[plan] Fix regexp.MustCompile inside for loop in validateExpressionForDangerousProps #20026

@github-actions

Description

Objective

Hoist two regexp.MustCompile calls in validateExpressionForDangerousProps to package-level var declarations to eliminate repeated regex compilation in a hot validation path.

Context

Reported in discussion #19993 (Sergo audit: scanner-buffer-revisit-plus-regexp-compilation-audit, 2026-03-07).

validateExpressionForDangerousProps in pkg/workflow/expression_validation.go calls regexp.MustCompile twice — once at function scope (per-call) and once inside a for loop (per-iteration) — on compile-time constant patterns. Since validateSingleExpression is recursive and called for every expression in every compiled workflow, these allocations accumulate significantly.

Files to Modify

  • pkg/workflow/expression_validation.go — hoist two regex vars

Approach

  1. Locate the two regexp.MustCompile calls in validateExpressionForDangerousProps (lines ~212, ~216):
    • regexp.MustCompile("[.\\[\\]]+") at function scope (compiled once per call)
    • regexp.MustCompile("^\\d+$") inside the for loop (compiled once per iteration)
  2. Add package-level var declarations alongside existing regex vars in the file:
    var (
        exprPartSplitRe   = regexp.MustCompile(`[.\[\]]+`)
        exprNumericPartRe = regexp.MustCompile(`^\d+$`)
    )
  3. Replace the inline regexp.MustCompile(...) calls with references to exprPartSplitRe and exprNumericPartRe.
  4. Run make fmt and make test-unit (or selectively: go test -v -run "Test.*Expression" ./pkg/workflow/).
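The before/after shape of the change, as an added example written for this plan rather than taken from pkg/workflow/expression_validation.go. The function names splitExpressionParts, propertyNames and propertyNamesInline are hypothetical stand-ins for the splitting and numeric-part checks inside validateExpressionForDangerousProps; the only lines shared with the plan are the two package-level var declarations. propertyNamesInline reproduces the per-call and per-iteration compilation that the plan removes, so the two variants can be compared for identical output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hoisted, package-level compiled patterns, exactly as step 2 of the plan
// declares them. They are compiled once at package init rather than on
// every call and every loop iteration.
var (
	exprPartSplitRe   = regexp.MustCompile(`[.\[\]]+`)
	exprNumericPartRe = regexp.MustCompile(`^\d+$`)
)

// splitExpressionParts (hypothetical name) splits a dotted or indexed
// expression such as steps.build.outputs[0].value into path segments,
// dropping the empty segments that leading or trailing separators produce.
func splitExpressionParts(expr string) []string {
	var parts []string
	for _, p := range exprPartSplitRe.Split(strings.TrimSpace(expr), -1) {
		if p != "" {
			parts = append(parts, p)
		}
	}
	return parts
}

// propertyNames (hypothetical name) returns the non-numeric segments of an
// expression: purely numeric segments are array indices, not property
// names, so a dangerous-property check has nothing to inspect in them.
func propertyNames(expr string) []string {
	var names []string
	for _, p := range splitExpressionParts(expr) {
		if exprNumericPartRe.MatchString(p) {
			continue
		}
		names = append(names, p)
	}
	return names
}

// propertyNamesInline is the pattern the plan removes: same output as
// propertyNames, but it recompiles the split regex on every call and the
// numeric regex on every loop iteration. Kept here only for comparison.
func propertyNamesInline(expr string) []string {
	splitRe := regexp.MustCompile("[.\\[\\]]+") // per call
	var names []string
	for _, p := range splitRe.Split(strings.TrimSpace(expr), -1) {
		numericRe := regexp.MustCompile("^\\d+$") // per iteration
		if p == "" || numericRe.MatchString(p) {
			continue
		}
		names = append(names, p)
	}
	return names
}

func main() {
	// Constructed sample expressions, not taken from any real workflow.
	for _, expr := range []string{
		"steps.build.outputs[0].value",
		"github.event.inputs[12]",
	} {
		fmt.Printf("%-32s hoisted=%v inline=%v\n",
			expr, propertyNames(expr), propertyNamesInline(expr))
	}
}
```

Because the patterns are constants, hoisting changes nothing about what the validator accepts or rejects; the behavioural contract is that propertyNames and propertyNamesInline agree on every input, which is what the existing expression tests plus a quick go test -run "Test.*Expression" ./pkg/workflow/ should confirm after the edit.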

Acceptance Criteria

  • Both regex patterns are declared as package-level vars in expression_validation.go
  • No regexp.MustCompile calls remain inside validateExpressionForDangerousProps
  • All existing expression validation tests pass
  • make agent-finish passes with no errors

Generated by Plan Command for discussion #19993

  • expires on Mar 10, 2026, 5:59 AM UTC
