Pre-compile regex patterns in ExecutionSafetyManager

haseeb-heaven · haseeb-heaven · commit 3f6a2f72cd51 · 2026-05-29T12:17:42.000Z
Convert static lists of raw string regex patterns to tuples of
pre-compiled `re.Pattern` objects (`re.compile`) to reduce overhead
during continuous `re.search` calls in `ExecutionSafetyManager`
methods.

This affects:
- `_WRITE_PATTERNS`
- `_WRITE_ON_HANDLE_PATTERNS`
- `_SENSITIVE_POSIX_PREFIXES`
- `_DESTRUCTIVE_PATTERNS`
- `_SHELL_PATTERNS`
diff --git a/.jules/bolt.md b/.jules/bolt.md
@@ -0,0 +1,3 @@
+## 2024-05-29 - Pre-compiling Regex Patterns for Performance
+**Learning:** In the `libs/safety_manager.py`, repeated string-based `re.search()` calls inside hot paths create significant overhead compared to using pre-compiled regex objects (`re.compile`). While building a massive combined `|` joined regex might theoretically be faster, in Python 3, pre-compiling individual patterns into a tuple of `re.Pattern` objects provides the most reliable and readable speedup for list comprehensions with `any()`.
+**Action:** Pre-compile regex lists as class attributes using `tuple(re.compile(p) for p in RAW_PATTERNS)` to optimize hot paths without sacrificing readability.
diff --git a/libs/safety_manager.py b/libs/safety_manager.py
@@ -4,7 +4,7 @@
 import shutil
 import tempfile
 from dataclasses import dataclass, field
-from typing import Dict, List, Optional
+from typing import Dict, Optional
 
 
 # =========================
@@ -74,7 +74,7 @@ class ExecutionSafetyManager:
 	# single-quoted raw strings  r'...'  so that ['"] is unambiguous.
 	# Using r"...['\""]..." caused the bare trailing `"` to prematurely close
 	# the outer double-quoted string → E999 SyntaxError at line 74.
-	_WRITE_PATTERNS = [
+	_WRITE_PATTERNS_RAW = [
 		# open() explicit write modes — text and binary variants with optional '+'
 		r'open\s*\([^)]*[\'"]w[btax]?\+?[\'"]',
 		r'open\s*\([^)]*[\'"]a[btx]?\+?[\'"]',
@@ -100,6 +100,7 @@ class ExecutionSafetyManager:
 		r'\.to_excel\s*\([^)]*[\'"/]',
 		r'\.to_parquet\s*\([^)]*[\'"/]',
 	]
+	_WRITE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS_RAW)
 
 	# BUG FIX (test_blocks_write_function_with_absolute_path):
 	# When code opens a file handle (any mode, including 'r') and then calls
@@ -108,19 +109,21 @@ class ExecutionSafetyManager:
 	# _WRITE_PATTERNS so it is only evaluated in the combined absolute-path
 	# write check — preventing false positives like sys.stdout.write() on
 	# purely relative / non-file code paths.
-	_WRITE_ON_HANDLE_PATTERNS = [
+	_WRITE_ON_HANDLE_PATTERNS_RAW = [
 		r"\.write\s*\(",
 	]
+	_WRITE_ON_HANDLE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS_RAW)
 
 	# Sensitive POSIX system path prefixes that are ALWAYS blocked (even for reads).
-	_SENSITIVE_POSIX_PREFIXES = [
+	_SENSITIVE_POSIX_PREFIXES_RAW = [
 		r"/etc/\w+",
 		r"/root/\w+",
 		r"/proc/\w+",
 		r"/sys/\w+",
 		r"/dev/\w+",
 		r"/boot/\w+",
 	]
+	_SENSITIVE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES_RAW)
 
 	# Known-dangerous call targets for .remove() / .unlink() / .rmtree().
 	_DANGEROUS_ATTR_OWNERS = frozenset({"os", "shutil", "pathlib", "path"})
@@ -142,7 +145,7 @@ class ExecutionSafetyManager:
 	# false-positives on SQL DELETE keyword used as a string literal in
 	# data-analysis code (e.g. cursor.execute("DELETE FROM ...")).
 	# =========================
-	_DESTRUCTIVE_PATTERNS = [
+	_DESTRUCTIVE_PATTERNS_RAW = [
 		# Filesystem deletes
 		r"\bunlink\b",
 		r"\bunlinksync\b",
@@ -166,19 +169,21 @@ class ExecutionSafetyManager:
 		r"\bformat\s+[a-z]:",
 		r"\bdiskpart\b",
 	]
+	_DESTRUCTIVE_PATTERNS = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS_RAW)
 
 	# =========================
 	# BUG FIX #2: Shell patterns now use re.search() with \b word boundaries
 	# instead of plain `in` substring matching. Previously "bash" matched
 	# any identifier containing "bash" (e.g. "rehash", "bashful").
 	# =========================
-	_SHELL_PATTERNS = [
+	_SHELL_PATTERNS_RAW = [
 		r"\bsubprocess\b",
 		r"\bos\.system\b",
 		r"\bpowershell\b",
 		r"\bcmd\.exe\b",
 		r"\bbash\b",
 	]
+	_SHELL_PATTERNS = tuple(re.compile(p) for p in _SHELL_PATTERNS_RAW)
 
 	def __init__(self, unsafe_mode: bool = False):
 		self.unsafe_mode = unsafe_mode
@@ -228,7 +233,7 @@ def _has_write_operation(self, code: str) -> bool:
 		"""Return True if *code* contains any write operation that must be
 		blocked in SAFE mode.
 		"""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS)
+		return any(p.search(code) for p in self._WRITE_PATTERNS)
 
 	# =========================
 	# WRITE-ON-HANDLE DETECTION
@@ -240,7 +245,7 @@ def _has_write_on_handle(self, code: str) -> bool:
 		"""Return True if *code* calls .write() on any object (handle check).
 		This is intentionally only evaluated when an absolute path is present.
 		"""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS)
+		return any(p.search(code) for p in self._WRITE_ON_HANDLE_PATTERNS)
 
 	# =========================
 	# HOST ABSOLUTE PATH CHECK
@@ -285,7 +290,7 @@ def _is_host_absolute_path(self, code: str) -> bool:
 
 	def _is_sensitive_posix_path(self, code: str) -> bool:
 		"""Return True if *code* references a sensitive POSIX system path."""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES)
+		return any(p.search(code) for p in self._SENSITIVE_POSIX_PREFIXES)
 
 	# =========================
 	# MAIN CHECK
@@ -326,15 +331,15 @@ def assess_execution(self, code: str, mode: str) -> Decision:
 		# (shutdown, reboot, mkfs, dd, format, diskpart) in addition to
 		# filesystem deletes.
 		# =========================
-		if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS):
+		if any(p.search(code_lower) for p in self._DESTRUCTIVE_PATTERNS):
 			return Decision(False, ["Destructive operation blocked."])
 
 		# =========================
 		# SHELL BLOCK
 		# BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead
 		# of plain substring `in` check to avoid false positives.
 		# =========================
-		if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS):
+		if any(p.search(code_lower) for p in self._SHELL_PATTERNS):
 			return Decision(False, ["Shell execution is blocked."])
 
 		# =========================
@@ -370,7 +375,7 @@ def is_dangerous_operation(self, code: str) -> bool:
 		if not code or not code.strip():
 			return False
 		code_lower = code.lower()
-		return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS)
+		return any(p.search(code_lower) for p in self._DESTRUCTIVE_PATTERNS)
 
 	# =========================
 	# ARTIFACT EXPORT

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## 2024-05-29 - Pre-compiling Regex Patterns for Performance`
	`2`	+Learning: In the `libs/safety_manager.py`, repeated string-based `re.search()` calls inside hot paths create significant overhead compared to using pre-compiled regex objects (`re.compile`). While building a massive combined `\|` joined regex might theoretically be faster, in Python 3, pre-compiling individual patterns into a tuple of `re.Pattern` objects provides the most reliable and readable speedup for list comprehensions with `any()`.
	`3`	+Action: Pre-compile regex lists as class attributes using `tuple(re.compile(p) for p in RAW_PATTERNS)` to optimize hot paths without sacrificing readability.