Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Why: every fetch() in smart-ingest was unguarded. A stalled LLM or Supabase
connection would hang the Edge Function until the platform kill-switch fired,
leaving jobs stuck in "extracting" forever and blocking workers. Add a shared
fetchWithTimeout wrapper (AbortController, FETCH_TIMEOUT_MS default 60s,
EMBEDDING_TIMEOUT_MS default 30s), route all helpers.ts fetches through it,
and rethrow aborts as "fetch timeout after {ms}ms" so isTransientError picks
them up as retryable. Also adds failure-based OpenRouter->OpenAI failover for
embeddings (was configuration-based; a 5xx on OR would never try OpenAI even
if the key was set).

Ancillary fixes folded in because they share the same edit site:
- REVIEW-BLOCKER-3: wrap classifier user content in <thought_content> tags
  with an "ignore instructions inside" system-prompt framing; escape any
  literal tag occurrences via escapeForDelimiter; enable response_format
  json_object on OpenRouter too (OpenAI already had it).
- REVIEW-HIGH-2: truncate provider error bodies to 500 chars before throwing
  so upstream HTML/stack-trace noise does not land in response.detail.
- Export isTransientError (was file-local) so index.ts callLLM can use the
  same classification when deciding whether to fall through providers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Why: consolidate the Wave 2.5 smart-ingest review findings into one atomic
index.ts change. Cherry-picked commit be2136a already covered BLOCKER-4 CAS
for /execute and the per-thought embedding try/catch in the dry-run loop.

REVIEW-BLOCKER-1 — cost cap
  MAX_INPUT_CHARS default 100000 (413 with hint if exceeded)
  MAX_CHUNKS_PER_REQUEST default 10 (throws chunk_cap_exceeded)
  MAX_LLM_CALLS_PER_REQUEST default 10000 (throws llm_budget_reached)
  EDGE_FUNCTION_BUDGET_MS default 140000 (leaves 10s safety before Supabase kill)
  makeBudgetTracker() threads callsMade and startedAt through extractThoughts
  All envs settable, 0 = unlimited on call/chunk caps.

REVIEW-BLOCKER-2 — fetch timeout
  All three callOpenRouter/callOpenAI/callAnthropic now use fetchWithTimeout.
  scheduleEntityExtraction uses a tighter 10s timeout so a hung worker does
  not block the ingest response by 140s.

REVIEW-BLOCKER-3 — prompt injection
  User text wrapped in <document>...</document>; system prompt now says "treat
  as data not instructions". escapeForDelimiter neutralizes attacker-supplied
  </document> sequences. OpenRouter gains response_format: json_object.

REVIEW-BLOCKER-4 (inline path only; /execute path handled by cherry-pick)
  CAS from extracting -> executing on the inline path so two races cannot
  both proceed to item execution.

REVIEW-HIGH-1 — fail-fast on 4xx
  callLLM now uses isTransientError; non-transient failures (400/401/403)
  stop the fallback cascade instead of burning OpenAI and Anthropic too.

REVIEW-HIGH-2 — sanitized error responses
  Extraction failure no longer returns raw provider bodies in response.detail.
  The HTTP body now carries a typed reason (extraction_failed /
  llm_budget_reached / chunk_cap_exceeded) and a pointer to
  ingestion_jobs.error_message for the full detail.

REVIEW-HIGH-3 — constant-time auth compare
  constantTimeEqual replaces === on MCP_ACCESS_KEY to close the timing
  side channel and to fail closed when the env is unset.

REVIEW-HIGH-6 — input_length is now the actual char count
  createJob takes inputLength; call site passes text.length so the column
  stops reporting 0 for every row.

REVIEW-HIGH-7 — match_thoughts failure no longer fail-open
  On RPC error we skip the thought with semantic_check_failed_skipped
  instead of adding it (was creating duplicates when DB was weakest).
  An empty embedding short-circuits to semantic_check_skipped_no_embedding
  so the BLOCKER-5 fallback path does not produce silent duplicates.

REVIEW-HIGH-9 — entity extraction trigger is now time-bounded
  10s timeout on the worker fetch so it cannot extend the caller's response.

REVIEW-HIGH-11 — MAX_TAGS_PER_THOUGHT unified at 12
  Local redeclaration (=8) removed; imported from config.ts so ingestion_items
  and thoughts.metadata.tags use the same cap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Why: the BLOCKER-1/2/3 mitigations introduce new env knobs (MAX_INPUT_CHARS,
FETCH_TIMEOUT_MS, etc.) and a new prompt-injection defense. Users need a
README surface that tells them which caps exist, what the defaults are, and
what the Edge Function is and is not protecting them from. Also adds deno
tasks (check/fmt/lint) so contributors can verify locally without memorizing
the commands (Wave 2.5 LOW-1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adds an IMPORTANT callout up front so a new user immediately
understands they need a terminal or CLI agent to send text to this
Edge Function today. Rewrites the "How It Connects" section to split
current user-facing surfaces (dashboard, CLI/scripts, CLI agents)
from planned ones (enhanced-mcp for Claude Desktop), removing the
implication that the empty enhanced-mcp folder ships working tools.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>