/^description:[ \t]*(\S.*)$/);
       if (match) {
         const currentDesc = match[1].trim();
         // Add trigger phrase

package/plugins/drift-detect/lib/enhance/projectmemory-analyzer.js

@@ -43,17 +43,25 @@ function extractFileReferences(content) {
 
   const references = [];
 
-  // Match markdown links: [text](path)
-  const linkMatches = content.match(/\[([^\]]+)\]\(([^)]+)\)/g) || [];
-  for (const match of linkMatches) {
-    const pathMatch = match.match(/\]\(([^)]+)\)/);
-    if (pathMatch && pathMatch[1]) {
-      const href = pathMatch[1];
-      // Skip URLs and anchors
-      if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
-        references.push(href.split('#')[0]); // Remove anchor
+  // Extract markdown links [text](path) using indexOf scanning (ReDoS-safe)
+  let pos = 0;
+  while (pos < content.length) {
+    const openBracket = content.indexOf('[', pos);
+    if (openBracket === -1) break;
+    const closeBracket = content.indexOf(']', openBracket + 1);
+    if (closeBracket === -1) break;
+    if (content[closeBracket + 1] === '(') {
+      const closeParen = content.indexOf(')', closeBracket + 2);
+      if (closeParen !== -1 && closeParen - closeBracket - 2 <= 500) {
+        const href = content.substring(closeBracket + 2, closeParen);
+        if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
+          references.push(href.split('#')[0]); // Remove anchor
+        }
+        pos = closeParen + 1;
+        continue;
       }
     }
+    pos = openBracket + 1;
   }
 
   // Match backtick paths: `path/to/file.ext` or `file.ext` (root files)

package/plugins/drift-detect/lib/enhance/projectmemory-patterns.js

@@ -57,7 +57,7 @@ const projectMemoryPatterns = {
       const hasArchitecture = /##\s+architecture/i.test(content);
       const hasStructure = /##\s+(?:project\s+)?structure/i.test(content);
       const hasOverview = /##\s+overview/i.test(content);
-      const hasDirectoryTree = /```[\s\S]*?(?:├──|└──|lib\/|src\/)[\s\S]*?```/.test(content);
+      const hasDirectoryTree = content.includes('```') && /├──|└──|lib\/|src\//.test(content);
 
       if (!hasArchitecture && !hasStructure && !hasOverview && !hasDirectoryTree) {
         return {
@@ -85,7 +85,7 @@ const projectMemoryPatterns = {
       const hasCommands = /##\s+(?:key\s+)?commands/i.test(content);
       const hasScripts = /##\s+scripts/i.test(content);
       const hasUsage = /##\s+usage/i.test(content);
-      const hasCodeBlocks = /```(?:bash|sh|shell)[\s\S]*?(?:npm|yarn|pnpm|git|make)/i.test(content);
+      const hasCodeBlocks = /```(?:bash|sh|shell)/i.test(content) && /\b(?:npm|yarn|pnpm|git|make)\b/i.test(content);
 
       if (!hasCommands && !hasScripts && !hasUsage && !hasCodeBlocks) {
         return {