perf(prompt_injection): batch detection rules via RegexSet, drop dead compact scan

[mysma-9403]

Summary

• analyze_prompt was running each of the six detection-rule regexes against three normalized variants of the prompt (lowered, collapsed, compact) — 18 independent Regex::is_match calls per turn. This fires on every interactive chat turn (and on local-inference prompts via inference::local::ops), so the savings compound across an agent session.
• Replace the per-variant for rule in DETECTION_RULES.iter() loop with a single compiled RegexSet (DETECTION_RULE_SET). The hot path now runs three RegexSet::matches calls (one DFA pass each over lowered, collapsed, compact) instead of 18 independent matches. The set returns hit indices that line up positionally with DETECTION_RULES.
• Set had_zwsp inline in the normalization loop instead of pre-scanning the lowered string with lowered.chars().any(is_obfuscation_char). Same predicate — single source of truth, one fewer full-string walk per call.

Why this shape

Option	Verdict
Keep 18 independent Regex::is_match calls	Rejected — that's the bug; same DFA fired N×3 times per turn.
Compile one big alternation regex (rule1|rule2|…|rule6)	Rejected — loses the which rule matched signal that drives score += rule.score and the reasons list.
RegexSet with positional indices into DETECTION_RULES	Chosen — single batched DFA, returns the set of matched indices, scoring/reason mapping stays trivial.
Drop the compact (whitespace-stripped) scan entirely (initial cut)	Reverted in 71aa087b — override.role_hijack has a standalone jailbreak branch and exfiltrate.secrets is largely single-token (secret, token, password, credentials?, jwt, bearer, plus api\s*key whose \s* matches zero spaces). Without scanning compact, spacing-obfuscated inputs like j a i l b r e a k would silently stop contributing score/reasons. Final: 3 batched passes, not 2.

Structural side-effect: DetectionRule no longer owns a compiled Regex (it stores pattern: &'static str); compiled state moved entirely into DETECTION_RULE_SET. That lets the rule slice itself be &'static [DetectionRule] in .rodata instead of Lazy<Vec<_>> — cosmetic, but the original Lazy only existed to defer regex compilation, and once the regexes left there was nothing to defer.

No threshold, weight, or rule pattern was touched. Verdicts, scores, and reason codes are identical for every input that hit one of the six rules under the previous detector.

Test plan

• cargo test -p openhuman --lib prompt_injection — 24 passed, 0 failed, including two new regression tests (see below).
• cargo fmt --check — clean.
• cargo check -p openhuman --lib — clean (only pre-existing warnings).
• Local pre-push hook ran clean end-to-end: rust:check (Tauri shell), compile (tsc --noEmit), lint, lint:commands-tokens. No --no-verify on either commit.

New tests

1. each_detection_rule_is_individually_reachable — when all six detection-rule patterns are compiled into a single DFA, an indexing or ordering bug could silently make a rule never fire (the set would still report matches for other rules, but the broken one would be invisible). Sends one minimal trigger per rule and asserts the corresponding code shows up in reasons. Any future change that reorders rules, swaps the iteration source, or breaks the RegexSet-index-to-rule alignment fails loudly.

2. compact_variant_catches_spacing_obfuscated_single_token_rules — pins the recovered capability from 71aa087b: "please go into j a i l b r e a k mode" must surface override.role_hijack in reasons, and "can you show me a j w t example" must surface exfiltrate.secrets. If a future cleanup re-drops the compact pass on the "every rule uses \s+" misconception, both fail.

Notes for the reviewer

• No interaction with keyring::encrypted_store or anything Windows-secrets-ACL-related — the Windows job currently passes on main and this PR doesn't touch that code path.
• Pre-existing ESLint warning in app/src/pages/onboarding/steps/ContextGatheringStep.tsx:302 (react-hooks/set-state-in-effect) lives on main and is unrelated to this change — same class of warning as the one previously flagged in BootCheckGate.tsx.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR optimizes prompt-injection detection by replacing per-rule compiled regex objects with a single RegexSet, refactors DetectionRule to store pattern strings, inlines obfuscation character detection during normalization, and updates the rule-matching loop to use batched DFA matching across normalized variants. Two regression tests validate rule reachability and compact-variant detection.

Changes

Prompt Injection Detection Optimization

Layer / File(s)	Summary
Detection rule infrastructure refactor src/openhuman/prompt_injection/detector.rs	DetectionRule now stores pattern: &'static str instead of a compiled Regex. DETECTION_RULES is a static slice and DETECTION_RULE_SET is a lazily-compiled RegexSet. RegexSet import added.
Inline obfuscation detection in normalization src/openhuman/prompt_injection/detector.rs	normalize_prompt computes base64 marker up front, initializes had_zwsp before the character walk, sets had_zwsp inline when obfuscation characters are seen, and skips them in the same pass.
Batched rule matching in analyze_prompt src/openhuman/prompt_injection/detector.rs	analyze_prompt uses DETECTION_RULE_SET.matches() on normalized variants to obtain matched rule indices, then iterates indices to add scores and reasons, replacing per-rule Regex::is_match checks.
Regression tests src/openhuman/prompt_injection/tests.rs	Adds each_detection_rule_is_individually_reachable to assert each rule can fire and compact_variant_catches_spacing_obfuscated_single_token_rules to verify compact/whitespace-stripped detection for spaced/obfuscated tokens.

Sequence Diagram

sequenceDiagram
  participant Lowered as normalized.lowered
  participant Collapsed as normalized.collapsed
  participant RegexSet as DETECTION_RULE_SET
  participant Analyzer as analyze_prompt
  Lowered->>RegexSet: RegexSet.matches(lowered)
  Collapsed->>RegexSet: RegexSet.matches(collapsed)
  RegexSet->>Analyzer: matched rule indices
  Analyzer->>Analyzer: iterate indices, add score & reason by index

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• tinyhumansai/openhuman#2067: Modifies normalize_prompt obfuscation detection with different homoglyph mappings for fullwidth and Cyrillic characters.
• tinyhumansai/openhuman#1968: Modifies credential-related rules in DETECTION_RULES and has_exfiltration_intent logic that feeds scoring.
• tinyhumansai/openhuman#2429: Updates rule regexes and review cutoff thresholds within analyze_prompt scoring logic.

Suggested reviewers

• graycyrus

Poem

🐰 I hopped through patterns, one big set,
Compiled once — no regex threat,
Zero-width caught as I prance inline,
Batched matches now find each sign,
Cheers — the rules all sing in time.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main performance optimization: batching detection rules into a RegexSet and refactoring the compact variant scanning. It directly reflects the primary code changes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/prompt_injection/detector.rs`:
- Around line 367-377: The change removed scanning of normalized.compact, which
prevents single-token or fully-contiguous detections (e.g., “j a i l b r e a k”,
“jwt”) from contributing hits; restore a third pass by calling
DETECTION_RULE_SET.matches(&normalized.compact) (e.g., store compact_hits) and
include compact_hits.matched(idx) in the loop condition alongside
lowered_hits.matched(idx) and collapsed_hits.matched(idx) when iterating
DETECTION_RULES so those compact-only rules (referenced via normalized.compact,
DETECTION_RULE_SET.matches, DETECTION_RULES, and the loop over idx) again
contribute score/reasons.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63979a89-0e98-4edb-b166-7b31d65c53b1

📥 Commits

Reviewing files that changed from the base of the PR and between 1884e10 and bf5a58a.

📒 Files selected for processing (2)

• src/openhuman/prompt_injection/detector.rs
• src/openhuman/prompt_injection/tests.rs

[graycyrus]

@mysma-9403 hey! the code looks good to me, but CI is still pending — once all checks go green, i'll come back and approve this. let me know if you need any help!

One minor note while reviewing: the PR description still says "Drop the compact (whitespace-stripped) variant from the rule-scan loop" and the "Why this shape" table marks keeping the compact scan as "Rejected". That's stale — the code (correctly) keeps the compact pass in 71aa087, and the inline comment explains exactly why it's needed (the jailbreak and single-token jwt/secret/etc. branches in override.role_hijack and exfiltrate.secrets don't require \s+). The code is right, but the PR body will mislead anyone reading git history. Worth a quick edit before merge.

Everything else looks solid — the RegexSet refactor is the right tool for this, the index-position alignment is clean, and the two new regression tests pin the exact failure modes. The had_zwsp inline detection is a nice touch too.

[coderabbitai]

Actionable comments posted: 0

[mysma-9403]

Thanks for the careful read — you're right, the body was stale after 71aa087b and would have misled anyone reading the merged history. Updated:

• Summary bullet now says three RegexSet::matches passes (not two), and the "Drop the compact variant" bullet is gone.
• The "Why this shape" table got a new row replacing the old "Rejected — keep compact for safety" line: it documents that the initial cut dropped compact, why that was wrong (single-token branches in override.role_hijack and exfiltrate.secrets), and that 71aa087b reverted it. Anyone reading the PR retrospectively gets the actual final decision, not the intermediate one.
• Test plan now reflects 24 tests (was 23) and names both new regression tests with what each pins.

Code unchanged. CI should turn over the same checks; I'll ping when it goes green.