diff --git a/.jules/bolt.md b/.jules/bolt.md new file mode 100644 index 0000000..3c4bc33 --- /dev/null +++ b/.jules/bolt.md @@ -0,0 +1,3 @@ +## 2025-02-23 - Pre-compiled Regular Expressions +**Learning:** Python's `re` module internally caches up to 512 compiled regex patterns, but bypassing this cache lookup by directly executing pre-compiled `re.Pattern` objects provides measurable performance improvements in tight loops like safety check validations. Storing them as a tuple of patterns defined via a generator expression avoids scoping issues in class definitions. +**Action:** Use pre-compiled regex `tuple`s at the class level instead of repeatedly calling `re.search()` inside list comprehensions or generators in high-frequency methods. diff --git a/libs/safety_manager.py b/libs/safety_manager.py index 1da4b28..62218de 100644 --- a/libs/safety_manager.py +++ b/libs/safety_manager.py @@ -180,6 +180,12 @@ class ExecutionSafetyManager: r"\bbash\b", ] + _COMPILED_WRITE = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS) + _COMPILED_WRITE_ON_HANDLE = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS) + _COMPILED_SENSITIVE_POSIX = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES) + _COMPILED_DESTRUCTIVE = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS) + _COMPILED_SHELL = tuple(re.compile(p) for p in _SHELL_PATTERNS) + def __init__(self, unsafe_mode: bool = False): self.unsafe_mode = unsafe_mode @@ -228,7 +234,7 @@ def _has_write_operation(self, code: str) -> bool: """Return True if *code* contains any write operation that must be blocked in SAFE mode. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE) # ========================= # WRITE-ON-HANDLE DETECTION @@ -240,7 +246,7 @@ def _has_write_on_handle(self, code: str) -> bool: """Return True if *code* calls .write() on any object (handle check). This is intentionally only evaluated when an absolute path is present. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE_ON_HANDLE) # ========================= # HOST ABSOLUTE PATH CHECK @@ -285,7 +291,7 @@ def _is_host_absolute_path(self, code: str) -> bool: def _is_sensitive_posix_path(self, code: str) -> bool: """Return True if *code* references a sensitive POSIX system path.""" - return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES) + return any(p.search(code) for p in self._COMPILED_SENSITIVE_POSIX) # ========================= # MAIN CHECK @@ -326,7 +332,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # (shutdown, reboot, mkfs, dd, format, diskpart) in addition to # filesystem deletes. # ========================= - if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE): return Decision(False, ["Destructive operation blocked."]) # ========================= @@ -334,7 +340,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead # of plain substring `in` check to avoid false positives. # ========================= - if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_SHELL): return Decision(False, ["Shell execution is blocked."]) # ========================= @@ -370,7 +376,7 @@ def is_dangerous_operation(self, code: str) -> bool: if not code or not code.strip(): return False code_lower = code.lower() - return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS) + return any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE) # ========================= # ARTIFACT EXPORT