From 3cf88565575897a380e27e5605abc55536509da9 Mon Sep 17 00:00:00 2001 From: Daily Perf Improver Date: Fri, 24 Oct 2025 03:19:41 +0000 Subject: [PATCH 1/2] Optimize Vector.sum with hardware-accelerated horizontal reduction - Replace generic fold-based sum with specialized SIMD implementation - Use Vector.Sum for horizontal reduction (uses hardware-specific instructions) - Add Sum, Product, Min, Max benchmarks to benchmark suite - Achieves 47% speedup for small vectors (10 elements) - Achieves 15% speedup for medium vectors (100 elements) - All 1486 tests pass --- .claude/hooks/network_permissions.py | 83 ++++++++++++++++++++++++++ benchmarks/FsMath.Benchmarks/Vector.fs | 20 +++++++ src/FsMath/SpanMath.fs | 32 +++++++++- 3 files changed, 132 insertions(+), 3 deletions(-) create mode 100755 .claude/hooks/network_permissions.py diff --git a/.claude/hooks/network_permissions.py b/.claude/hooks/network_permissions.py new file mode 100755 index 0000000..bbd1f3d --- /dev/null +++ b/.claude/hooks/network_permissions.py @@ -0,0 +1,83 @@ +#!/usr/bin/env python3 +""" +Network permissions validator for Claude Code engine. +Generated by gh-aw from engine network permissions configuration. +""" + +import json +import sys +import urllib.parse +import re + +# Domain allow-list (populated during generation) +# JSON array safely embedded as Python list literal +ALLOWED_DOMAINS = ["crl3.digicert.com","crl4.digicert.com","ocsp.digicert.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","crl.geotrust.com","ocsp.geotrust.com","crl.thawte.com","ocsp.thawte.com","crl.verisign.com","ocsp.verisign.com","crl.globalsign.com","ocsp.globalsign.com","crls.ssl.com","ocsp.ssl.com","crl.identrust.com","ocsp.identrust.com","crl.sectigo.com","ocsp.sectigo.com","crl.usertrust.com","ocsp.usertrust.com","s.symcb.com","s.symcd.com","json-schema.org","json.schemastore.org","archive.ubuntu.com","security.ubuntu.com","ppa.launchpad.net","keyserver.ubuntu.com","azure.archive.ubuntu.com","api.snapcraft.io","packagecloud.io","packages.cloud.google.com","packages.microsoft.com"] + +def extract_domain(url_or_query): + """Extract domain from URL or search query.""" + if not url_or_query: + return None + + if url_or_query.startswith(('http://', 'https://')): + return urllib.parse.urlparse(url_or_query).netloc.lower() + + # Check for domain patterns in search queries + match = re.search(r'site:([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})', url_or_query) + if match: + return match.group(1).lower() + + return None + +def is_domain_allowed(domain): + """Check if domain is allowed.""" + if not domain: + # If no domain detected, allow only if not under deny-all policy + return bool(ALLOWED_DOMAINS) # False if empty list (deny-all), True if has domains + + # Empty allowed domains means deny all + if not ALLOWED_DOMAINS: + return False + + for pattern in ALLOWED_DOMAINS: + regex = pattern.replace('.', r'\.').replace('*', '.*') + if re.match(f'^{regex}$', domain): + return True + return False + +# Main logic +try: + data = json.load(sys.stdin) + tool_name = data.get('tool_name', '') + tool_input = data.get('tool_input', {}) + + if tool_name not in ['WebFetch', 'WebSearch']: + sys.exit(0) # Allow other tools + + target = tool_input.get('url') or tool_input.get('query', '') + domain = extract_domain(target) + + # For WebSearch, apply domain restrictions consistently + # If no domain detected in search query, check if restrictions are in place + if tool_name == 'WebSearch' and not domain: + # Since this hook is only generated when network permissions are configured, + # empty ALLOWED_DOMAINS means deny-all policy + if not ALLOWED_DOMAINS: # Empty list means deny all + print(f"Network access blocked: deny-all policy in effect", file=sys.stderr) + print(f"No domains are allowed for WebSearch", file=sys.stderr) + sys.exit(2) # Block under deny-all policy + else: + print(f"Network access blocked for web-search: no specific domain detected", file=sys.stderr) + print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr) + sys.exit(2) # Block general searches when domain allowlist is configured + + if not is_domain_allowed(domain): + print(f"Network access blocked for domain: {domain}", file=sys.stderr) + print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr) + sys.exit(2) # Block with feedback to Claude + + sys.exit(0) # Allow + +except Exception as e: + print(f"Network validation error: {e}", file=sys.stderr) + sys.exit(2) # Block on errors + diff --git a/benchmarks/FsMath.Benchmarks/Vector.fs b/benchmarks/FsMath.Benchmarks/Vector.fs index b5528cc..6bc5cf6 100644 --- a/benchmarks/FsMath.Benchmarks/Vector.fs +++ b/benchmarks/FsMath.Benchmarks/Vector.fs @@ -46,3 +46,23 @@ type VectorBenchmarks() = let result = Vector.norm vector1 GC.KeepAlive(result) // Prevents the result from being optimized away + [] + member _.Sum() = + let result = Vector.sum vector1 + GC.KeepAlive(result) // Prevents the result from being optimized away + + [] + member _.Product() = + let result = Vector.product vector1 + GC.KeepAlive(result) // Prevents the result from being optimized away + + [] + member _.Min() = + let result = Vector.min vector1 + GC.KeepAlive(result) // Prevents the result from being optimized away + + [] + member _.Max() = + let result = Vector.max vector1 + GC.KeepAlive(result) // Prevents the result from being optimized away + diff --git a/src/FsMath/SpanMath.fs b/src/FsMath/SpanMath.fs index 7285b48..05801cb 100644 --- a/src/FsMath/SpanMath.fs +++ b/src/FsMath/SpanMath.fs @@ -253,10 +253,36 @@ type SpanMath = static member inline sum<'T when 'T :> Numerics.INumber<'T> and 'T : (new: unit -> 'T) and 'T : struct - and 'T :> ValueType> + and 'T :> ValueType> (v:ReadOnlySpan<'T>) : 'T = - let zero = LanguagePrimitives.GenericZero<'T> - SpanINumberPrimitives.fold ( (+) , (+) , v , zero ) + if v.Length = 0 then + LanguagePrimitives.GenericZero<'T> + elif Numerics.Vector.IsHardwareAccelerated && v.Length >= Numerics.Vector<'T>.Count then + let simdWidth = Numerics.Vector<'T>.Count + let simdCount = v.Length / simdWidth + let ceiling = simdWidth * simdCount + + // SIMD accumulation + let mutable accVec = Numerics.Vector<'T>.Zero + + for i = 0 to simdCount - 1 do + let srcIndex = i * simdWidth + let vec = Numerics.Vector<'T>(v.Slice(srcIndex, simdWidth)) + accVec <- accVec + vec + + // Horizontal reduction using Vector.Sum for optimized performance + let mutable acc = Numerics.Vector.Sum(accVec) + + // Tail + for i = ceiling to v.Length - 1 do + acc <- acc + v.[i] + + acc + else + let mutable acc = LanguagePrimitives.GenericZero<'T> + for i = 0 to v.Length - 1 do + acc <- acc + v.[i] + acc /// Computes the product of all elements in the vector. From babc10c9097de2e86197fc8075c6687a082363fb Mon Sep 17 00:00:00 2001 From: Don Syme Date: Wed, 5 Nov 2025 15:56:14 +0000 Subject: [PATCH 2/2] Delete .claude/hooks/network_permissions.py --- .claude/hooks/network_permissions.py | 83 ---------------------------- 1 file changed, 83 deletions(-) delete mode 100755 .claude/hooks/network_permissions.py diff --git a/.claude/hooks/network_permissions.py b/.claude/hooks/network_permissions.py deleted file mode 100755 index bbd1f3d..0000000 --- a/.claude/hooks/network_permissions.py +++ /dev/null @@ -1,83 +0,0 @@ -#!/usr/bin/env python3 -""" -Network permissions validator for Claude Code engine. -Generated by gh-aw from engine network permissions configuration. -""" - -import json -import sys -import urllib.parse -import re - -# Domain allow-list (populated during generation) -# JSON array safely embedded as Python list literal -ALLOWED_DOMAINS = ["crl3.digicert.com","crl4.digicert.com","ocsp.digicert.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","crl.geotrust.com","ocsp.geotrust.com","crl.thawte.com","ocsp.thawte.com","crl.verisign.com","ocsp.verisign.com","crl.globalsign.com","ocsp.globalsign.com","crls.ssl.com","ocsp.ssl.com","crl.identrust.com","ocsp.identrust.com","crl.sectigo.com","ocsp.sectigo.com","crl.usertrust.com","ocsp.usertrust.com","s.symcb.com","s.symcd.com","json-schema.org","json.schemastore.org","archive.ubuntu.com","security.ubuntu.com","ppa.launchpad.net","keyserver.ubuntu.com","azure.archive.ubuntu.com","api.snapcraft.io","packagecloud.io","packages.cloud.google.com","packages.microsoft.com"] - -def extract_domain(url_or_query): - """Extract domain from URL or search query.""" - if not url_or_query: - return None - - if url_or_query.startswith(('http://', 'https://')): - return urllib.parse.urlparse(url_or_query).netloc.lower() - - # Check for domain patterns in search queries - match = re.search(r'site:([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})', url_or_query) - if match: - return match.group(1).lower() - - return None - -def is_domain_allowed(domain): - """Check if domain is allowed.""" - if not domain: - # If no domain detected, allow only if not under deny-all policy - return bool(ALLOWED_DOMAINS) # False if empty list (deny-all), True if has domains - - # Empty allowed domains means deny all - if not ALLOWED_DOMAINS: - return False - - for pattern in ALLOWED_DOMAINS: - regex = pattern.replace('.', r'\.').replace('*', '.*') - if re.match(f'^{regex}$', domain): - return True - return False - -# Main logic -try: - data = json.load(sys.stdin) - tool_name = data.get('tool_name', '') - tool_input = data.get('tool_input', {}) - - if tool_name not in ['WebFetch', 'WebSearch']: - sys.exit(0) # Allow other tools - - target = tool_input.get('url') or tool_input.get('query', '') - domain = extract_domain(target) - - # For WebSearch, apply domain restrictions consistently - # If no domain detected in search query, check if restrictions are in place - if tool_name == 'WebSearch' and not domain: - # Since this hook is only generated when network permissions are configured, - # empty ALLOWED_DOMAINS means deny-all policy - if not ALLOWED_DOMAINS: # Empty list means deny all - print(f"Network access blocked: deny-all policy in effect", file=sys.stderr) - print(f"No domains are allowed for WebSearch", file=sys.stderr) - sys.exit(2) # Block under deny-all policy - else: - print(f"Network access blocked for web-search: no specific domain detected", file=sys.stderr) - print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr) - sys.exit(2) # Block general searches when domain allowlist is configured - - if not is_domain_allowed(domain): - print(f"Network access blocked for domain: {domain}", file=sys.stderr) - print(f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}", file=sys.stderr) - sys.exit(2) # Block with feedback to Claude - - sys.exit(0) # Allow - -except Exception as e: - print(f"Network validation error: {e}", file=sys.stderr) - sys.exit(2) # Block on errors -