Negative lookahead regex issue on node definition

Describe the Bug

When upgrading to Puppet Server version 8.6.3, certain node regex patterns stop functioning correctly. Specifically, regex patterns that use negative lookahead (?!) no longer match nodes as expected. Instead, the Puppet agent throws an error when attempting to retrieve the catalog.

Expected Behavior

The regex patterns should continue to match nodes as defined, including those using negative lookahead assertions, and the catalog should be successfully retrieved.

Steps to Reproduce

Steps to reproduce the behavior:

Upgrade to Puppet Server version 8.6.3 on a Debian 12 (Bookworm) system.
Use a node block with a regex pattern that includes negative lookahead, such as: node /^aws-server\d{2}-(af|ap|ca|eu|me|sa|us)-(central|(north|south)?(east|west)?)-\d(?!\.test)/
Attempt to classify a node matching this pattern, e.g., aws-server01-us-west-1.domain.com (which should match) and aws-server01-us-west-1.test.domain.com (which should not match).
Observe that the Puppet agent on the node that should match (e.g., aws-server01-us-west-1.domain.com) throws the following error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Cannot find definition Node on node aws-server01-us-west-1.domain.com

Environment

Version 8.6.3
Platform Debian 12 (Bookworm)

Additional Context

This issue only seems to occur after upgrading to Puppet Server 8.6.3. Previous versions did not experience this problem. The issue appears related to the handling of negative lookahead (?!) within the regex engine used by Puppet Server.

This is a regression introduced by https://github.com/puppetlabs/puppet/pull/9420 as puppetserver calls puppet as a library when compiling the catalog.

It works when using puppet 8.8.1

# cat /etc/puppetlabs/code/environments/production/manifests/site.pp 
node /^aws-server\d{2}-(af|ap|ca|eu|me|sa|us)-(central|(north|south)?(east|west)?)-\d(?!\.test)/ {
  notify { "matched": }
}

node default {
  notify { "no match": }
}

# puppet --version
8.8.1

# puppet agent -t --certname aws-server01-us-west-1.test.domain.com --ssldir /tmp/aws-server01-us-west-1.test.domain.com
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from folksy-dystopia:8140 (10.16.112.127)
Notice: Catalog compiled by folksy-dystopia
Info: Caching catalog for aws-server01-us-west-1.test.domain.com
Info: Applying configuration version '1727201731'
Notice: no match
Notice: /Stage[main]/Main/Node[default]/Notify[no match]/message: defined 'message' as 'no match'
Notice: Applied catalog in 0.01 seconds

# puppet agent -t --certname aws-server01-us-west-1.domain.com --ssldir /tmp/aws-server01-us-west-1.domain.com
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from folksy-dystopia:8140 (10.16.112.127)
Notice: Catalog compiled by folksy-dystopia
Info: Caching catalog for aws-server01-us-west-1.domain.com
Info: Applying configuration version '1727201737'
Notice: matched
Notice: /Stage[main]/Main/Node[__node_regexp__aws-serverd2-afapcaeumesaus-centralnorthsoutheastwest-d.test]/Notify[matched]/message: defined 'message' as 'matched'
Notice: Applied catalog in 0.01 seconds

But not with 8.9.0

# yum install puppet-agent-8.9.0
...
Upgraded:
  puppet-agent-8.9.0-1.el8.x86_64

# systemctl reload puppetserver

# puppet agent -t --certname aws-server01-us-west-1.test.domain.com --ssldir /tmp/aws-server01-us-west-1.test.domain.com
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from folksy-dystopia:8140 (10.16.112.127)
Notice: Catalog compiled by folksy-dystopia
Info: Caching catalog for aws-server01-us-west-1.test.domain.com
Info: Applying configuration version '1727201856'
Notice: no match
Notice: /Stage[main]/Main/Node[default]/Notify[no match]/message: defined 'message' as 'no match'
Notice: Applied catalog in 0.01 seconds

# puppet agent -t --certname aws-server01-us-west-1.domain.com --ssldir /tmp/aws-server01-us-west-1.domain.com
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from folksy-dystopia:8140 (10.16.112.127)
Notice: Catalog compiled by folksy-dystopia
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Cannot find definition Node on node aws-server01-us-west-1.domain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

The server's log contains


024-09-24T11:17:42.678-07:00 ERROR [qtp1804702662-152] [puppetserver] Puppet Cannot find definition Node on node aws-server01-us-west-1.domain.com
2024-09-24T11:17:42.680-07:00 ERROR [qtp1804702662-152] [puppetserver] Puppet Server Error: Cannot find definition Node on node aws-server01-us-west-1.domain.com
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/errors.rb:159:in `fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/resource.rb:80:in `block in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:59:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:53:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/resource.rb:75:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:227:in `evaluate_ast_node'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:136:in `block in compile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:59:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:53:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:136:in `block in compile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:64:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:288:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:125:in `compile'

puppetlabs / puppet