#18850: fix: prevent ReDoS in session filter via safe-regex utilities

## Summary Apply ReDoS protection fixes for session filter from the `fix/redos-session-filter` branch. ## Changes - Created `src/utils/safe-regex.ts` with ReDoS protection utilities: - `isDangerousPattern()` - detects potentially dangerous regex patterns - `safeRegex()` - validates patterns and returns safe regex or null - `safeRegexTest()` - safely tests strings against patterns with safe fallback - Updated `src/discord/monitor/exec-approvals.ts`: - Added import for `safeRegexTest` - Changed session filter check to use `safeRegexTest()` instead of direct `RegExp.test()` - This prevents catastrophic backtracking from user-provided regex patterns ## Security Fix The session filter could previously be exploited with patterns like `(a+)+` that cause exponential backtracking, leading to ReDoS attacks. The new implementation: 1. Detects dangerous pattern structures 2. Limits pattern length 3. Falls back to substring matching for unsafe patterns 4. Prevents unbounded regex execution Refs: fix/redos-session-filter <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR adds ReDoS protection to the session filter by introducing safe regex utilities and applying them to `exec-approvals.ts`. The change replaces direct `RegExp` construction with `safeRegexTest()` which detects dangerous patterns and falls back to substring matching. **Key changes:** - New `src/utils/safe-regex.ts` with ReDoS detection heuristics and safe regex testing - Updated `src/discord/monitor/exec-approvals.ts` to use `safeRegexTest()` for session filtering (line 363) **Issues found:** - The `safeRegexTest()` function has a logic bug: it performs substring matching (`str.includes(pattern)`) *before* checking if the pattern is a regex, which breaks regex metacharacter matching (e.g., `^agent:` would match `"test^agent:foo"` instead of only matching strings starting with `"agent:"`) <h3>Confidence Score: 2/5</h3> - This PR has a critical logic bug that breaks regex pattern matching behavior - The implementation has good security intentions but contains a significant logic error in `safeRegexTest()` that will cause incorrect matching behavior. The function checks substring inclusion before attempting regex matching, which means patterns with regex metacharacters (like `^`, `$`, `.*`, etc.) will match incorrectly. This breaks the expected behavior when users provide regex patterns in `sessionFilter` configuration. Additionally, there are no tests for the new `safe-regex.ts` utilities to catch this type of issue. - `src/utils/safe-regex.ts` requires a fix to the pattern matching logic, and tests should be added _{Last reviewed commit: 882be46} <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->