Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .jules/bolt.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,6 @@
## 2026-07-02 - Credential Masking Security Hole in Subprocess Environments
**Learning:** Found a critical missing credential masking pattern in `scripts/ci/noema_review_gate.py`'s `scrub_sensitive_data` which didn't mask `Authorization: Basic` or `Proxy-Authorization: Basic` tokens unlike its analogous helper in `scripts/ci/pr_review_merge_scheduler.py`. This leaves exception messages and logs vulnerable to exposing sensitive credentials when HTTP operations fail.
**Action:** When implementing credential masking functions that sanitize tracebacks and log messages, ensure the masking scope includes all relevant headers, particularly `Authorization` and `Proxy-Authorization`. Ensure parity across masking helpers across CI scripts to prevent blind spots.
## 2026-07-07 - Pre-compile Regex Patterns in Python Scripts Embedded in Bash
**Learning:** Found an anti-pattern in `scripts/ci/validate_opencode_failed_check_review.sh` where a Python script injected via HEREDOC repeatedly recompiled regex patterns using `re.sub` and `re.match` within tight loops for cleaning and parsing CI logs. This caused measurable overhead.
**Action:** Always pre-compile regex patterns at the module level using `re.compile()` in Python scripts, even those embedded inside Bash scripts via HEREDOCs, to prevent redundant compilations when processing large inputs.
54 changes: 32 additions & 22 deletions scripts/ci/validate_opencode_failed_check_review.sh
Original file line number Diff line number Diff line change
Expand Up @@ -213,26 +213,40 @@ location_re = re.compile(
re.IGNORECASE,
)

# ⚡ Bolt: Pre-compiled regex patterns to avoid recompilation on every line processed.
CLEAN_PREFIX_RE = re.compile(r"^.*?│\s*")
CLEAN_SUFFIX_RE = re.compile(r"\s*│.*$")
CLEAN_TIMESTAMP_RE = re.compile(r"^.*?[0-9]Z\s+")
CLEAN_WHITESPACE_RE = re.compile(r"\s+")
NEW_FIELD_RE = re.compile(
r"^(Title|Severity|CVSS Score|CVSS Vector|Target|Endpoint|Method|Description|Impact|Technical Analysis|PoC Description|PoC Code|Code Locations|Remediation)\b",
re.IGNORECASE,
)
DECORATION_RE = re.compile(r"^[╭╰─]+$")
WINDOW_MODEL_RE = re.compile(
r"(?:model|for model)\s+((?:github[-_]models|openai|deepseek|vertex_ai)/[A-Za-z0-9._/-]+)",
re.IGNORECASE,
)
TITLE_FIELD_RE = re.compile(r"^Title:\s+(.+)", re.IGNORECASE)
SEVERITY_FIELD_RE = re.compile(r"^Severity:\s+(CRITICAL|HIGH|MEDIUM|LOW|NONE)\b", re.IGNORECASE)
ENDPOINT_FIELD_RE = re.compile(r"^Endpoint:\s+(.+)", re.IGNORECASE)
METHOD_FIELD_RE = re.compile(r"^Method:\s+(.+)", re.IGNORECASE)
TARGET_FIELD_RE = re.compile(r"^Target:\s+(.+)", re.IGNORECASE)


def clean(raw_line: str) -> str:
line = ansi_re.sub("", raw_line).replace("\r", "")
if "│" in line:
line = re.sub(r"^.*?│\s*", "", line)
line = re.sub(r"\s*│.*$", "", line)
line = CLEAN_PREFIX_RE.sub("", line)
line = CLEAN_SUFFIX_RE.sub("", line)
else:
line = re.sub(r"^.*?[0-9]Z\s+", "", line)
line = re.sub(r"\s+", " ", line).strip()
line = CLEAN_TIMESTAMP_RE.sub("", line)
line = CLEAN_WHITESPACE_RE.sub(" ", line).strip()
return line


def starts_new_field(line: str) -> bool:
return bool(
re.match(
r"^(Title|Severity|CVSS Score|CVSS Vector|Target|Endpoint|Method|Description|Impact|Technical Analysis|PoC Description|PoC Code|Code Locations|Remediation)\b",
line,
re.IGNORECASE,
)
)
return bool(NEW_FIELD_RE.match(line))


class ReportParser:
Expand Down Expand Up @@ -271,11 +285,7 @@ class ReportParser:
self.finish_report()
self.in_window = True
self.window_model = ""
match = re.search(
r"(?:model|for model)\s+((?:github[-_]models|openai|deepseek|vertex_ai)/[A-Za-z0-9._/-]+)",
line,
re.IGNORECASE,
)
match = WINDOW_MODEL_RE.search(line)
if match:
self.window_model = match.group(1)
self.current_model = match.group(1)
Expand All @@ -296,7 +306,7 @@ class ReportParser:
return False
if not line:
self.continuation = ""
elif not starts_new_field(line) and not re.match(r"^[╭╰─]+$", line) and line.lower() != "vulnerability report":
elif not starts_new_field(line) and not DECORATION_RE.match(line) and line.lower() != "vulnerability report":
if self.continuation == "title":
self.title = f"{self.title} {line}".strip()
elif self.continuation == "endpoint":
Expand All @@ -309,28 +319,28 @@ class ReportParser:
return False

def _parse_field(self, line: str) -> None:
field_match = re.match(r"^Title:\s+(.+)", line, re.IGNORECASE)
field_match = TITLE_FIELD_RE.match(line)
if field_match:
self.finish_report()
self.title = field_match.group(1)
self.report_model = self.window_model
self.continuation = "title"
return
field_match = re.match(r"^Severity:\s+(CRITICAL|HIGH|MEDIUM|LOW|NONE)\b", line, re.IGNORECASE)
field_match = SEVERITY_FIELD_RE.match(line)
if field_match:
self.severity = field_match.group(1).upper()
return
field_match = re.match(r"^Endpoint:\s+(.+)", line, re.IGNORECASE)
field_match = ENDPOINT_FIELD_RE.match(line)
if field_match:
self.endpoint = field_match.group(1)
self.continuation = "endpoint"
return
field_match = re.match(r"^Method:\s+(.+)", line, re.IGNORECASE)
field_match = METHOD_FIELD_RE.match(line)
if field_match:
self.method = field_match.group(1)
self.continuation = ""
return
field_match = re.match(r"^Target:\s+(.+)", line, re.IGNORECASE)
field_match = TARGET_FIELD_RE.match(line)
if field_match:
self.target = field_match.group(1)
self.continuation = "target"
Expand Down
Loading