⚡ Bolt: Combine API calls and optimize regex for faster startup

WARP.md

@@ -91,7 +91,8 @@ The entire tool lives in `main.py` and is structured into clear phases:
    - `sanitize_for_log()` – Redacts `TOKEN` values from any log messages.
 
 4. **Control D API helpers**
-   - `list_existing_folders()` – Returns a `{folder_name -> folder_id}` mapping for a profile.
+   - `verify_access_and_get_folders()` – Combines the API access check and fetching existing folders into a single request. Returns `{folder_name -> folder_id}` on success.
+   - `list_existing_folders()` – Helper that returns a `{folder_name -> folder_id}` mapping (used as fallback).
    - `get_all_existing_rules()` – Collects all existing rule PKs from both the root and each folder, using a `ThreadPoolExecutor` to parallelize per-folder fetches while accumulating into a shared `set` guarded by a lock.
    - `delete_folder()` – Deletes a folder by ID with error-logged failures.
    - `create_folder()` – Creates a folder and tries to read its ID directly from the response; if that fails, it polls `GET /groups` with increasing waits (using `FOLDER_CREATION_DELAY`) until the new folder appears.
@@ -111,7 +112,8 @@ The entire tool lives in `main.py` and is structured into clear phases:
      2. Builds a `plan_entry` summarizing folder names, rule counts, and per-action breakdown (for `rule_groups`), appending it to the shared `plan_accumulator`.
      3. If `dry_run=True`, stops here after logging a summary message.
      4. Otherwise, reuses a single `_api_client()` instance to:
-        - List and optionally delete existing folders with matching names (`--no-delete` skips this step).
+        - Verify access and list existing folders in one request (`verify_access_and_get_folders`).
+        - Optionally delete existing folders with matching names (`--no-delete` skips this step).
         - If any deletions occurred, waits ~60 seconds (`countdown_timer`) to let Control D fully process the removals.
         - Build the global `existing_rules` set.
         - Sequentially process each folder (executor with `max_workers=1` to avoid rate-limit and ordering issues), calling `_process_single_folder()` for each.

main.py

@@ -289,6 +289,10 @@
 FOLDER_CREATION_DELAY = 5  # <--- CHANGED: Increased from 2 to 5 for patience
 MAX_RESPONSE_SIZE = 10 * 1024 * 1024  # 10MB limit
 
+# Regex patterns (compiled for performance)
+PROFILE_ID_PATTERN = re.compile(r"^[a-zA-Z0-9_-]+$")
+RULE_PATTERN = re.compile(r"^[a-zA-Z0-9.\-_:*\/]+$")
+
 
 # --------------------------------------------------------------------------- #
 # 2. Clients
@@ -398,7 +402,7 @@
 
 
 def is_valid_profile_id_format(profile_id: str) -> bool:
-    if not re.match(r"^[a-zA-Z0-9_-]+$", profile_id):
+    if not PROFILE_ID_PATTERN.match(profile_id):
         return False
     if len(profile_id) > 64:
         return False
@@ -408,7 +412,7 @@
 def validate_profile_id(profile_id: str, log_errors: bool = True) -> bool:
     if not is_valid_profile_id_format(profile_id):
         if log_errors:
-            if not re.match(r"^[a-zA-Z0-9_-]+$", profile_id):
+            if not PROFILE_ID_PATTERN.match(profile_id):
                 log.error("Invalid profile ID format (contains unsafe characters)")
             elif len(profile_id) > 64:
                 log.error("Invalid profile ID length (max 64 chars)")
@@ -427,7 +431,7 @@
 
     # Strict whitelist to prevent injection
     # ^[a-zA-Z0-9.\-_:*\/]+$
-    if not re.match(r"^[a-zA-Z0-9.\-_:*\/]+$", rule):
+    if not RULE_PATTERN.match(rule):
         return False
 
     return True
@@ -516,7 +520,7 @@
             return response
         except (httpx.HTTPError, httpx.TimeoutException) as e:
             if attempt == max_retries - 1:
                 if hasattr(e, "response") and e.response is not None:
                     log.debug(f"Response content: {sanitize_for_log(e.response.text)}")
                 raise
             wait_time = delay * (2**attempt)
@@ -583,44 +587,6 @@
         return _cache[url]
 
 
-def check_api_access(client: httpx.Client, profile_id: str) -> bool:
-    """
-    Verifies API access and Profile existence before starting heavy work.
-    Returns True if access is good, False otherwise (with helpful logs).
-    """
-    url = f"{API_BASE}/{profile_id}/groups"
-    try:
-        # We use a raw request here to avoid the automatic retries of _retry_request
-        # for auth errors, which are permanent.
-        resp = client.get(url)
-        resp.raise_for_status()
-        return True
-    except httpx.HTTPStatusError as e:
-        code = e.response.status_code
-        if code == 401:
-            log.critical(
-                f"{Colors.FAIL}❌ Authentication Failed: The API Token is invalid.{Colors.ENDC}"
-            )
-            log.critical(
-                f"{Colors.FAIL}   Please check your token at: https://controld.com/account/manage-account{Colors.ENDC}"
-            )
-        elif code == 403:
-            log.critical(
-                f"{Colors.FAIL}🚫 Access Denied: Token lacks permission for Profile {profile_id}.{Colors.ENDC}"
-            )
-        elif code == 404:
-            log.critical(
-                f"{Colors.FAIL}🔍 Profile Not Found: The ID '{profile_id}' does not exist.{Colors.ENDC}"
-            )
-            log.critical(
-                f"{Colors.FAIL}   Please verify the Profile ID from your Control D Dashboard URL.{Colors.ENDC}"
-            )
-        else:
-            log.error(f"API Access Check Failed ({code}): {e}")
-        return False
-    except httpx.RequestError as e:
-        log.error(f"Network Error during access check: {e}")
-        return False
 
 
 def list_existing_folders(client: httpx.Client, profile_id: str) -> Dict[str, str]:
@@ -629,14 +595,87 @@
         folders = data.get("body", {}).get("groups", [])
         return {
             f["group"].strip(): f["PK"]
             for f in folders
             if f.get("group") and f.get("PK")
         }
     except (httpx.HTTPError, KeyError) as e:
         log.error(f"Failed to list existing folders: {sanitize_for_log(e)}")
         return {}
 
 
+def verify_access_and_get_folders(
+    client: httpx.Client, profile_id: str
+) -> Optional[Dict[str, str]]:
+    """
+    Combines access check and fetching existing folders into a single request.
+    Returns:
+        Dict of {folder_name: folder_id} if successful.
+        None if access is denied or request fails after retries.
+    """
+    url = f"{API_BASE}/{profile_id}/groups"
+
+    for attempt in range(MAX_RETRIES):
+        try:
+            # Don't use _api_get because we need custom error handling for 4xx
+            resp = client.get(url)
+            resp.raise_for_status()
+
+            # Success! Parse and return
+            try:
+                data = resp.json()
+                folders = data.get("body", {}).get("groups", [])
+                return {
+                    f["group"].strip(): f["PK"]
+                    for f in folders
+                    if f.get("group") and f.get("PK")
+                }
+            except (KeyError, ValueError) as e:
+                log.error(f"Failed to parse folders data: {e}")
+                return None
+
+        except httpx.HTTPStatusError as e:
+            code = e.response.status_code
+            if code in (401, 403, 404):
+                if code == 401:
+                    log.critical(
+                        f"{Colors.FAIL}❌ Authentication Failed: The API Token is invalid.{Colors.ENDC}"
+                    )
+                    log.critical(
+                        f"{Colors.FAIL}   Please check your token at: https://controld.com/account/manage-account{Colors.ENDC}"
+                    )
+                elif code == 403:
+                    log.critical(
+                        f"{Colors.FAIL}🚫 Access Denied: Token lacks permission for Profile {profile_id}.{Colors.ENDC}"
+                    )
+                elif code == 404:
+                    log.critical(
+                        f"{Colors.FAIL}🔍 Profile Not Found: The ID '{profile_id}' does not exist.{Colors.ENDC}"
+                    )
+                    log.critical(
+                        f"{Colors.FAIL}   Please verify the Profile ID from your Control D Dashboard URL.{Colors.ENDC}"
+                    )
+                return None
+
+            # For 5xx errors, retry
+            if attempt == MAX_RETRIES - 1:
+                log.error(f"API Request Failed ({code}): {e}")
+                return None
+
+        except httpx.RequestError as e:
+            if attempt == MAX_RETRIES - 1:
+                log.error(f"Network Error: {e}")
+                return None
+
+        # Wait before retry (exponential backoff)
+        wait_time = RETRY_DELAY * (2**attempt)
+        log.warning(
+            f"Request failed (attempt {attempt + 1}/{MAX_RETRIES}). Retrying in {wait_time}s..."
+        )
+        time.sleep(wait_time)
+
+    return None
+
+
 def get_all_existing_rules(
     client: httpx.Client,
     profile_id: str,
@@ -704,7 +743,7 @@
     if not validate_folder_data(js, url):
         raise KeyError(f"Invalid folder data from {sanitize_for_log(url)}")
     return js
 
 
 def warm_up_cache(urls: Sequence[str]) -> None:
     urls = list(set(urls))
@@ -1142,11 +1181,12 @@
         # Initial client for getting existing state AND processing folders
         # Optimization: Reuse the same client session to keep TCP connections alive
         with _api_client() as client:
-            # Check for API access problems first (401/403/404)
-            if not check_api_access(client, profile_id):
+            # Check for API access problems first (401/403/404) AND get existing folders in one go
+            existing_folders = verify_access_and_get_folders(client, profile_id)
+            if existing_folders is None:
+                # Access check failed (logged already)
                 return False
 
-            existing_folders = list_existing_folders(client, profile_id)
             if not no_delete:
                 deletion_occurred = False
                 for folder_data in folder_data_list:

test_main.py

@@ -248,16 +248,29 @@
     assert "https://controld.com/account/manage-account" in stdout
 
 
-# Case 7: check_api_access handles success and errors correctly
-def test_check_api_access_success(monkeypatch):
+# Case 7: verify_access_and_get_folders handles success and errors correctly
+def test_verify_access_and_get_folders_success(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
+
+    # Mock successful JSON response
+    mock_resp = MagicMock()
+    mock_resp.json.return_value = {
+        "body": {
+            "groups": [
+                {"group": "Folder A", "PK": "id_a"},
+                {"group": "Folder B", "PK": "id_b"},
+            ]
+        }
+    }
+    mock_client.get.return_value = mock_resp
     mock_client.get.return_value.raise_for_status.return_value = None
 
-    assert m.check_api_access(mock_client, "valid_profile") is True
+    folders = m.verify_access_and_get_folders(mock_client, "valid_profile")
+    assert folders == {"Folder A": "id_a", "Folder B": "id_b"}
 
 
-def test_check_api_access_401(monkeypatch):
+def test_verify_access_and_get_folders_401(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
 
@@ -273,14 +286,14 @@
     mock_log = MagicMock()
     monkeypatch.setattr(m, "log", mock_log)
 
-    assert m.check_api_access(mock_client, "invalid_token") is False
+    assert m.verify_access_and_get_folders(mock_client, "invalid_token") is None
     assert mock_log.critical.call_count >= 1
     # Check for authentication failed message
     args = str(mock_log.critical.call_args_list)
     assert "Authentication Failed" in args
 
 
-def test_check_api_access_403(monkeypatch):
+def test_verify_access_and_get_folders_403(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
 
@@ -295,12 +308,12 @@
     mock_log = MagicMock()
     monkeypatch.setattr(m, "log", mock_log)
 
-    assert m.check_api_access(mock_client, "forbidden_profile") is False
+    assert m.verify_access_and_get_folders(mock_client, "forbidden_profile") is None
     assert mock_log.critical.call_count == 1
     assert "Access Denied" in str(mock_log.critical.call_args)
 
 
-def test_check_api_access_404(monkeypatch):
+def test_verify_access_and_get_folders_404(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
 
@@ -315,12 +328,12 @@
     mock_log = MagicMock()
     monkeypatch.setattr(m, "log", mock_log)
 
-    assert m.check_api_access(mock_client, "missing_profile") is False
+    assert m.verify_access_and_get_folders(mock_client, "missing_profile") is None
     assert mock_log.critical.call_count >= 1
     assert "Profile Not Found" in str(mock_log.critical.call_args_list)
 
 
-def test_check_api_access_generic_http_error(monkeypatch):
+def test_verify_access_and_get_folders_500_retry(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
 
@@ -335,12 +348,19 @@
     mock_log = MagicMock()
     monkeypatch.setattr(m, "log", mock_log)
 
-    assert m.check_api_access(mock_client, "profile") is False
+    # Speed up sleep
+    monkeypatch.setattr(m, "RETRY_DELAY", 0.001)
+    monkeypatch.setattr("time.sleep", lambda x: None)
+    monkeypatch.setattr(m, "MAX_RETRIES", 2)
+
+    assert m.verify_access_and_get_folders(mock_client, "profile") is None
+    # Should have retried
+    assert mock_client.get.call_count == 2
     assert mock_log.error.called
     assert "500" in str(mock_log.error.call_args)
 
 
-def test_check_api_access_network_error(monkeypatch):
+def test_verify_access_and_get_folders_network_error(monkeypatch):
     m = reload_main_with_env(monkeypatch)
     mock_client = MagicMock()
 
@@ -351,7 +371,13 @@
     mock_log = MagicMock()
     monkeypatch.setattr(m, "log", mock_log)
 
-    assert m.check_api_access(mock_client, "profile") is False
+    # Speed up sleep
+    monkeypatch.setattr(m, "RETRY_DELAY", 0.001)
+    monkeypatch.setattr("time.sleep", lambda x: None)
+    monkeypatch.setattr(m, "MAX_RETRIES", 2)
+
+    assert m.verify_access_and_get_folders(mock_client, "profile") is None
+    assert mock_client.get.call_count == 2
     assert mock_log.error.called
     assert "Network failure" in str(mock_log.error.call_args)