From 0d3cd8cf31cf82a3f3c1552374cf2157545639df Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Tue, 7 Jul 2026 14:16:31 +0000 Subject: [PATCH 1/2] =?UTF-8?q?=E2=9A=A1=20Bolt:=20[=EC=84=B1=EB=8A=A5=20?= =?UTF-8?q?=EA=B0=9C=EC=84=A0]=20validate=5Fopencode=5Ffailed=5Fcheck=5Fre?= =?UTF-8?q?view.sh=20=EB=82=B4=20Python=20=EC=A0=95=EA=B7=9C=EC=8B=9D=20?= =?UTF-8?q?=EC=B5=9C=EC=A0=81=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit validate_opencode_failed_check_review.sh 스크립트 내부의 Python 코드에서 반복적으로 호출되는 `clean`, `starts_new_field`, `_handle_window_start`, `_handle_continuation`, `_parse_field` 함수 내의 정규식(`re.sub`, `re.match` 등)을 모듈 레벨에서 미리 컴파일(`re.compile`)하도록 개선하여 반복적인 텍스트 파싱 과정의 성능을 향상시켰습니다. --- .jules/bolt.md | 3 ++ .../validate_opencode_failed_check_review.sh | 54 +++++++++++-------- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/.jules/bolt.md b/.jules/bolt.md index 4bc70515..05d55ede 100644 --- a/.jules/bolt.md +++ b/.jules/bolt.md @@ -28,3 +28,6 @@ ## 2026-07-02 - Credential Masking Security Hole in Subprocess Environments **Learning:** Found a critical missing credential masking pattern in `scripts/ci/noema_review_gate.py`'s `scrub_sensitive_data` which didn't mask `Authorization: Basic` or `Proxy-Authorization: Basic` tokens unlike its analogous helper in `scripts/ci/pr_review_merge_scheduler.py`. This leaves exception messages and logs vulnerable to exposing sensitive credentials when HTTP operations fail. **Action:** When implementing credential masking functions that sanitize tracebacks and log messages, ensure the masking scope includes all relevant headers, particularly `Authorization` and `Proxy-Authorization`. Ensure parity across masking helpers across CI scripts to prevent blind spots. +## 2026-07-07 - Pre-compile Regex Patterns in Python Scripts Embedded in Bash +**Learning:** Found an anti-pattern in `scripts/ci/validate_opencode_failed_check_review.sh` where a Python script injected via HEREDOC repeatedly recompiled regex patterns using `re.sub` and `re.match` within tight loops for cleaning and parsing CI logs. This caused measurable overhead. +**Action:** Always pre-compile regex patterns at the module level using `re.compile()` in Python scripts, even those embedded inside Bash scripts via HEREDOCs, to prevent redundant compilations when processing large inputs. diff --git a/scripts/ci/validate_opencode_failed_check_review.sh b/scripts/ci/validate_opencode_failed_check_review.sh index a500e5fb..c16eb166 100755 --- a/scripts/ci/validate_opencode_failed_check_review.sh +++ b/scripts/ci/validate_opencode_failed_check_review.sh @@ -213,26 +213,40 @@ location_re = re.compile( re.IGNORECASE, ) +# ⚡ Bolt: Pre-compiled regex patterns to avoid recompilation on every line processed. +CLEAN_PREFIX_RE = re.compile(r"^.*?│\s*") +CLEAN_SUFFIX_RE = re.compile(r"\s*│.*$") +CLEAN_TIMESTAMP_RE = re.compile(r"^.*?[0-9]Z\s+") +CLEAN_WHITESPACE_RE = re.compile(r"\s+") +NEW_FIELD_RE = re.compile( + r"^(Title|Severity|CVSS Score|CVSS Vector|Target|Endpoint|Method|Description|Impact|Technical Analysis|PoC Description|PoC Code|Code Locations|Remediation)\b", + re.IGNORECASE, +) +DECORATION_RE = re.compile(r"^[╭╰─]+$") +WINDOW_MODEL_RE = re.compile( + r"(?:model|for model)\s+((?:github[-_]models|openai|deepseek|vertex_ai)/[A-Za-z0-9._/-]+)", + re.IGNORECASE, +) +TITLE_FIELD_RE = re.compile(r"^Title:\s+(.+)", re.IGNORECASE) +SEVERITY_FIELD_RE = re.compile(r"^Severity:\s+(CRITICAL|HIGH|MEDIUM|LOW|NONE)\b", re.IGNORECASE) +ENDPOINT_FIELD_RE = re.compile(r"^Endpoint:\s+(.+)", re.IGNORECASE) +METHOD_FIELD_RE = re.compile(r"^Method:\s+(.+)", re.IGNORECASE) +TARGET_FIELD_RE = re.compile(r"^Target:\s+(.+)", re.IGNORECASE) + def clean(raw_line: str) -> str: line = ansi_re.sub("", raw_line).replace("\r", "") if "│" in line: - line = re.sub(r"^.*?│\s*", "", line) - line = re.sub(r"\s*│.*$", "", line) + line = CLEAN_PREFIX_RE.sub("", line) + line = CLEAN_SUFFIX_RE.sub("", line) else: - line = re.sub(r"^.*?[0-9]Z\s+", "", line) - line = re.sub(r"\s+", " ", line).strip() + line = CLEAN_TIMESTAMP_RE.sub("", line) + line = CLEAN_WHITESPACE_RE.sub(" ", line).strip() return line def starts_new_field(line: str) -> bool: - return bool( - re.match( - r"^(Title|Severity|CVSS Score|CVSS Vector|Target|Endpoint|Method|Description|Impact|Technical Analysis|PoC Description|PoC Code|Code Locations|Remediation)\b", - line, - re.IGNORECASE, - ) - ) + return bool(NEW_FIELD_RE.match(line)) class ReportParser: @@ -271,11 +285,7 @@ class ReportParser: self.finish_report() self.in_window = True self.window_model = "" - match = re.search( - r"(?:model|for model)\s+((?:github[-_]models|openai|deepseek|vertex_ai)/[A-Za-z0-9._/-]+)", - line, - re.IGNORECASE, - ) + match = WINDOW_MODEL_RE.search(line) if match: self.window_model = match.group(1) self.current_model = match.group(1) @@ -296,7 +306,7 @@ class ReportParser: return False if not line: self.continuation = "" - elif not starts_new_field(line) and not re.match(r"^[╭╰─]+$", line) and line.lower() != "vulnerability report": + elif not starts_new_field(line) and not DECORATION_RE.match(line) and line.lower() != "vulnerability report": if self.continuation == "title": self.title = f"{self.title} {line}".strip() elif self.continuation == "endpoint": @@ -309,28 +319,28 @@ class ReportParser: return False def _parse_field(self, line: str) -> None: - field_match = re.match(r"^Title:\s+(.+)", line, re.IGNORECASE) + field_match = TITLE_FIELD_RE.match(line) if field_match: self.finish_report() self.title = field_match.group(1) self.report_model = self.window_model self.continuation = "title" return - field_match = re.match(r"^Severity:\s+(CRITICAL|HIGH|MEDIUM|LOW|NONE)\b", line, re.IGNORECASE) + field_match = SEVERITY_FIELD_RE.match(line) if field_match: self.severity = field_match.group(1).upper() return - field_match = re.match(r"^Endpoint:\s+(.+)", line, re.IGNORECASE) + field_match = ENDPOINT_FIELD_RE.match(line) if field_match: self.endpoint = field_match.group(1) self.continuation = "endpoint" return - field_match = re.match(r"^Method:\s+(.+)", line, re.IGNORECASE) + field_match = METHOD_FIELD_RE.match(line) if field_match: self.method = field_match.group(1) self.continuation = "" return - field_match = re.match(r"^Target:\s+(.+)", line, re.IGNORECASE) + field_match = TARGET_FIELD_RE.match(line) if field_match: self.target = field_match.group(1) self.continuation = "target" From 1f241eb7332172710ffaeb085ce7124f3c4faead Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Wed, 8 Jul 2026 06:39:24 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=E2=9A=A1=20Bolt:=20[=EC=84=B1=EB=8A=A5=20?= =?UTF-8?q?=EA=B0=9C=EC=84=A0]=20validate=5Fopencode=5Ffailed=5Fcheck=5Fre?= =?UTF-8?q?view.sh=20=EB=82=B4=20Python=20=EC=A0=95=EA=B7=9C=EC=8B=9D=20?= =?UTF-8?q?=EC=B5=9C=EC=A0=81=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit validate_opencode_failed_check_review.sh 스크립트 내부의 Python 코드에서 반복적으로 호출되는 `clean`, `starts_new_field`, `_handle_window_start`, `_handle_continuation`, `_parse_field` 함수 내의 정규식(`re.sub`, `re.match` 등)을 모듈 레벨에서 미리 컴파일(`re.compile`)하도록 개선하여 반복적인 텍스트 파싱 과정의 성능을 향상시켰습니다.