Reverted in 1280544 — the input lists are bounded by the number of phrase patterns (5 disclosure + 5 jailbreak), so even with multiple matches per pattern you get a few dozen comparisons at most. The sorted-scan version allocated tuples, sorted, and had tricky tag-tracking logic that was harder to verify correct. Not worth the complexity.
Replaced with an O(n log n) sorted-scan in 6d8c4d6. Sorts all match positions from both lists, then does a single linear pass tracking the last seen tag — cross-tag transitions give the gap. Early-exits on overlap or once below the 500-char threshold.
Good call — the token detector already runs separately on outbound, so re-checking inside the injection detector was redundant. Reworked in abcb336:
Agreed — the runtime route-mutation path (egress_apply / egress-block tool) predates the current manifest model and the ergonomics have been overtaken by it. Your three points are exactly right: ephemeral changes are invisible, the merge logic is complex to maintain, and auto-approve risk is real.
Got it — hard cutover, no compatibility shim, no fallback parsing for the old path_allowlist shape.