fix(plugin): replace bootstrap marker regex with linear scan to close ReDoS

The non-greedy regex /<SYSTEMATIC_WORKFLOWS>[\s\S]*?<\/SYSTEMATIC_WORKFLOWS>/
was flagged by CodeQL as polynomial-time on uncontrolled input — when the
opening tag repeats and the closing tag is absent, the engine backtracks
through every prefix. With per-load registration now letting any plugin
source contribute system prompt fragments, this regex sees content the
plugin itself didn't author.

Replaces the regex with a small indexOf/slice helper. Fixed literal
delimiters never needed regex; the linear scan is provably immune to ReDoS
and unchanged in behavior for the existing seven marker-replacement tests.
Adds a regression test that runs the helper against 10000 repeated opening
markers with no closing tag and asserts completion in well under 1s.

Closes CodeQL alerts #42 and #43.

Author: marcusrbrown

src/index.ts

@@ -18,17 +18,32 @@ const bundledAgentsDir = path.join(packageRoot, 'agents')
 const bundledCommandsDir = path.join(packageRoot, 'commands')
 const packageJsonPath = path.join(packageRoot, 'package.json')
 
-const BOOTSTRAP_MARKER_PATTERN =
-  /<SYSTEMATIC_WORKFLOWS>[\s\S]*?<\/SYSTEMATIC_WORKFLOWS>/
+const BOOTSTRAP_MARKER_OPEN = '<SYSTEMATIC_WORKFLOWS>'
+const BOOTSTRAP_MARKER_CLOSE = '</SYSTEMATIC_WORKFLOWS>'
+
+const findBootstrapMarkerBlock = (
+  entry: string,
+): { start: number; end: number } | null => {
+  const start = entry.indexOf(BOOTSTRAP_MARKER_OPEN)
+  if (start === -1) return null
+  const closeStart = entry.indexOf(
+    BOOTSTRAP_MARKER_CLOSE,
+    start + BOOTSTRAP_MARKER_OPEN.length,
+  )
+  if (closeStart === -1) return null
+  return { start, end: closeStart + BOOTSTRAP_MARKER_CLOSE.length }
+}
 
 export const applyBootstrapContent = (
   output: { system: string[] },
   content: string,
 ): void => {
   for (let i = 0; i < output.system.length; i++) {
     const entry = output.system[i]
-    if (BOOTSTRAP_MARKER_PATTERN.test(entry)) {
-      output.system[i] = entry.replace(BOOTSTRAP_MARKER_PATTERN, content)
+    const block = findBootstrapMarkerBlock(entry)
+    if (block !== null) {
+      output.system[i] =
+        entry.slice(0, block.start) + content + entry.slice(block.end)
       return
     }
   }

tests/unit/plugin.test.ts

@@ -575,4 +575,24 @@ describe('applyBootstrapContent marker-based idempotency', () => {
     expect(joined).toContain('SECOND REGISTRATION')
     expect(joined).not.toContain('FIRST REGISTRATION')
   })
+
+  test('completes in linear time on malicious input with many opening markers and no closing tag', () => {
+    // Regression: the prior regex implementation was vulnerable to ReDoS on
+    // inputs starting with the opening marker repeated and missing a closing
+    // tag. The linear-scan helper is provably immune; this pins the failure
+    // mode without relying on benchmarking.
+    const malicious = `${MARKER_OPEN.repeat(10000)} trailing content with no close`
+    const output = { system: [malicious] }
+    const startedAt = Date.now()
+    applyBootstrapContent(output, wrap('NEW CONTENT'))
+    const elapsedMs = Date.now() - startedAt
+    // No marker block matched (no closing tag), so content is appended.
+    expect(output.system).toHaveLength(1)
+    expect(output.system[0]).toContain('NEW CONTENT')
+    expect(output.system[0]).toContain(MARKER_OPEN.repeat(10000))
+    // Loose upper bound — linear scan finishes in well under 100ms even on
+    // slow CI runners. A polynomial-backtracking regex would take seconds or
+    // longer on this input shape.
+    expect(elapsedMs).toBeLessThan(1000)
+  })
 })