fix(edges): unbound k8s label/selector regex repetition (CompiledTooBig)

nikolay-e · nikolay-e · commit 4d0baffe6dc3 · 2026-06-14T00:00:11.000+02:00
Nested bounded Unicode-class repetition compiled past regex's default 10 MiB limit, so the first workload manifest forcing the Lazy static aborted the whole --diff run on any k8s repo. Unbound the value class ([^\n:]{1,200} -> [^\n:]+) in the 3 label/selector patterns; matching is unchanged (regex is linear-time, no ReDoS). Add a regression test forcing every k8s regex to compile, plus a selector-edge YAML case. Also: drop unused/contradictory TREE_SITTER_LANGUAGES map; drop .sass (recognized but had no parser -> zero fragments); align MCP get_diff_context tau default with the documented CLI default (0.08, not engine 0.12). Fixes #58
diff --git a/diffctx/src/edges/config_edges/kubernetes.rs b/diffctx/src/edges/config_edges/kubernetes.rs
@@ -41,12 +41,11 @@ static IMAGE_RE: Lazy<Regex> =
     Lazy::new(|| Regex::new(r##"(?m)^\s{1,20}image:\s?['"]?([^'"#\n]{1,300})"##).unwrap());
 
 static SELECTOR_MATCH_LABELS_RE: Lazy<Regex> = Lazy::new(|| {
-    Regex::new(r"(?m)selector:\s?\n\s{1,20}matchLabels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})")
+    Regex::new(r"(?m)selector:\s?\n\s{1,20}matchLabels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]+\n){1,50})")
         .unwrap()
 });
 static LABELS_RE: Lazy<Regex> = Lazy::new(|| {
-    Regex::new(r"(?m)labels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})")
-        .unwrap()
+    Regex::new(r"(?m)labels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]+\n){1,50})").unwrap()
 });
 static LABEL_PAIR_RE: Lazy<Regex> = Lazy::new(|| {
     Regex::new(
@@ -55,7 +54,7 @@ static LABEL_PAIR_RE: Lazy<Regex> = Lazy::new(|| {
     .unwrap()
 });
 static SIMPLE_SELECTOR_RE: Lazy<Regex> = Lazy::new(|| {
-    Regex::new(r"(?m)selector:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})")
+    Regex::new(r"(?m)selector:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]+\n){1,50})")
         .unwrap()
 });
 
@@ -515,3 +514,39 @@ impl EdgeBuilder for KubernetesEdgeBuilder {
         discovered
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // Regression for issue #58: these label/selector patterns nest a Unicode
+    // negated class under bounded repetition, which compiled past regex's
+    // default 10 MiB size limit and made `.unwrap()` abort the whole process
+    // the first time a workload manifest forced the Lazy static. Forcing every
+    // k8s regex here fails CI on any future reintroduction instead of a user.
+    #[test]
+    fn all_kubernetes_regexes_compile() {
+        for re in [
+            &*K8S_API_VERSION_RE,
+            &*K8S_KIND_RE,
+            &*K8S_METADATA_NAME_RE,
+            &*K8S_NAME_RE,
+            &*CONFIGMAP_REF_RE,
+            &*CONFIGMAP_NAME_RE,
+            &*SECRET_REF_RE,
+            &*SECRET_NAME_RE,
+            &*SERVICE_NAME_RE,
+            &*BACKEND_SERVICE_RE,
+            &*IMAGE_RE,
+            &*SELECTOR_MATCH_LABELS_RE,
+            &*LABELS_RE,
+            &*LABEL_PAIR_RE,
+            &*SIMPLE_SELECTOR_RE,
+            &*VOLUME_CONFIGMAP_RE,
+            &*VOLUME_SECRET_RE,
+            &*VOLUME_PVC_RE,
+        ] {
+            let _ = re.is_match("x");
+        }
+    }
+}
diff --git a/diffctx/src/languages.rs b/diffctx/src/languages.rs
@@ -25,7 +25,6 @@ pub static EXTENSION_TO_LANGUAGE: Lazy<FxHashMap<&'static str, &'static str>> =
         (".htm", "html"),
         (".css", "css"),
         (".scss", "scss"),
-        (".sass", "sass"),
         (".less", "less"),
         (".xml", "xml"),
         (".svg", "xml"),
@@ -211,97 +210,6 @@ pub static FILENAME_TO_LANGUAGE: Lazy<FxHashMap<&'static str, &'static str>> = L
     map
 });
 
-pub static TREE_SITTER_LANGUAGES: Lazy<FxHashMap<&'static str, &'static str>> = Lazy::new(|| {
-    let entries: &[(&str, &str)] = &[
-        (".py", "python"),
-        (".pyw", "python"),
-        (".pyi", "python"),
-        (".js", "javascript"),
-        (".jsx", "jsx"),
-        (".mjs", "javascript"),
-        (".cjs", "javascript"),
-        (".ts", "typescript"),
-        (".tsx", "tsx"),
-        (".mts", "typescript"),
-        (".cts", "typescript"),
-        (".go", "go"),
-        (".rs", "rust"),
-        (".java", "java"),
-        (".c", "c"),
-        (".h", "c"),
-        (".cpp", "cpp"),
-        (".hpp", "cpp"),
-        (".cc", "cpp"),
-        (".cxx", "cpp"),
-        (".hh", "cpp"),
-        (".hxx", "cpp"),
-        (".c++", "cpp"),
-        (".h++", "cpp"),
-        (".ipp", "cpp"),
-        (".tpp", "cpp"),
-        (".rb", "ruby"),
-        (".rake", "ruby"),
-        (".gemspec", "ruby"),
-        (".cs", "c_sharp"),
-        (".php", "php"),
-        (".phtml", "php"),
-        (".scala", "scala"),
-        (".sc", "scala"),
-        (".swift", "swift"),
-        (".html", "html"),
-        (".htm", "html"),
-        (".sh", "bash"),
-        (".bash", "bash"),
-        (".zsh", "bash"),
-        (".ksh", "bash"),
-        (".css", "css"),
-        (".scss", "css"),
-        (".less", "css"),
-        (".hs", "haskell"),
-        (".lhs", "haskell"),
-        (".ex", "elixir"),
-        (".exs", "elixir"),
-        (".lua", "lua"),
-        (".r", "r"),
-        (".ml", "ocaml"),
-        (".mli", "ocaml"),
-        (".erl", "erlang"),
-        (".hrl", "erlang"),
-        (".jl", "julia"),
-        (".zig", "zig"),
-        (".clj", "clojure"),
-        (".cljs", "clojure"),
-        (".cljc", "clojure"),
-        (".nix", "nix"),
-        (".groovy", "groovy"),
-        (".gradle", "groovy"),
-        (".m", "objc"),
-        (".mm", "objc"),
-        (".dart", "dart"),
-        (".graphql", "graphql"),
-        (".gql", "graphql"),
-        (".tex", "latex"),
-        (".latex", "latex"),
-        (".sty", "latex"),
-        (".cls", "latex"),
-        (".prisma", "prisma"),
-        (".svelte", "svelte"),
-        (".tf", "hcl"),
-        (".hcl", "hcl"),
-        (".json", "json"),
-        (".yaml", "yaml"),
-        (".yml", "yaml"),
-        (".cmake", "cmake"),
-        (".mk", "make"),
-    ];
-
-    let mut map = FxHashMap::with_capacity_and_hasher(entries.len(), Default::default());
-    for &(ext, lang) in entries {
-        map.insert(ext, lang);
-    }
-    map
-});
-
 pub fn get_language_for_file(path: &str) -> Option<&'static str> {
     let p = Path::new(path);
 
diff --git a/src/diffctx/mcp/server.py b/src/diffctx/mcp/server.py
@@ -15,6 +15,12 @@
 
 logger = logging.getLogger(__name__)
 
+# Keep in sync with diffctx.cli._DEFAULT_TAU. The layering contract forbids
+# mcp -> cli, so this user-facing default is duplicated rather than imported.
+# Without it, build_diff_context falls back to the engine default (0.12),
+# silently selecting less context than the documented CLI default.
+_DEFAULT_TAU = 0.08
+
 mcp = FastMCP("diffctx")
 
 _DIFF_DESCRIPTION = (
@@ -47,6 +53,7 @@ async def get_diff_context(
                 root_dir=validated_path,
                 diff_range=diff_range,
                 budget_tokens=budget_tokens,
+                tau=_DEFAULT_TAU,
             )
         )
     except GitError as e:
diff --git a/tests/cases/diff/kubernetes_001_selector_edge_pulls_workload.yaml b/tests/cases/diff/kubernetes_001_selector_edge_pulls_workload.yaml
@@ -0,0 +1,106 @@
+name: kubernetes_001_selector_edge_pulls_workload
+tags:
+- lang:yaml
+- domain:kubernetes
+- change:single_file
+- context:cross_file
+- distance:1hop
+- difficulty:medium
+- regression:issue_58_compiledtoobig
+fixtures:
+  auto_garbage: true
+repo:
+  initial_files:
+    k8s/deployment.yaml: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: web
+      spec:
+        selector:
+          matchLabels:
+            app: web
+        template:
+          metadata:
+            labels:
+              app: web
+              tier: frontend
+          spec:
+            containers:
+            - name: web
+              image: nginx:1.25
+              envFrom:
+              - configMapRef:
+                  name: web-config
+    k8s/service.yaml: |
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: web
+      spec:
+        selector:
+          app: web
+        ports:
+        - port: 80
+          targetPort: 8080
+    k8s/configmap.yaml: |
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: web-config
+      data:
+        LOG_LEVEL: info
+  changed_files:
+    k8s/deployment.yaml: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: web
+      spec:
+        selector:
+          matchLabels:
+            app: web
+        template:
+          metadata:
+            labels:
+              app: web
+              tier: frontend
+          spec:
+            containers:
+            - name: web
+              image: nginx:1.25
+              envFrom:
+              - configMapRef:
+                  name: web-config
+    k8s/service.yaml: |
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: web
+      spec:
+        selector:
+          app: web
+        ports:
+        - port: 8080
+          targetPort: 8080
+    k8s/configmap.yaml: |
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: web-config
+      data:
+        LOG_LEVEL: info
+  commit_message: change service port
+fragments:
+- id: deployment_via_selector
+  selector:
+    path: k8s/deployment.yaml
+    anchor: 'tier: frontend'
+- id: service_seed
+  selector:
+    path: k8s/service.yaml
+oracle:
+  required:
+  - deployment_via_selector
+  allowed: []
+  forbidden: []
