From 70f679f73122ec8fd0f3fcc13afb4fb1b6d60879 Mon Sep 17 00:00:00 2001 From: haseeb-heaven <11544739+haseeb-heaven@users.noreply.github.com> Date: Mon, 15 Jun 2026 12:14:55 +0000 Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20Bolt:=20[performance=20improvement]?= =?UTF-8?q?=20Pre-compiled=20safety=20regexes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-compiled all regular expression patterns in `ExecutionSafetyManager` as class attributes to bypass the internal lookup overhead of the `re` module's cache during repeated evaluation in tight code blocks. --- .jules/bolt.md | 3 ++ libs/safety_manager.py | 68 +++++++++++++++++++++++++----------------- 2 files changed, 44 insertions(+), 27 deletions(-) create mode 100644 .jules/bolt.md diff --git a/.jules/bolt.md b/.jules/bolt.md new file mode 100644 index 0000000..da28b51 --- /dev/null +++ b/.jules/bolt.md @@ -0,0 +1,3 @@ +## 2024-05-24 - Pre-compiling Regexes inside Python Class Bodies +**Learning:** Re-compiling regexes internally inside tight loops like safety checks degrades performance, caching them directly bypasses the `re` internal cache lookup. However, list comprehensions inside a class body don't have access to class scope variables, causing a NameError. +**Action:** Use a generator expression converted to a tuple (e.g., `tuple(re.compile(p) for p in _PATTERNS)`) instead of list comprehensions when pre-compiling regexes as class attributes. diff --git a/libs/safety_manager.py b/libs/safety_manager.py index 1da4b28..cfccaf5 100644 --- a/libs/safety_manager.py +++ b/libs/safety_manager.py @@ -180,6 +180,35 @@ class ExecutionSafetyManager: r"\bbash\b", ] + _COMPILED_WRITE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS) + _COMPILED_WRITE_ON_HANDLE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS) + _COMPILED_SENSITIVE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES) + _COMPILED_DESTRUCTIVE_PATTERNS = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS) + _COMPILED_SHELL_PATTERNS = tuple(re.compile(p) for p in _SHELL_PATTERNS) + + _COMPILED_WINDOWS_DRIVE = re.compile(r"[a-z]:[\\/]") + _COMPILED_QUOTED_POSIX = re.compile(r"""["']/[^"'\s]""") + + _POSIX_SYSTEM_PREFIXES_LIST = [ + r"/etc/\w+", + r"/tmp/\w+", + r"/var/\w+", + r"/usr/\w+", + r"/root/\w+", + r"/home/\w+/", + r"/proc/\w+", + r"/sys/\w+", + r"/dev/\w+", + r"/boot/\w+", + r"/opt/\w+", + r"/mnt/\w+", + r"/media/\w+", + ] + _COMPILED_POSIX_SYSTEM_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _POSIX_SYSTEM_PREFIXES_LIST) + _COMPILED_OPEN_ARGS = re.compile(r"open\s*\(\s*([\"'][^\"']+[\"'])", re.IGNORECASE) + _COMPILED_WINDOWS_DRIVE_EXACT = re.compile(r"[a-zA-Z]:[\\/]") + _COMPILED_WINDOWS_RD_DELETE = re.compile(r"\brd\s+/s\s+/q\b") + def __init__(self, unsafe_mode: bool = False): self.unsafe_mode = unsafe_mode @@ -228,7 +257,7 @@ def _has_write_operation(self, code: str) -> bool: """Return True if *code* contains any write operation that must be blocked in SAFE mode. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE_PATTERNS) # ========================= # WRITE-ON-HANDLE DETECTION @@ -240,7 +269,7 @@ def _has_write_on_handle(self, code: str) -> bool: """Return True if *code* calls .write() on any object (handle check). This is intentionally only evaluated when an absolute path is present. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS) + return any(p.search(code) for p in self._COMPILED_WRITE_ON_HANDLE_PATTERNS) # ========================= # HOST ABSOLUTE PATH CHECK @@ -248,44 +277,29 @@ def _has_write_on_handle(self, code: str) -> bool: def _is_host_absolute_path(self, code: str) -> bool: """Return True if *code* references a host absolute path.""" # Windows drive-letter path - if re.search(r"[a-z]:[\\/]", code.lower()): + if self._COMPILED_WINDOWS_DRIVE.search(code.lower()): return True # Quoted POSIX absolute path: '/...' or "/..." - if re.search(r"""["']/[^"'\s]""", code): + if self._COMPILED_QUOTED_POSIX.search(code): return True # Unquoted well-known POSIX system directory prefixes - _posix_system_prefixes = [ - r"/etc/\w+", - r"/tmp/\w+", - r"/var/\w+", - r"/usr/\w+", - r"/root/\w+", - r"/home/\w+/", - r"/proc/\w+", - r"/sys/\w+", - r"/dev/\w+", - r"/boot/\w+", - r"/opt/\w+", - r"/mnt/\w+", - r"/media/\w+", - ] - if any(re.search(p, code, re.IGNORECASE) for p in _posix_system_prefixes): + if any(p.search(code) for p in self._COMPILED_POSIX_SYSTEM_PREFIXES): return True # open() call whose first positional argument is an absolute path string - open_args = re.findall(r"open\s*\(\s*([\"'][^\"']+[\"'])", code, re.IGNORECASE) + open_args = self._COMPILED_OPEN_ARGS.findall(code) for arg in open_args: path = arg.strip("'\"") - if path.startswith("/") or re.match(r"[a-zA-Z]:[\\/]", path): + if path.startswith("/") or self._COMPILED_WINDOWS_DRIVE_EXACT.match(path): return True return False def _is_sensitive_posix_path(self, code: str) -> bool: """Return True if *code* references a sensitive POSIX system path.""" - return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES) + return any(p.search(code) for p in self._COMPILED_SENSITIVE_POSIX_PREFIXES) # ========================= # MAIN CHECK @@ -297,7 +311,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: code_lower = code.lower() # HARD BLOCK WINDOWS RECURSIVE DELETE (CRITICAL FIX) - if re.search(r"\brd\s+/s\s+/q\b", code_lower): + if self._COMPILED_WINDOWS_RD_DELETE.search(code_lower): return Decision(False, ["Recursive deletion is blocked."]) # UNSAFE MODE - still detect dangerous operations but allow with warnings @@ -326,7 +340,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # (shutdown, reboot, mkfs, dd, format, diskpart) in addition to # filesystem deletes. # ========================= - if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS): return Decision(False, ["Destructive operation blocked."]) # ========================= @@ -334,7 +348,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead # of plain substring `in` check to avoid false positives. # ========================= - if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS): + if any(p.search(code_lower) for p in self._COMPILED_SHELL_PATTERNS): return Decision(False, ["Shell execution is blocked."]) # ========================= @@ -370,7 +384,7 @@ def is_dangerous_operation(self, code: str) -> bool: if not code or not code.strip(): return False code_lower = code.lower() - return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS) + return any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS) # ========================= # ARTIFACT EXPORT