awesome-slash 4.2.0 → 4.2.2

package/plugins/drift-detect/lib/enhance/prompt-patterns.js

@@ -29,7 +29,7 @@ const LOOKS_LIKE_JSON_CONTENT = /[:,]/;
 const NOT_JSON_KEYWORDS = /(function|const|let|var|if|for|while|class)\b/;
 // JS patterns require syntax context (not just keywords that might appear in JSON strings)
 const LOOKS_LIKE_JS = /\b(function\s*\(|const\s+\w+\s*=|let\s+\w+\s*=|var\s+\w+\s*=|=>\s*[{(]|async\s+function|await\s+\w|class\s+\w+\s*{|import\s+\{|export\s+(const|function|class|default)|require\s*\()/;
-const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s+.*:|\s{4}|print\()\b/;
+const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s[^:\n]*:|\s{4}|print\()\b/;
 
 // Memoization caches for performance (keyed by content hash)
 let _lastContent = null;
@@ -220,7 +220,7 @@ const promptPatterns = {
         // Skip lines listing vague terms as documentation
         if (/vague\s*(instructions?|terms?|language|patterns?)\s*[:"]/.test(trimmed)) return false;
         // Skip lines with quoted lists of vague words
-        if (/["']usually["'].*["']sometimes["']/.test(trimmed)) return false;
+        if (trimmed.includes('usually') && trimmed.includes('sometimes') && /["']/.test(trimmed)) return false;
         return true;
       });
       const filteredContent = lines.join('\n');
@@ -331,7 +331,11 @@ const promptPatterns = {
       if (!content || typeof content !== 'string') return null;
 
       // Skip workflow orchestrators that spawn agents/skills rather than produce output directly
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type|await Task\(|invoke.*skill|Skill\s*tool/i.test(content);
+      const lc = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc.includes('spawn') && lc.includes('agent')) || content.includes('subagent_type') ||
+        content.includes('await Task(') || (lc.includes('invoke') && lc.includes('skill')) ||
+        (/\bSkill\b/.test(content) && lc.includes('tool'));
       if (isOrchestrator) return null;
 
       // Skip reference docs and hooks (not prompts that produce conversational output)
@@ -590,7 +594,9 @@ const promptPatterns = {
       if (isNonPrompt) return null;
 
       // Skip workflow orchestrators and command files
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type/i.test(content);
+      const lc2 = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc2.includes('spawn') && lc2.includes('agent')) || content.includes('subagent_type');
       if (isOrchestrator) return null;
 
       // Check for example indicators
@@ -793,12 +799,12 @@ const promptPatterns = {
         /\b(?:highest|lowest)\s+priority\b/i,
         /\b(?:first|second|third)\s+priority\b/i,
         // Numbered rules section (implicit priority order)
-        /##\s*(?:critical|important)\s*rules?\s*\n+\s*1\.\s/i,
+        /##[ \t]*(?:critical|important)[ \t]*rules?[ \t]*\n[ \t]*1\.\s/i,
         // Precedence language
         /\btakes?\s+precedence\b/i,
         /\boverride[sd]?\b/i,
         // Ordered constraint list
-        /##\s*constraints?\s*\n+\s*1\.\s/i
+        /##[ \t]*constraints?[ \t]*\n[ \t]*1\.\s/i
       ];
 
       for (const pattern of priorityIndicators) {
@@ -846,7 +852,8 @@ const promptPatterns = {
 
       // Skip if this is documentation ABOUT CoT (describes the anti-pattern)
       // These files explain why step-by-step is redundant, not actually use it
-      if (/step[- ]by[- ]step.*(?:is\s+)?redundant|redundant.*step[- ]by[- ]step/i.test(content)) {
+      const lcContent = content.toLowerCase();
+      if (/step[- ]by[- ]step/i.test(content) && lcContent.includes('redundant')) {
         return null;
       }
 
@@ -961,7 +968,7 @@ const promptPatterns = {
       // Check if requests JSON (exclude CLI flags and function descriptions)
       // Exclude: "--output json", "analyzer returns JSON", "function returns JSON"
       const requestsJson = (
-        (/\b(?:respond|output|return)\s+(?:with|in|as)?\s*JSON\b/i.test(content) &&
+        (/\b(?:respond|output|return)[ \t]+(?:(?:with|in|as)[ \t]+)?JSON\b/i.test(content) &&
          !/--output\s+json/i.test(content) &&
          !/(?:analyzer|function|method)\s+returns?\s+JSON/i.test(content))
       ) ||
@@ -971,18 +978,18 @@ const promptPatterns = {
 
       // Check if provides schema or example
       const hasSchema = /\bproperties\b.{1,200}\btype\b/is.test(content) ||
-                       /```json\s*\n\s*\{/i.test(content) ||
+                       (content.includes('```json') && content.includes('{')) ||
                        /<json[_-]?schema>/i.test(content) ||
                        // JSON in JavaScript/TypeScript code blocks (quoted keys)
-                       /```(?:javascript|js|typescript|ts)\s*\n[\s\S]*?\{\s*\n?\s*"[a-zA-Z]+"/i.test(content) ||
+                       (/```(?:javascript|js|typescript|ts)\b/.test(content) && /\{\s*"[a-zA-Z]+"/i.test(content)) ||
                        // JavaScript object literal assignment (const x = { prop: ... })
-                       /(?:const|let|var)\s+\w+\s*=\s*\{\s*\n\s*[a-zA-Z_]+\s*:/i.test(content) ||
+                       (/\b(?:const|let|var)\b/.test(content) && /=\s*\{/.test(content)) ||
                        // JSON example with quoted property names in prose
-                       /\{\s*\n?\s*"[a-zA-Z_]+"\s*:\s*["\[\{]/i.test(content) ||
+                       /\{"[a-zA-Z_]+"[ \t]*:/i.test(content) || /\{\n[ \t]*"[a-zA-Z_]+"[ \t]*:/i.test(content) ||
                        // Inline schema description: { prop, prop, prop } or { prop: type, ... }
-                       /\{\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+/i.test(content) ||
+                       /\{[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+/i.test(content) ||
                        // Interface-style: { prop: value } patterns with multiple lines
-                       /\{\s*\n\s+[a-zA-Z_]+\s*:\s*[\[\{"']/i.test(content);
+                       /\{\n[ \t]+[a-zA-Z_]+[ \t]*:[ \t]*[\[\{"']/i.test(content);
 
       if (!hasSchema) {
         return {
@@ -1133,19 +1140,15 @@ const promptPatterns = {
       if (!creationTasks.test(content)) return null;
 
       // Check for pattern reference indicators
-      const patternRefs = [
-        /\blike\s+\S+\b/i,
-        /\bsimilar\s+to\b/i,
-        /\bfollow(?:ing)?\s+(?:the\s+)?(?:same\s+)?pattern\b/i,
-        /\bsee\s+\S+\s+(?:for|as)\s+(?:an?\s+)?example\b/i,
-        /\blook\s+at\s+(?:how|the)\b/i,
-        /\S+\.(?:js|ts|py)\s+(?:is|as)\s+(?:a\s+)?(?:good\s+)?example/i
-      ];
-
-      for (const pattern of patternRefs) {
-        if (pattern.test(content)) {
-          return null;
-        }
+      // Use string-based checks to avoid ReDoS from overlapping optional groups
+      const lcRef = content.toLowerCase();
+      if (/\blike\s+\S+\b/i.test(content) ||
+          lcRef.includes('similar to') ||
+          (lcRef.includes('follow') && lcRef.includes('pattern')) ||
+          (lcRef.includes('see ') && lcRef.includes('example')) ||
+          (lcRef.includes('look at')) ||
+          (/\.(?:js|ts|py)\b/.test(content) && lcRef.includes('example'))) {
+        return null;
       }
 
       return {
@@ -1386,7 +1389,7 @@ const promptPatterns = {
         if (codeBlockLines.has(lineNum)) continue;
 
         const line = lines[i];
-        const match = line.match(/^(#{1,6})\s+(.+)$/);
+        const match = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
         if (match) {
           headings.push({
             level: match[1].length,

package/plugins/drift-detect/lib/enhance/security-patterns.js

@@ -27,7 +27,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];
@@ -60,8 +60,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for shell commands with interpolation
-        if (/(?:exec|spawn|system|shell|`|Bash)\s*[(`].*\$\{/.test(line)) {
+        // Look for shell commands with interpolation (string checks avoid ReDoS)
+        if (/\b(?:exec|spawn|system|shell)\b|`|Bash/i.test(line) && /[(`]/.test(line) && line.includes('${')) {
           issues.push({
             issue: 'Command injection risk via string interpolation',
             fix: 'Validate and escape user input before shell execution',
@@ -91,8 +91,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for user-controlled paths with ../
-        if (/(?:path|file|dir).*\$.*\.\.\/|\.\.\/.*\$/.test(line)) {
+        // Look for user-controlled paths with ../ (string checks avoid ReDoS)
+        if (/\b(?:path|file|dir)\b/i.test(line) && line.includes('$') && line.includes('../')) {
           issues.push({
             issue: 'Path traversal risk - user input may contain ../',
             fix: 'Validate paths and use path.resolve() with base directory check',
@@ -181,7 +181,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];

package/plugins/drift-detect/lib/patterns/slop-analyzers.js

@@ -1803,7 +1803,7 @@ function analyzeDeadCode(content, options = {}) {
     // Skip if termination is part of a one-line conditional (e.g., "if (x) return;")
     // These don't make subsequent code unreachable
     if (/^\s*(if|elif|else\s+if)\s*\(/.test(trimmed) ||
-        /^\s*if\s+.*:/.test(trimmed)) {
+        /^[ \t]*if\s[^:\n]*:/.test(trimmed)) {
       continue;
     }
 

package/plugins/drift-detect/skills/drift-analysis/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: drift-analysis
 description: Use when the user asks about plan drift, reality check, comparing docs to code, project state analysis, roadmap alignment, implementation gaps, or needs guidance on identifying discrepancies between documented plans and actual implementation state.
-version: 4.2.0
+version: 4.2.2
 ---
 
 # Drift Analysis

package/plugins/enhance/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "enhance",
-  "version": "4.2.0",
+  "version": "4.2.2",
   "description": "Plugin structure and tool use analyzer - validates plugin.json, MCP tools, and security patterns",
   "author": {
     "name": "Avi Fenesh",

package/plugins/enhance/lib/enhance/docs-patterns.js

@@ -418,7 +418,7 @@ const docsPatterns = {
       }
 
       // Check for very long lists that could be tables
-      const longLists = content.match(/(?:^[-*]\s+.+\n){10,}/gm);
+      const longLists = content.match(/(?:^[-*][ \t]+\S[^\n]*\n){10,}/gm);
       if (longLists) {
         suggestions.push('Long lists (10+ items) might be more efficient as tables');
       }

package/plugins/enhance/lib/enhance/fixer.js

@@ -179,7 +179,7 @@ function applyAtPath(obj, pathStr, fixFn) {
     const part = parts[i];
     if (part.includes('[')) {
       // Array access
-      const match = part.match(/(\w+)\[(\d+)\]/);
+      const match = part.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
       if (match) {
         current = current[match[1]][parseInt(match[2], 10)];
       }
@@ -190,7 +190,7 @@ function applyAtPath(obj, pathStr, fixFn) {
 
   const lastPart = parts[parts.length - 1];
   if (lastPart.includes('[')) {
-    const match = lastPart.match(/(\w+)\[(\d+)\]/);
+    const match = lastPart.match(/^((?!__proto__|constructor|prototype)[a-zA-Z_]\w*)\[(\d{1,10})\]$/);
     if (match) {
       current[match[1]][parseInt(match[2], 10)] = fixFn(current[match[1]][parseInt(match[2], 10)]);
     }
@@ -403,7 +403,7 @@ function fixInconsistentHeadings(content) {
 
     if (inCodeBlock) continue;
 
-    const headingMatch = line.match(/^(#{1,6})\s+(.+)$/);
+    const headingMatch = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
     if (headingMatch) {
       const currentLevel = headingMatch[1].length;
       const headingText = headingMatch[2];
@@ -535,6 +535,37 @@ Why bad: [explanation]
   return content.trim() + exampleSection;
 }
 
+/**
+ * Wrap a markdown section (heading to next heading/separator) in XML tags.
+ * Uses line-by-line scanning to avoid ReDoS from [\s\S]*? with lookaheads.
+ */
+function wrapSection(text, headingPattern, tagName) {
+  const lines = text.split('\n');
+  let sectionStart = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (sectionStart === -1) {
+      if (headingPattern.test(lines[i])) {
+        sectionStart = i;
+      }
+    } else {
+      // End section at next heading or horizontal rule
+      if (/^#{1,6}\s/.test(lines[i]) || /^---/.test(lines[i])) {
+        const before = lines.slice(0, sectionStart);
+        const section = lines.slice(sectionStart, i);
+        const after = lines.slice(i);
+        return [...before, `<${tagName}>`, ...section, `</${tagName}>`, ...after].join('\n');
+      }
+    }
+  }
+  // Section runs to end of content
+  if (sectionStart !== -1) {
+    const before = lines.slice(0, sectionStart);
+    const section = lines.slice(sectionStart);
+    return [...before, `<${tagName}>`, ...section, `</${tagName}>`].join('\n');
+  }
+  return text;
+}
+
 /**
  * Add XML structure tags to complex prompt
  * @param {string} content - Prompt content
@@ -551,17 +582,11 @@ function fixMissingXmlStructure(content) {
   // Wrap role section if exists
   let result = content;
 
-  // Find and wrap role section
-  result = result.replace(
-    /^(##\s*(?:your\s+)?role\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<role>\n$1$2</role>\n'
-  );
+  // Find and wrap role section (use non-regex approach to avoid ReDoS)
+  result = wrapSection(result, /^##[ \t]*(?:your[ \t]+)?role[ \t]*$/im, 'role');
 
   // Find and wrap constraints section
-  result = result.replace(
-    /^(##\s*(?:constraints?|rules?)\s*\n)([\s\S]*?)(?=\n##|\n---|\Z)/im,
-    '<constraints>\n$1$2</constraints>\n'
-  );
+  result = wrapSection(result, /^##[ \t]*(?:constraints?|rules?)[ \t]*$/im, 'constraints');
 
   return result;
 }
@@ -622,7 +647,7 @@ function fixMissingTriggerPhrase(content) {
     // Check if already has trigger phrase
     if (!/use when user asks/i.test(descLine)) {
       // Extract current description
-      const match = descLine.match(/^description:\s*(.+)$/);
+      const match = descLine.match(/^description:[ \t]*(\S.*)$/);
       if (match) {
         const currentDesc = match[1].trim();
         // Add trigger phrase

package/plugins/enhance/lib/enhance/projectmemory-analyzer.js

@@ -43,17 +43,25 @@ function extractFileReferences(content) {
 
   const references = [];
 
-  // Match markdown links: [text](path)
-  const linkMatches = content.match(/\[([^\]]+)\]\(([^)]+)\)/g) || [];
-  for (const match of linkMatches) {
-    const pathMatch = match.match(/\]\(([^)]+)\)/);
-    if (pathMatch && pathMatch[1]) {
-      const href = pathMatch[1];
-      // Skip URLs and anchors
-      if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
-        references.push(href.split('#')[0]); // Remove anchor
+  // Extract markdown links [text](path) using indexOf scanning (ReDoS-safe)
+  let pos = 0;
+  while (pos < content.length) {
+    const openBracket = content.indexOf('[', pos);
+    if (openBracket === -1) break;
+    const closeBracket = content.indexOf(']', openBracket + 1);
+    if (closeBracket === -1) break;
+    if (content[closeBracket + 1] === '(') {
+      const closeParen = content.indexOf(')', closeBracket + 2);
+      if (closeParen !== -1 && closeParen - closeBracket - 2 <= 500) {
+        const href = content.substring(closeBracket + 2, closeParen);
+        if (!href.startsWith('http') && !href.startsWith('#') && !href.startsWith('mailto:')) {
+          references.push(href.split('#')[0]); // Remove anchor
+        }
+        pos = closeParen + 1;
+        continue;
       }
     }
+    pos = openBracket + 1;
   }
 
   // Match backtick paths: `path/to/file.ext` or `file.ext` (root files)

package/plugins/enhance/lib/enhance/projectmemory-patterns.js

@@ -57,7 +57,7 @@ const projectMemoryPatterns = {
       const hasArchitecture = /##\s+architecture/i.test(content);
       const hasStructure = /##\s+(?:project\s+)?structure/i.test(content);
       const hasOverview = /##\s+overview/i.test(content);
-      const hasDirectoryTree = /```[\s\S]*?(?:├──|└──|lib\/|src\/)[\s\S]*?```/.test(content);
+      const hasDirectoryTree = content.includes('```') && /├──|└──|lib\/|src\//.test(content);
 
       if (!hasArchitecture && !hasStructure && !hasOverview && !hasDirectoryTree) {
         return {
@@ -85,7 +85,7 @@ const projectMemoryPatterns = {
       const hasCommands = /##\s+(?:key\s+)?commands/i.test(content);
       const hasScripts = /##\s+scripts/i.test(content);
       const hasUsage = /##\s+usage/i.test(content);
-      const hasCodeBlocks = /```(?:bash|sh|shell)[\s\S]*?(?:npm|yarn|pnpm|git|make)/i.test(content);
+      const hasCodeBlocks = /```(?:bash|sh|shell)/i.test(content) && /\b(?:npm|yarn|pnpm|git|make)\b/i.test(content);
 
       if (!hasCommands && !hasScripts && !hasUsage && !hasCodeBlocks) {
         return {

package/plugins/enhance/lib/enhance/prompt-patterns.js

@@ -29,7 +29,7 @@ const LOOKS_LIKE_JSON_CONTENT = /[:,]/;
 const NOT_JSON_KEYWORDS = /(function|const|let|var|if|for|while|class)\b/;
 // JS patterns require syntax context (not just keywords that might appear in JSON strings)
 const LOOKS_LIKE_JS = /\b(function\s*\(|const\s+\w+\s*=|let\s+\w+\s*=|var\s+\w+\s*=|=>\s*[{(]|async\s+function|await\s+\w|class\s+\w+\s*{|import\s+\{|export\s+(const|function|class|default)|require\s*\()/;
-const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s+.*:|\s{4}|print\()\b/;
+const LOOKS_LIKE_PYTHON = /\b(def\s+\w+|import\s+\w+|from\s+\w+\s+import|class\s+\w+:|if\s[^:\n]*:|\s{4}|print\()\b/;
 
 // Memoization caches for performance (keyed by content hash)
 let _lastContent = null;
@@ -220,7 +220,7 @@ const promptPatterns = {
         // Skip lines listing vague terms as documentation
         if (/vague\s*(instructions?|terms?|language|patterns?)\s*[:"]/.test(trimmed)) return false;
         // Skip lines with quoted lists of vague words
-        if (/["']usually["'].*["']sometimes["']/.test(trimmed)) return false;
+        if (trimmed.includes('usually') && trimmed.includes('sometimes') && /["']/.test(trimmed)) return false;
         return true;
       });
       const filteredContent = lines.join('\n');
@@ -331,7 +331,11 @@ const promptPatterns = {
       if (!content || typeof content !== 'string') return null;
 
       // Skip workflow orchestrators that spawn agents/skills rather than produce output directly
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type|await Task\(|invoke.*skill|Skill\s*tool/i.test(content);
+      const lc = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc.includes('spawn') && lc.includes('agent')) || content.includes('subagent_type') ||
+        content.includes('await Task(') || (lc.includes('invoke') && lc.includes('skill')) ||
+        (/\bSkill\b/.test(content) && lc.includes('tool'));
       if (isOrchestrator) return null;
 
       // Skip reference docs and hooks (not prompts that produce conversational output)
@@ -590,7 +594,9 @@ const promptPatterns = {
       if (isNonPrompt) return null;
 
       // Skip workflow orchestrators and command files
-      const isOrchestrator = /##\s*Phase\s+\d+|Task\(\{|spawn.*agent|subagent_type/i.test(content);
+      const lc2 = content.toLowerCase();
+      const isOrchestrator = /##\s*Phase\s+\d+/i.test(content) || content.includes('Task({') ||
+        (lc2.includes('spawn') && lc2.includes('agent')) || content.includes('subagent_type');
       if (isOrchestrator) return null;
 
       // Check for example indicators
@@ -793,12 +799,12 @@ const promptPatterns = {
         /\b(?:highest|lowest)\s+priority\b/i,
         /\b(?:first|second|third)\s+priority\b/i,
         // Numbered rules section (implicit priority order)
-        /##\s*(?:critical|important)\s*rules?\s*\n+\s*1\.\s/i,
+        /##[ \t]*(?:critical|important)[ \t]*rules?[ \t]*\n[ \t]*1\.\s/i,
         // Precedence language
         /\btakes?\s+precedence\b/i,
         /\boverride[sd]?\b/i,
         // Ordered constraint list
-        /##\s*constraints?\s*\n+\s*1\.\s/i
+        /##[ \t]*constraints?[ \t]*\n[ \t]*1\.\s/i
       ];
 
       for (const pattern of priorityIndicators) {
@@ -846,7 +852,8 @@ const promptPatterns = {
 
       // Skip if this is documentation ABOUT CoT (describes the anti-pattern)
       // These files explain why step-by-step is redundant, not actually use it
-      if (/step[- ]by[- ]step.*(?:is\s+)?redundant|redundant.*step[- ]by[- ]step/i.test(content)) {
+      const lcContent = content.toLowerCase();
+      if (/step[- ]by[- ]step/i.test(content) && lcContent.includes('redundant')) {
         return null;
       }
 
@@ -961,7 +968,7 @@ const promptPatterns = {
       // Check if requests JSON (exclude CLI flags and function descriptions)
       // Exclude: "--output json", "analyzer returns JSON", "function returns JSON"
       const requestsJson = (
-        (/\b(?:respond|output|return)\s+(?:with|in|as)?\s*JSON\b/i.test(content) &&
+        (/\b(?:respond|output|return)[ \t]+(?:(?:with|in|as)[ \t]+)?JSON\b/i.test(content) &&
          !/--output\s+json/i.test(content) &&
          !/(?:analyzer|function|method)\s+returns?\s+JSON/i.test(content))
       ) ||
@@ -971,18 +978,18 @@ const promptPatterns = {
 
       // Check if provides schema or example
       const hasSchema = /\bproperties\b.{1,200}\btype\b/is.test(content) ||
-                       /```json\s*\n\s*\{/i.test(content) ||
+                       (content.includes('```json') && content.includes('{')) ||
                        /<json[_-]?schema>/i.test(content) ||
                        // JSON in JavaScript/TypeScript code blocks (quoted keys)
-                       /```(?:javascript|js|typescript|ts)\s*\n[\s\S]*?\{\s*\n?\s*"[a-zA-Z]+"/i.test(content) ||
+                       (/```(?:javascript|js|typescript|ts)\b/.test(content) && /\{\s*"[a-zA-Z]+"/i.test(content)) ||
                        // JavaScript object literal assignment (const x = { prop: ... })
-                       /(?:const|let|var)\s+\w+\s*=\s*\{\s*\n\s*[a-zA-Z_]+\s*:/i.test(content) ||
+                       (/\b(?:const|let|var)\b/.test(content) && /=\s*\{/.test(content)) ||
                        // JSON example with quoted property names in prose
-                       /\{\s*\n?\s*"[a-zA-Z_]+"\s*:\s*["\[\{]/i.test(content) ||
+                       /\{"[a-zA-Z_]+"[ \t]*:/i.test(content) || /\{\n[ \t]*"[a-zA-Z_]+"[ \t]*:/i.test(content) ||
                        // Inline schema description: { prop, prop, prop } or { prop: type, ... }
-                       /\{\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+\s*,\s*[a-zA-Z_]+/i.test(content) ||
+                       /\{[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+[ \t]*,[ \t]*[a-zA-Z_]+/i.test(content) ||
                        // Interface-style: { prop: value } patterns with multiple lines
-                       /\{\s*\n\s+[a-zA-Z_]+\s*:\s*[\[\{"']/i.test(content);
+                       /\{\n[ \t]+[a-zA-Z_]+[ \t]*:[ \t]*[\[\{"']/i.test(content);
 
       if (!hasSchema) {
         return {
@@ -1133,19 +1140,15 @@ const promptPatterns = {
       if (!creationTasks.test(content)) return null;
 
       // Check for pattern reference indicators
-      const patternRefs = [
-        /\blike\s+\S+\b/i,
-        /\bsimilar\s+to\b/i,
-        /\bfollow(?:ing)?\s+(?:the\s+)?(?:same\s+)?pattern\b/i,
-        /\bsee\s+\S+\s+(?:for|as)\s+(?:an?\s+)?example\b/i,
-        /\blook\s+at\s+(?:how|the)\b/i,
-        /\S+\.(?:js|ts|py)\s+(?:is|as)\s+(?:a\s+)?(?:good\s+)?example/i
-      ];
-
-      for (const pattern of patternRefs) {
-        if (pattern.test(content)) {
-          return null;
-        }
+      // Use string-based checks to avoid ReDoS from overlapping optional groups
+      const lcRef = content.toLowerCase();
+      if (/\blike\s+\S+\b/i.test(content) ||
+          lcRef.includes('similar to') ||
+          (lcRef.includes('follow') && lcRef.includes('pattern')) ||
+          (lcRef.includes('see ') && lcRef.includes('example')) ||
+          (lcRef.includes('look at')) ||
+          (/\.(?:js|ts|py)\b/.test(content) && lcRef.includes('example'))) {
+        return null;
       }
 
       return {
@@ -1386,7 +1389,7 @@ const promptPatterns = {
         if (codeBlockLines.has(lineNum)) continue;
 
         const line = lines[i];
-        const match = line.match(/^(#{1,6})\s+(.+)$/);
+        const match = line.match(/^(#{1,6})[ \t]+(\S.*)$/);
         if (match) {
           headings.push({
             level: match[1].length,

package/plugins/enhance/lib/enhance/security-patterns.js

@@ -27,7 +27,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];
@@ -60,8 +60,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for shell commands with interpolation
-        if (/(?:exec|spawn|system|shell|`|Bash)\s*[(`].*\$\{/.test(line)) {
+        // Look for shell commands with interpolation (string checks avoid ReDoS)
+        if (/\b(?:exec|spawn|system|shell)\b|`|Bash/i.test(line) && /[(`]/.test(line) && line.includes('${')) {
           issues.push({
             issue: 'Command injection risk via string interpolation',
             fix: 'Validate and escape user input before shell execution',
@@ -91,8 +91,8 @@ const securityPatterns = {
 
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        // Look for user-controlled paths with ../
-        if (/(?:path|file|dir).*\$.*\.\.\/|\.\.\/.*\$/.test(line)) {
+        // Look for user-controlled paths with ../ (string checks avoid ReDoS)
+        if (/\b(?:path|file|dir)\b/i.test(line) && line.includes('$') && line.includes('../')) {
           issues.push({
             issue: 'Path traversal risk - user input may contain ../',
             fix: 'Validate paths and use path.resolve() with base directory check',
@@ -181,7 +181,7 @@ const securityPatterns = {
       if (!frontmatterMatch) return null;
 
       const frontmatter = frontmatterMatch[1];
-      const toolsMatch = frontmatter.match(/^tools:\s*(.*)$/m);
+      const toolsMatch = frontmatter.match(/^tools:[ \t]*(\S.*)?$/m);
       if (!toolsMatch) return null;
 
       const tools = toolsMatch[1];

package/plugins/enhance/lib/patterns/slop-analyzers.js

@@ -1803,7 +1803,7 @@ function analyzeDeadCode(content, options = {}) {
     // Skip if termination is part of a one-line conditional (e.g., "if (x) return;")
     // These don't make subsequent code unreachable
     if (/^\s*(if|elif|else\s+if)\s*\(/.test(trimmed) ||
-        /^\s*if\s+.*:/.test(trimmed)) {
+        /^[ \t]*if\s[^:\n]*:/.test(trimmed)) {
       continue;
     }
 

package/plugins/enhance/skills/enhance-agent-prompts/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-agent-prompts
 description: "Use when improving agent prompts, frontmatter, and tool restrictions."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--fix] [--verbose]"
 ---
 

package/plugins/enhance/skills/enhance-claude-memory/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-claude-memory
 description: "Use when improving CLAUDE.md or AGENTS.md project memory files."
-version: 4.2.0
+version: 4.2.2
 ---
 
 # enhance-claude-memory

package/plugins/enhance/skills/enhance-cross-file/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-cross-file
 description: "Use when checking cross-file consistency: tools vs frontmatter, agent references, duplicate rules, contradictions."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path]"
 ---
 

package/plugins/enhance/skills/enhance-docs/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-docs
 description: "Use when improving documentation structure, accuracy, and RAG readiness."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--fix] [--ai]"
 ---
 

package/plugins/enhance/skills/enhance-hooks/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-hooks
 description: "Use when reviewing hooks for safety, timeouts, and correct frontmatter."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--fix]"
 ---
 

package/plugins/enhance/skills/enhance-orchestrator/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-orchestrator
 description: "Use when coordinating multiple enhancers for /enhance command. Runs analyzers in parallel and produces unified report."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--apply] [--focus=TYPE]"
 ---
 

package/plugins/enhance/skills/enhance-plugins/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-plugins
 description: "Use when analyzing plugin structures, MCP tools, and plugin security patterns."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--fix]"
 ---
 

package/plugins/enhance/skills/enhance-prompts/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: enhance-prompts
 description: "Use when improving general prompts for structure, examples, and constraints."
-version: 4.2.0
+version: 4.2.2
 argument-hint: "[path] [--fix]"
 ---