diff --git a/.jules/bolt.md b/.jules/bolt.md new file mode 100644 index 00000000..cd2df658 --- /dev/null +++ b/.jules/bolt.md @@ -0,0 +1,3 @@ +## 2024-05-24 - Pre-compile Regex Patterns for Performance +**Learning:** Python's `re` module internally caches compiled regex patterns, but bypassing this cache lookup by directly executing pre-compiled `re.Pattern` objects (e.g., `p.search(text)`) yields measurable performance improvements in tight loops, especially in safety-critical code executed frequently like `ExecutionSafetyManager.assess_execution`. +**Action:** When repeatedly applying multiple regex patterns (like in list comprehensions with `any()`), pre-compile them into a tuple of `re.Pattern` objects as class-level attributes using generator expressions. Note that list comprehensions inside a class body don't have access to the class's scope in Python 3, so a generator expression like `tuple(re.compile(p) for p in _PATTERNS)` is required. diff --git a/libs/safety_manager.py b/libs/safety_manager.py index 1da4b289..ffa96f85 100644 --- a/libs/safety_manager.py +++ b/libs/safety_manager.py @@ -180,6 +180,13 @@ class ExecutionSafetyManager: r"\bbash\b", ] + # Pre-compiled regex patterns for performance optimization + _WRITE_PATTERNS_COMPILED = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS) + _WRITE_ON_HANDLE_PATTERNS_COMPILED = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS) + _SENSITIVE_POSIX_PREFIXES_COMPILED = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES) + _DESTRUCTIVE_PATTERNS_COMPILED = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS) + _SHELL_PATTERNS_COMPILED = tuple(re.compile(p) for p in _SHELL_PATTERNS) + def __init__(self, unsafe_mode: bool = False): self.unsafe_mode = unsafe_mode @@ -228,7 +235,7 @@ def _has_write_operation(self, code: str) -> bool: """Return True if *code* contains any write operation that must be blocked in SAFE mode. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS) + return any(p.search(code) for p in self._WRITE_PATTERNS_COMPILED) # ========================= # WRITE-ON-HANDLE DETECTION @@ -240,7 +247,7 @@ def _has_write_on_handle(self, code: str) -> bool: """Return True if *code* calls .write() on any object (handle check). This is intentionally only evaluated when an absolute path is present. """ - return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS) + return any(p.search(code) for p in self._WRITE_ON_HANDLE_PATTERNS_COMPILED) # ========================= # HOST ABSOLUTE PATH CHECK @@ -285,7 +292,7 @@ def _is_host_absolute_path(self, code: str) -> bool: def _is_sensitive_posix_path(self, code: str) -> bool: """Return True if *code* references a sensitive POSIX system path.""" - return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES) + return any(p.search(code) for p in self._SENSITIVE_POSIX_PREFIXES_COMPILED) # ========================= # MAIN CHECK @@ -326,7 +333,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # (shutdown, reboot, mkfs, dd, format, diskpart) in addition to # filesystem deletes. # ========================= - if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS): + if any(p.search(code_lower) for p in self._DESTRUCTIVE_PATTERNS_COMPILED): return Decision(False, ["Destructive operation blocked."]) # ========================= @@ -334,7 +341,7 @@ def assess_execution(self, code: str, mode: str) -> Decision: # BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead # of plain substring `in` check to avoid false positives. # ========================= - if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS): + if any(p.search(code_lower) for p in self._SHELL_PATTERNS_COMPILED): return Decision(False, ["Shell execution is blocked."]) # ========================= @@ -370,7 +377,7 @@ def is_dangerous_operation(self, code: str) -> bool: if not code or not code.strip(): return False code_lower = code.lower() - return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS) + return any(p.search(code_lower) for p in self._DESTRUCTIVE_PATTERNS_COMPILED) # ========================= # ARTIFACT EXPORT