fix: eliminate ReDoS-vulnerable regex in _json_utils.py

Replace backtracking-prone regex with string find() for markdown fence stripping. SonarQube flagged the DOTALL+.*? pattern as polynomial backtracking risk.

Author: sunbos

plugins/sqlseed-ai/src/sqlseed_ai/_json_utils.py

@@ -19,16 +19,26 @@ def parse_json_response(content: str) -> dict[str, Any]:
 
     # Strategy 2: Strip markdown code fences
     # Handles: ```json\n{...}\n``` or ```\n{...}\n```
-    # Use non-greedy match with explicit fence boundary to avoid polynomial backtracking
-    fence_match = re.search(r"```(?:json)?[ \t]*\n(.*?)\n\s*```", cleaned, re.DOTALL)
-    if fence_match:
-        try:
-            result = json.loads(fence_match.group(1).strip())
-            if isinstance(result, dict):
-                _sanitize_names(result)
-                return result
-        except json.JSONDecodeError:
-            pass
+    # Split on fence markers instead of using backtracking-prone regex with DOTALL
+    open_idx = cleaned.find("```")
+    if open_idx >= 0:
+        # Skip the opening fence and optional language tag
+        after_open = cleaned[open_idx + 3 :]
+        # Skip "json" or other language identifier on the same line
+        nl_pos = after_open.find("\n")
+        if nl_pos >= 0:
+            content_start = nl_pos + 1
+            # Find closing fence
+            close_idx = after_open.find("```", content_start)
+            if close_idx >= 0:
+                fence_content = after_open[content_start:close_idx].strip()
+                try:
+                    result = json.loads(fence_content)
+                    if isinstance(result, dict):
+                        _sanitize_names(result)
+                        return result
+                except json.JSONDecodeError:
+                    pass
 
     # Strategy 3: Find first '{' and use json.JSONDecoder.raw_decode()
     # Handles: explanatory text before/after JSON, no code fences