diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1d0635ef..52417653 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -21,6 +21,7 @@ on:
 jobs:
 lint:
 runs-on: ubuntu-24.04
+ timeout-minutes: 10
 strategy:
 fail-fast: false
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..0c4b7309
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,11 @@
+# Agents
+
+Detailed guidance for AI agents working on this codebase.
+
+## Policy
+
+- No unicode. All files must be ASCII-only.
+
+## Reference
+
+- [stdisplay](agents/stdisplay-security.md)
diff --git a/agents/stdisplay-security.md b/agents/stdisplay-security.md
new file mode 100644
index 00000000..5851601c
--- /dev/null
+++ b/agents/stdisplay-security.md
@@ -0,0 +1,9 @@
+# stdisplay
+
+## Line-based vs whole-input processing
+
+`stcat`/`stcatn`/`sttee` sanitize line-by-line (streaming, like their Unix
+counterparts). `stsponge` sanitizes the whole input at once (sponge semantics).
+These are equivalent because no allowed escape sequence can contain `\n` -- SGR
+is composed solely of digits, semicolons, colons, and the `m` terminator. This
+is inherent to the SGR spec, documented in the man page (`man/stdisplay.1.ronn`).
diff --git a/usr/lib/python3/dist-packages/stdisplay/stdisplay.py b/usr/lib/python3/dist-packages/stdisplay/stdisplay.py
index 1446a084..3896858e 100644
--- a/usr/lib/python3/dist-packages/stdisplay/stdisplay.py
+++ b/usr/lib/python3/dist-packages/stdisplay/stdisplay.py
@@ -229,7 +229,7 @@ def get_sgr_pattern(
 sgr_combo = rf"({sgr_combo})"
 if exclude_sgr:
 sgr_combo = exclude_pattern(sgr_combo, exclude_sgr)
- sgr_re = rf"(;*({sgr_combo})?(;+{sgr_combo})*)?;*m"
+ sgr_re = rf";*({sgr_combo}(;+{sgr_combo})*;*)?m"
 return str(sgr_re)
diff --git a/usr/lib/python3/dist-packages/stdisplay/sttee.py b/usr/lib/python3/dist-packages/stdisplay/sttee.py
index f5f402c8..83502709 100644
--- a/usr/lib/python3/dist-packages/stdisplay/sttee.py
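Review bot: The rewritten `sgr_re` line in `get_sgr_pattern` (the stdisplay.py hunk) comes with no regression test in this diff; the only change to `tests/stdisplay.py` removes a blank line. This pattern decides which SGR sequences the sanitizer passes through, so the rewrite should be pinned by cases that exercise empty parameters: the `m` terminator alone, leading, repeated and trailing `;` around a parameter, and a long run of `;` without `m`, which should not match. As far as I can tell both forms accept the same strings, and the new one removes the overlap between the leading `;*`, the `(;+...)*` group and the trailing `;*` that let failed matches backtrack, but that intent is not stated; a comment above the line would record it, such as `# ';*' stays outside the optional group so a run of empty parameters has only one way to match`. The body of `get_sgr_pattern` starts before this hunk, so how the returned pattern is anchored by its callers is not visible here.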
+++ b/usr/lib/python3/dist-packages/stdisplay/sttee.py
@@ -5,6 +5,7 @@
 ## See the file COPYING for copying conditions.
 """Safely print stdin to stdout and file."""
+
 from sys import argv, stdin, stdout
 from typing import TextIO
 from stdisplay.stdisplay import stdisplay
diff --git a/usr/lib/python3/dist-packages/stdisplay/tests/stdisplay.py b/usr/lib/python3/dist-packages/stdisplay/tests/stdisplay.py
index ae986e9d..fabb5bbe 100644
--- a/usr/lib/python3/dist-packages/stdisplay/tests/stdisplay.py
+++ b/usr/lib/python3/dist-packages/stdisplay/tests/stdisplay.py
@@ -17,7 +17,6 @@
 stdisplay,
 )
-
 ## This is split into a global so it can be used by sanitize_string.py's tests.
 simple_escape_cases: list[tuple[str, str]] = [
 ("\a", "_"),