
error-pattern-safety
✓ Official★ 4,700by github · part of github/gh-aw
Error Pattern Safety Guidelines for Agentic Engines
This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.
name: error-pattern-safety description: Apply safe error-pattern matching rules for agentic engines.
Error Pattern Safety Guidelines
Use these regex safety rules in agentic engines to prevent JavaScript infinite loops.
The Problem
With the JavaScript global flag (/pattern/g), zero-width matches can cause infinite loops because:
- JavaScript's
regex.exec()with thegflag useslastIndexto track position - When a pattern matches zero-width,
lastIndexdoesn't advance - The same position is matched repeatedly, causing an infinite loop
Dangerous Pattern Examples
❌ NEVER USE THESE PATTERNS:
// Pure .* - matches everything including empty string at end
/.*/g
// Single character with * - matches zero or more (including zero)
/a*/g
// Patterns that can match empty string
/(x|y)*/gSafe Pattern Examples
✅ ALWAYS USE PATTERNS LIKE THESE:
// Required prefix before .*
/error.*/gi
/error.*permission.*denied/gi
// Specific structure with required content
/\[(\d{4}-\d{2}-\d{2})\]\s+(ERROR):\s+(.+)/g
// Required characters throughout
/access denied.*user.*not authorized/giPattern Safety Rules
-
Always require at least one character match
- Use
.+instead of.*when you need "something" - Ensure pattern has required prefix/suffix
- Use
-
Never use bare
.*as the entire pattern- Always combine with required text:
error.* - Never just
.*or.*?
- Always combine with required text:
-
Test patterns against empty string
const regex = /your-pattern/g; if (regex.test("")) { throw new Error("Pattern matches empty string - DANGEROUS!"); } -
Use specific anchors when possible
- Start:
^error.* - End:
.*error$ - Word boundaries:
\berror\b
- Start:
Validation Tests
All error patterns must pass these tests:
Go Tests (pkg/workflow/engine_error_patterns_infinite_loop_test.go)
// Test that pattern doesn't match empty string
func TestPatternSafety(t *testing.T) {
pattern := "your-pattern"
regex := regexp.MustCompile(pattern)
if regex.MatchString("") {
t.Error("Pattern matches empty string!")
}
}JavaScript Tests (pkg/workflow/js/validate_errors.test.cjs)
test("should not match empty string", () => {
const regex = new RegExp("your-pattern", "g");
expect(regex.test("")).toBe(false);
});Safety Mechanisms in validate_errors.cjs
The validate_errors.cjs script has built-in protections:
- Zero-width detection: Checks if
regex.lastIndexstops advancing - Iteration warning: Warns at 1000 iterations
- Hard limit: Stops at 10,000 iterations to prevent hang
// Safety check in validate_errors.cjs
if (regex.lastIndex === lastIndex) {
core.error(`Infinite loop detected! Pattern: ${pattern.pattern}`);
break;
}Adding New Error Patterns
When adding new error patterns to engines:
-
Write the pattern with required content
{ Pattern: `(?i)error.*permission.*denied`, LevelGroup: 0, MessageGroup: 0, Description: "Permission denied error", } -
Test against empty string
- Run:
make test-unit - Checks:
TestAllEnginePatternsSafe
- Run:
-
Test with actual log samples
- Ensure it matches real errors
- Ensure it doesn't match informational text
-
Document the pattern
- Add clear description
- Note what it's designed to catch
Pattern Conversion: Go to JavaScript
Patterns are converted from Go to JavaScript:
// Go pattern (case-insensitive flag)
Pattern: `(?i)error.*permission.*denied`
// Converted to JavaScript
new RegExp("error.*permission.*denied", "gi")The (?i) prefix is removed because JavaScript uses the i flag instead.
Examples from Current Codebase
✅ Safe Patterns
// Requires "error" prefix
Pattern: `(?i)error.*permission.*denied`
// Requires specific timestamp format
Pattern: `(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\[(ERROR)\]\s+(.+)`
// Requires "access denied" prefix
Pattern: `(?i)access denied.*user.*not authorized`How to Fix Unsafe Patterns
If you find a pattern that matches empty string:
Before (unsafe):
Pattern: `.*error.*` // Can match empty at start/endAfter (safe):
Pattern: `error.*` // Requires "error" at start
// OR
Pattern: `.*error.+` // Requires "error" and at least one char after
// OR
Pattern: `\berror\b.*` // Requires word "error"Testing Checklist
Before committing pattern changes:
- Run
make test-unit - Check
TestAllEnginePatternsSafepasses - Check
TestErrorPatternsNoInfiniteLoopPotentialpasses - Run JavaScript tests:
cd pkg/workflow/js && npm test - Verify pattern matches intended error messages
- Verify pattern doesn't match informational text
References
- Go regex syntax: https://pkg.go.dev/regexp/syntax
- JavaScript regex: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions
- Test files:
pkg/workflow/engine_error_patterns_infinite_loop_test.gopkg/workflow/js/validate_errors.test.cjspkg/workflow/error_pattern_tuning_test.go
npx skills add https://github.com/github/gh-aw --skill error-pattern-safetyRun this in your project — your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.