fix(auto-triage): avoid regex code fence parsing #3854

Open

kilo-code-bot[bot] wants to merge 1 commit into main from fix/codeql-421-classification-parser-redos

Conversation

@kilo-code-bot kilo-code-bot Bot commented Jun 9, 2026 (Contributor)

Summary

  • Replaces the classification parser's markdown code block regex with linear fence scanning to avoid polynomial ReDoS on uncontrolled agent output.
  • Preserves the existing last-code-block-first parse order, JSON validation, label filtering, and tail fallback behavior.

Verification

N/A; parser-only change with no manual UI flow.

Visual Changes

N/A

Reviewer Notes

@kilo-code-bot kilo-code-bot Bot requested a review from RSO June 9, 2026 09:36

while (lineStartIndex < text.length) {
const lineEndIndex = text.indexOf('\n', lineStartIndex);
const line = text.substring(lineStartIndex, lineEndIndex === -1 ? text.length : lineEndIndex);

kilo-code-bot (Contributor Author)

WARNING: Windows \r\n line endings are not stripped — extracted JSON content will contain trailing \r on every line, breaking JSON.parse.

The old regex used \r?\n at both boundaries to strip carriage returns. Here, text.substring(..., lineEndIndex) keeps the \r before the \n, so when the extracted block content is passed to JSON.parse it will fail on Windows-generated or mixed-EOL text.

Fix: strip the trailing \r from each line:

Suggested change
const line = text.substring(lineStartIndex, lineEndIndex === -1 ? text.length : lineEndIndex);
const line = text.substring(lineStartIndex, lineEndIndex === -1 ? text.length : lineEndIndex).replace(/\r$/, '');

const line = text.substring(lineStartIndex, lineEndIndex === -1 ? text.length : lineEndIndex);
const leadingWhitespaceLength = line.length - line.trimStart().length;

if (line.startsWith('```', leadingWhitespaceLength)) {

kilo-code-bot (Contributor Author)

WARNING: The check line.startsWith('```', leadingWhitespaceLength) matches any line whose trimmed content begins with three backticks — including ```end, ```json, ``` some text, etc. This means a non-closing fence (e.g. a nested opening fence or an annotated fence) would be incorrectly treated as the closing fence, causing the block content to be truncated early.

The old regex implicitly required the closing fence to consist of only backticks (possibly with surrounding whitespace). The fix is to require the remainder of the line after the backticks to be empty:

Suggested change
if (line.startsWith('```', leadingWhitespaceLength)) {
if (line.trimStart().startsWith('```') && line.trimStart().slice(3).trim() === '') {

@kilo-code-bot kilo-code-bot Bot commented Jun 9, 2026 (Contributor Author)

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Executive Summary

The linear fence scanner correctly eliminates the ReDoS risk but introduces two edge-case regressions: incorrect closing-fence detection on lines with trailing content, and loss of \r stripping on Windows/mixed-EOL input that will break downstream JSON.parse.

Overview

Severity     Count
CRITICAL     0
WARNING      2
SUGGESTION   0
Issue Details

WARNING

File: services/auto-triage-infra/src/parsers/classification-parser.ts, line 178
Issue: \r\n line endings not stripped — trailing \r bleeds into extracted JSON content, breaking JSON.parse on Windows-generated or mixed-EOL text

File: services/auto-triage-infra/src/parsers/classification-parser.ts, line 181
Issue: line.startsWith('```', leadingWhitespaceLength) matches any line starting with three backticks, including nested opening fences (```json) or annotated fences (```end), causing premature block termination
Files Reviewed (1 file)
  • services/auto-triage-infra/src/parsers/classification-parser.ts — 2 issues

Reviewed by claude-4.6-sonnet-20260217 · 399,127 tokens

Review guidance: REVIEW.md from base branch main
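As an added example (not code from this PR or from the auto-triage project), the following is a regex-free fence scanner that incorporates both fixes the review raises: stripping a trailing \r on CRLF input, and treating only a bare ``` line as a closing fence so that ```end or a nested ```json inside a block stays content. The last block found is parsed as JSON, in the last-code-block-first spirit of the parser; the function names and the sample agent output are constructed for illustration.

```typescript
// Added example (not the PR's code): linear scanner returning the content of
// the LAST fenced code block in `text`, with the two review edge cases handled.
function extractLastFencedBlock(text: string): string | null {
  let lastBlock: string | null = null;
  let inFence = false;
  let blockLines: string[] = [];
  let lineStart = 0;

  while (lineStart < text.length) {
    const nl = text.indexOf('\n', lineStart);
    const lineEnd = nl === -1 ? text.length : nl;
    let line = text.substring(lineStart, lineEnd);
    // Issue 1: drop a trailing \r so CRLF input does not leak \r into the block.
    if (line.endsWith('\r')) line = line.slice(0, -1);
    const trimmed = line.trimStart();

    if (trimmed.startsWith('```')) {
      const afterTicks = trimmed.slice(3).trim();
      if (!inFence) {
        inFence = true;          // opening fence; may carry an info string (```json)
        blockLines = [];
      } else if (afterTicks === '') {
        inFence = false;         // Issue 2: only a bare ``` closes the block
        lastBlock = blockLines.join('\n');
      } else {
        blockLines.push(line);   // ```end or a nested ```json is content, not a close
      }
    } else if (inFence) {
      blockLines.push(line);
    }
    lineStart = nl === -1 ? text.length : nl + 1;
  }
  return lastBlock; // an unterminated fence yields no block
}

// Parses the last block as a JSON object; returns null on any failure.
function parseClassification(text: string): Record<string, unknown> | null {
  const block = extractLastFencedBlock(text);
  if (block === null) return null;
  try {
    const parsed: unknown = JSON.parse(block);
    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return null;
    return parsed as Record<string, unknown>;
  } catch {
    return null;
  }
}

// Constructed sample agent output: CRLF line endings plus a prose tail.
const SAMPLE = 'Reasoning...\r\n```json\r\n{"labels": ["bug"],\r\n "confidence": 0.9}\r\n```\r\nDone.\r\n';
```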
