From 7625339b5a17980c5dd855afacf2f6bff015c3bf Mon Sep 17 00:00:00 2001
From: haseeb-heaven <11544739+haseeb-heaven@users.noreply.github.com>
Date: Sun, 21 Jun 2026 11:50:12 +0000
Subject: [PATCH] Refactor: Pre-compile safety manager regex patterns
Pre-compiles all heavily-used regex patterns (`_WRITE_PATTERNS`, `_DESTRUCTIVE_PATTERNS`, etc.) into `re.Pattern` object tuples at the class level instead of compiling them on the fly during string checking. This bypasses the overhead of Python's internal `re` module cache lookup during repeated safety checks (`assess_execution`).
---
 .jules/bolt.md | 3 +++
 libs/safety_manager.py | 18 ++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 .jules/bolt.md
diff --git a/.jules/bolt.md b/.jules/bolt.md
new file mode 100644
index 0000000..44cda91
--- /dev/null
+++ b/.jules/bolt.md
@@ -0,0 +1,3 @@
+## 2024-06-21 - Pre-compiling regexes for tight loops
+**Learning:** Bypassing `re` module cache lookup by directly executing pre-compiled `re.Pattern` objects (`p.search(text)`) instead of `re.search(p, text)` yields measurable performance improvements in safety-critical tight loops, particularly inside `any()` comprehensions.
+**Action:** Use `tuple(re.compile(p, re.IGNORECASE) for p in _PATTERNS)` inside class definitions to compile regex sets ahead of time, ensuring optimal performance for security and safety assessments.
diff --git a/libs/safety_manager.py b/libs/safety_manager.py
index 1da4b28..ef0935f 100644
--- a/libs/safety_manager.py
+++ b/libs/safety_manager.py
@@ -180,6 +180,12 @@ class ExecutionSafetyManager:
 r"\bbash\b",
 ]
+ _COMPILED_WRITE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS)
+ _COMPILED_WRITE_ON_HANDLE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS)
+ _COMPILED_SENSITIVE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES)
+ _COMPILED_DESTRUCTIVE_PATTERNS = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS)
+ _COMPILED_SHELL_PATTERNS = tuple(re.compile(p) for p in _SHELL_PATTERNS)
+
 def __init__(self, unsafe_mode: bool = False):
 self.unsafe_mode = unsafe_mode
@@ -228,7 +234,7 @@ def _has_write_operation(self, code: str) -> bool:
 """Return True if *code* contains any write operation that must be blocked in SAFE mode. """
- return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS)
+ return any(p.search(code) for p in self._COMPILED_WRITE_PATTERNS)
 # =========================
 # WRITE-ON-HANDLE DETECTION
@@ -240,7 +246,7 @@ def _has_write_on_handle(self, code: str) -> bool:
 """Return True if *code* calls .write() on any object (handle check). This is intentionally only evaluated when an absolute path is present. """
- return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS)
+ return any(p.search(code) for p in self._COMPILED_WRITE_ON_HANDLE_PATTERNS)
 # =========================
 # HOST ABSOLUTE PATH CHECK
@@ -285,7 +291,7 @@ def _is_host_absolute_path(self, code: str) -> bool:
 def _is_sensitive_posix_path(self, code: str) -> bool:
 """Return True if *code* references a sensitive POSIX system path."""
- return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES)
+ return any(p.search(code) for p in self._COMPILED_SENSITIVE_POSIX_PREFIXES)
 # =========================
 # MAIN CHECK
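Review bot: The five `_COMPILED_*` tuples are built once, at class-definition time, from the base class's raw lists, so those lists stop being the source of truth for `_has_write_operation`, `_has_write_on_handle` and `_is_sensitive_posix_path` (and for the destructive and shell checks in the later hunks). Before this change each check read `self._WRITE_PATTERNS` and its siblings on every call, so a subclass overriding a list, or code appending a pattern at runtime, was honoured; now such an addition is silently ignored and the check passes code it was meant to block. Whether anything in the project does that is not visible here, but the raw definitions are mutable lists (the `]` context line), so the coupling should be made explicit: either turn the raw lists into tuples and add a comment such as `# Compiled once at class creation; edit the raw list above, never at runtime`, or recompile the tuples in `__init_subclass__`. The class body starts and continues outside this hunk.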
@@ -326,7 +332,7 @@ def assess_execution(self, code: str, mode: str) -> Decision:
 # (shutdown, reboot, mkfs, dd, format, diskpart) in addition to
 # filesystem deletes.
 # =========================
- if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS):
+ if any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS):
 return Decision(False, ["Destructive operation blocked."])
 # =========================
@@ -334,7 +340,7 @@ def assess_execution(self, code: str, mode: str) -> Decision:
 # BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead
 # of plain substring `in` check to avoid false positives.
 # =========================
- if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS):
+ if any(p.search(code_lower) for p in self._COMPILED_SHELL_PATTERNS):
 return Decision(False, ["Shell execution is blocked."])
 # =========================
@@ -370,7 +376,7 @@ def is_dangerous_operation(self, code: str) -> bool:
 if not code or not code.strip():
 return False
 code_lower = code.lower()
- return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS)
+ return any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS)
 # =========================
 # ARTIFACT EXPORT
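Review bot: `_COMPILED_DESTRUCTIVE_PATTERNS` and `_COMPILED_SHELL_PATTERNS` are compiled without `re.IGNORECASE`, so the checks in `assess_execution` and `is_dangerous_operation` are case-insensitive only because each call site passes `code_lower`. That invariant now sits roughly 150 lines away from the definition, and a later caller that runs these tuples against raw `code` would miss mixed-case input without any error. Compiling them like the other three, `tuple(re.compile(p, re.IGNORECASE) for p in _DESTRUCTIVE_PATTERNS)`, removes the dependency and should not change results if the patterns are all lowercase (not verifiable from these hunks). If the case-sensitive compile is deliberate, record it at the definition with a comment such as `# matched against code.lower(); keep patterns lowercase`. Both functions start and end outside the hunks shown.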