fix(skills): add depth limits to recursive PowerPoint processing functions

[WilliamBerryiii]

Description

Added depth guards to all recursive call chains in the PowerPoint skill to address CWE-674 (Uncontrolled Recursion). Three production modules — extract_content.py, build_deck.py, and pptx_colors.py — gained configurable _depth and max_depth keyword-only parameters that raise ValueError when nesting exceeds safe limits. A previously missing "group" dispatch in build_element_in_group was fixed alongside the security hardening.

Security Hardening — Recursive Depth Guards

Each recursive path now tracks depth with a consistent guard pattern:

• Group nesting in extract_content.py — extract_group, _extract_shape_by_type, and extract_child_shape respect MAX_GROUP_DEPTH = 20.
• Theme reference resolution in extract_content.py — _resolve_theme_refs_in_content inner resolve_value respects MAX_THEME_REF_DEPTH = 50.
• Group nesting in build_deck.py — add_group_element and build_element_in_group respect MAX_GROUP_DEPTH = 20.
• Color resolution in pptx_colors.py — resolve_color respects MAX_COLOR_DEPTH = 10.

Bug Fix — Missing Group Dispatch

• build_element_in_group previously had no handler for elem_type == "group", causing nested group shapes to be silently dropped. Added an elif branch that delegates to add_group_element with depth propagation.

Test Coverage

Nine new tests validated the depth-limit behavior and confirmed normal nesting still works:

• test_build_deck.py — 3 tests covering depth-limit raises, nested groups within limits, and group dispatch in build_element_in_group.
• test_extract_content.py — 4 tests covering depth-limit raises and normal nesting for extract_group and _resolve_theme_refs_in_content.
• test_pptx_colors.py — 2 tests covering depth-limit raises on nested dicts and single-dict unwrap within limits.

Related Issue(s)

Closes #1015

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

Testing

All 540 existing tests continued to pass. Nine new unit tests verified depth-limit enforcement and confirmed that normal nesting within defined limits works correctly across all three modules. Tests ran via pytest with zero failures.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

• MAX_GROUP_DEPTH = 20 is defined independently in both build_deck.py and extract_content.py to avoid cross-module coupling. This is intentional for a skill-scoped codebase.
• _build_group_element explicitly passes _depth=0 rather than relying on the default, making the entry-point intent clear.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.92%. Comparing base (c50c7a3) to head (03c9501).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1028      +/-   ##
==========================================
- Coverage   86.02%   85.92%   -0.11%     
==========================================
  Files          30       30              
  Lines        5410     5428      +18     
==========================================
+ Hits         4654     4664      +10     
- Misses        756      764       +8     

Flag	Coverage Δ
pester	85.92% <ø> (-0.11%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.