perf(gate): spawn secretlint/madge once per gate — ~47% faster pre-commit (closes #211)#212
Open
yuyu04 wants to merge 1 commit into
Open
perf(gate): spawn secretlint/madge once per gate — ~47% faster pre-commit (closes #211)#212yuyu04 wants to merge 1 commit into
yuyu04 wants to merge 1 commit into
Conversation
…anner memo (F-5a49899e) HARDCODED_SECRET (secretlint, ~4.4s) and ARCHITECTURE_VIOLATION (madge, ~1.4s) shell out to an external tool — together ~97% of the drift stage. They ran TWICE per gate: once inside the Drift stage (stage_1.3 sweeps every detector) and again as their dedicated Secret (stage_1.6) / Arch (stage_1.5) stage. secret.ts even documented that the layering "avoids spawning the scanner twice" — but nothing enforced it, so a full gate paid ~5.8s of duplicate subprocess time. - src/stages/scanner-cache.ts (new) — gate-scoped memo (mirrors the run-scoped spec cache F-cd0415): primeScannerCache(on) + memoizeScan(key, compute). - hardcoded-secret.ts / architecture-violation.ts — route execaSync through memoizeScan keyed by (cwd, cmd, args). Pass-through when no cache is primed → standalone/MCP behavior byte-for-byte unchanged. - clad check primes the memo around the stage loop, clears in finally (the long-lived MCP server must not carry a scan across runs). - secret.ts comment updated: the dedup it promised is now actually enforced. Measured (isolated worktree A/B, cladding's own repo): clad check --tier=pre-commit ~11.9s → ~6.3s (-47%), IDENTICAL findings. Blind-authored tests (tests/stages/scanner-cache.test.ts, 6). scanner-cache.ts lives in src/stages/ (NOT detectors/) so the 38-detector count is unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
4c68d1b to
bd3d525
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A gate-scoped memo makes the two shell-out detectors —
HARDCODED_SECRET(secretlint) andARCHITECTURE_VIOLATION(madge) — spawn their external tool once per gate instead of twice, the dedupsecret.tsalready documented but never enforced. Closes #211.Why (measured, not assumed)
Per-detector profiling on cladding's own repo:
They run in the Drift stage (which sweeps all detectors) AND again as the dedicated Secret/Arch stage → 2× spawn = ~5.8s duplicated per gate.
What's in the box
src/stages/scanner-cache.ts(new) —primeScannerCache(on)+memoizeScan(key, compute), mirroring the run-scoped spec cache (F-cd0415). A freshMapper primed gate; pass-through when unprimed.hardcoded-secret.ts/architecture-violation.ts— route theirexecaSyncthroughmemoizeScan, keyed by(cwd, cmd, args).clad.ts— primes the memo around the stage loop, clears in afinally(the long-lived MCP server must not carry a scan across runs).secret.ts— comment updated: the "avoids spawning twice" promise is now actually enforced.src/stages/(NOTdetectors/) so the 38-detector count is unchanged.A/B (isolated worktrees, 3 runs each)
clad check --tier=pre-commitCorrectness: the
HARDCODED_SECRET/ARCHITECTURE_VIOLATIONfindings are identical — the memo returns the same result, just once (proven by the unit test returning the same reference; the only OLD↔branch JSON diffs are unrelated branch state — a new feature shard + pre-attestation, not scanner findings).Scope / safety
finally→ each gate run gets a fresh cache; no stale cross-run scans in the MCP server.Feature cycle
spec/features/gate-scanner-memo-5a49899e.yaml(F-5a49899e, 4 ACs) → implement → blind tests (tests/stages/scanner-cache.test.ts, 6) →clad doneGREEN. Single clean commit ondevelop.🤖 Generated with Claude Code