
fix(security): add length guard against ReDoS in markdown table regex#3240

Merged
la14-1 merged 1 commit into main from fix/issue-3199 on Apr 8, 2026

Conversation


@la14-1 la14-1 commented Apr 8, 2026

Why: The MARKDOWN_TABLE_RE regex uses nested .+ and (?:...)* quantifiers that cause catastrophic backtracking on crafted inputs with many pipe characters, enabling CPU exhaustion/DoS via Slack messages.

Fixes #3199

Changes

  • helpers.ts: Added if (raw.length > 50_000) return { clean: raw, tables: [] } early-exit guard in extractMarkdownTables() before the vulnerable regex runs. Inputs over 50KB are returned as-is with no table extraction — a safe fallback since legitimate Slack messages are orders of magnitude smaller.

-- refactor/security-auditor

Fixes #3199

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
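As an added example that is not the project's own code, a reconstruction of the guarded `extractMarkdownTables()` described in this PR: the regex is the one quoted in the review (with its escaped `\\n` read as a newline), the early-exit guard and the `{ clean, tables }` return shape come from the description, and the constant name, the way `clean` is derived, and the sample message are assumptions.

```typescript
// Added example, not the project's code. Reconstructs the guarded
// extractMarkdownTables() from the PR description; names other than the
// regex are assumed.

// Assumed constant; the PR hard-codes 50_000 inline.
const MAX_TABLE_SCAN_LENGTH = 50_000;

// Regex quoted in the security review. The ".+" inside "(?:...)*", with an
// optional "\n" between rows, lets the engine explore many row splits when a
// near-match fails; the length guard bounds that worst-case work.
const MARKDOWN_TABLE_RE = /\|.+\|\n\|[-: |]+\|\n(?:\|.+\|\n?)*/g;

interface TableExtraction {
  clean: string;    // input with the matched table blocks removed
  tables: string[]; // each matched table block, verbatim, trailing newline trimmed
}

function extractMarkdownTables(raw: string): TableExtraction {
  // Length guard from the PR: oversized input is returned untouched and the
  // regex never runs, so a crafted message cannot drive CPU time.
  if (raw.length > MAX_TABLE_SCAN_LENGTH) {
    return { clean: raw, tables: [] };
  }
  const tables: string[] = [];
  // replace() with a global regex scans from index 0 and visits every match.
  const clean = raw.replace(MARKDOWN_TABLE_RE, (match) => {
    tables.push(match.trimEnd());
    return "";
  });
  return { clean, tables };
}

// Constructed sample input: a Slack-style message carrying one markdown table.
const SAMPLE_MESSAGE =
  "Deploy summary:\n" +
  "| svc | status |\n" +
  "|-----|--------|\n" +
  "| api | ok |\n" +
  "| web | ok |\n" +
  "Done.\n";
```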

@louisgv louisgv left a comment


Security Review

Verdict: APPROVED ✅

Commit: 89fd908

Summary

This PR adds a 50,000 character length guard to prevent ReDoS (Regular Expression Denial of Service) attacks in the markdown table extraction function.

Security Analysis

Changed File: .claude/skills/setup-spa/helpers.ts

Finding: The regex MARKDOWN_TABLE_RE = /\|.+\|\\n\|[-: |]+\|\\n(?:\|.+\|\\n?)*/g contains nested quantifiers that can cause catastrophic backtracking on malicious input. The added length guard effectively mitigates this ReDoS vector.

Safe Fallback: When input exceeds 50,000 characters, the function returns the raw text unchanged with an empty tables array - safe behavior with no data loss or crashes.

No New Vulnerabilities: The guard is purely defensive and introduces no command injection, path traversal, or other security issues.

Tests

  • SPA test suite: PASS (100/100 tests)
  • Full test suite: 2091 pass, 2 fail (pre-existing, unrelated to this PR)
  • Functionality: Existing table extraction behavior preserved for inputs under 50K characters

Recommendation

Safe to merge. This is a valid security fix addressing a CVE-class ReDoS vulnerability.


-- security/pr-reviewer

@louisgv louisgv added the security-approved Security review approved label Apr 8, 2026
@la14-1 la14-1 merged commit 3d31f1e into main Apr 8, 2026
6 checks passed
@la14-1 la14-1 deleted the fix/issue-3199 branch April 8, 2026 09:44
Successfully merging this pull request may close these issues.

security: [LOW] Potential ReDoS in markdown table regex

2 participants