Consolidate 36 Jules PRs: pre-compile regex, harden log sanitization, add dry-run plan details

[Copilot]

Jules generated 36 overlapping PRs across three categories (Bolt/Sentinel/Palette) with heavy duplication. This PR cherry-picks the best change from each category, incorporates bot review feedback (Gemini Code Assist, Copilot reviewer, CodeQL), and consolidates into a single mergeable PR.

⚡ Performance: Pre-compile regex (from PR #173)

Moved PROFILE_ID_PATTERN, RULE_PATTERN, and two sanitization patterns to module-level compiled constants. Used in is_valid_rule, is_valid_profile_id_format, validate_profile_id, and sanitize_for_log.

PROFILE_ID_PATTERN = re.compile(r"^[a-zA-Z0-9_-]+$")
RULE_PATTERN = re.compile(r"^[a-zA-Z0-9.\-_:*\/]+$")
_BASIC_AUTH_PATTERN = re.compile(r"://[^/@]+@")
_SENSITIVE_PARAM_PATTERN = re.compile(
    r"([?&#])(token|key|secret|password|auth|access_token|api_key)=[^&#\s]*",
    flags=re.IGNORECASE,
)

🛡️ Security: Redact credentials from logs (from PR #172 + review feedback)

sanitize_for_log() now strips Basic Auth (://user:pass@host) and sensitive query params before logging. Handles # fragment separators per Gemini review. Uses [^&#\s]* to avoid consuming trailing punctuation per Copilot review.

🎨 UX: Dry-run plan details + fix duplicate function (from PR #174)

• Added print_plan_details() showing per-folder rule counts during --dry-run
• Removed duplicate render_progress_bar definition (first copy was dead code shadowed by second)

PRs superseded (close these)

Category	PRs to close
Bolt (regex)	#140, #143, #152, #155, #158, #161, #167, #173
Sentinel (security)	#142, #145, #148, #151, #154, #157, #160, #169, #172
Palette (UX)	#139, #141, #144, #147, #150, #153, #156, #159, #162, #165, #168, #171, #174

Keep open (independent features): #146, #149, #164 (parallel deletion), #163 (RTLO fix), #166 (.env perms), #170 (combined API calls).

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

@abhimehro Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository and had to close this PR. The error I am seeing is:

no `copilot-setup-steps` job found in your `copilot-setup-steps.yml` workflow file. Please ensure you have a single job named `copilot-setup-steps`. For more details, see https://gh.io/copilot/actions-setup-steps

Once you or someone with the necessary access fixes the problem, please unassign and then reassign issue #0 to me and I'll retry. Thanks!

[trunk-io]

😎 Merged manually by @abhimehro - details.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[Copilot]

Pull request overview

This PR consolidates prior overlapping changes into a single update that improves runtime efficiency and security of log output, and enhances --dry-run UX by showing a folder/rule breakdown.

Changes:

• Pre-compiles hot-path validation regexes and log-sanitization regexes at module scope and switches call sites to reuse them.
• Hardens sanitize_for_log() to redact Basic Auth credentials in URLs and sensitive query parameters (in addition to TOKEN), while continuing to escape control characters.
• Adds print_plan_details() and calls it during --dry-run, plus adds/extends tests covering dry-run output and new sanitization behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
main.py	Adds pre-compiled regex constants, strengthens sanitize_for_log, introduces print_plan_details, and wires it into dry-run flow.
tests/test_plan_details.py	New pytest tests validating dry-run plan detail output ordering and no-folder behavior.
tests/test_log_sanitization.py	Adds unittest coverage for Basic Auth and sensitive query parameter redaction in sanitize_for_log.