[Repo Assist] eng(sanitize): promote inline regexp to package-level var; add SanitizeString benchmark

[github-actions]

🤖 This is an automated PR from Repo Assist.

Summary

Two small engineering improvements to the sanitize package:

1. Promote inline regexp.MustCompile to package-level var

SanitizeString is called on every log message in the gateway. For each of the 10 SecretPatterns, it calls ReplaceAllStringFunc. When a match contained = or :, the previous code compiled a brand-new *regexp.Regexp inside the closure:

// Before — compiled on every matching call
parts := regexp.MustCompile(`[=:]\s*`).Split(match, 2)

This allocated a new regexp object and re-ran the compilation pipeline on every such match. The fix promotes it to a package-level var keyValueSplitPattern, compiled exactly once at init:

// After — compiled once
var keyValueSplitPattern = regexp.MustCompile(`[=:]\s*`)
// ...
parts := keyValueSplitPattern.Split(match, 2)

2. Add BenchmarkSanitizeString

Adds two sub-benchmarks (no_secrets, with_secret) to make the cost of SanitizeString visible and guard against future regressions.

Test Status

• ✅ All existing TestSanitizeString* tests unchanged.
• ➕ New BenchmarkSanitizeString benchmark added.
• ⚠️ Local build not possible: sandbox has Go 1.24.13, go.mod requires 1.25.0, proxy.golang.org is firewalled. CI will validate.

Generated by Repo Assist · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.