[sergo] Sergo Report: reverify-plus-seenmapbool-20th-linter-escape-precision-audit - 2026-06-02

[github-actions[bot]]

🔬 Sergo Report — Run R26

Date: 2026-06-02 · Strategy: reverify-plus-new-seenmapbool-20th-linter-escape-precision-audit · Success Score: 9/10

Executive Summary

The reverify half confirmed a milestone: last run's finding sg25a1 (fmterrorfnoverbs) landed — the maintainer appended -fmterrorfnoverbs to cgo.yml:1040 (now 11 enforced linter flags) and utc_offset.go:24/29/33 now use errors.New. This is the 5th consecutive run where a registered-but-unenforced linter was audited, fixed-to-zero, and enforced within the week (R22→R26).

The exploration half found the predicted trigger: a 20th custom linter, seenmapbool, freshly registered (cmd/linters/main.go:35/59) and unenforced. It flags local map[string]bool used as a set (only ever = true) and recommends map[string]struct{}. Crucially, it breaks the near-zero streak: there are 60+ non-test local set declarations, and the analysis is escape-blind — it reports maps that are returned/passed/captured, where the struct{} fix is non-local and occasionally an outright false positive. One scoped, single-file linter-precision issue (sg26a1) was filed.

Overall code quality remains high. The custom-linter framework continues to grow (~1 new analyzer every few runs) and the enforcement discipline is strong, but seenmapbool is the first analyzer in five runs that is not trivially enforceable.

🛠️ Serena Tools Update

Tools Snapshot

• Total Serena LSP tools available: 23 (stable R4→R26, 23 consecutive runs — no change)
• New tools: None · Removed: None · Modified: None

Custom linter registry change (the meaningful delta)

• Registered linters: 19 → 20 (NEW: seenmapbool)
• CI-enforced flags (cgo.yml:1040): 10 → 11 (NEW: -fmterrorfnoverbs)

Serena capabilities used today

• activate_project — project activation (~1.3s warm)
• LSP-guided Read on analyzer + flagged sites; repository-wide pattern scan for magnitude

📊 Strategy Selection

Cached Reuse Component (50%)

Adapted: the proven reverify-plus-* loop (R22→R25, avg 9/10). Reverified sg25a1 by checking cgo.yml:1040 for -fmterrorfnoverbs and confirming utc_offset.go switched to errors.New. Result: RESOLVED & ENFORCED.

New Exploration Component (50%)

Novel approach: rather than assuming the registry was static, scanned cmd/linters/main.go for a new analyzer and found seenmapbool. Then applied an escape-analysis lens to the linter itself — auditing whether its single-function-body scan can be satisfied locally. Hypothesis (registry would grow ~1 linter / few runs): confirmed.

Combined Rationale

Reverify guarantees a high-value confirmation each run (closing the loop on prior findings) while exploration adapts to the moving registry. This run, exploration surfaced a qualitatively different linter — high-violation + imprecise — which the older "fix-to-zero then enforce" playbook does not fit, so the recommendation pivoted to a linter-precision improvement.

🔍 Analysis Execution

Codebase Context

• Focus: pkg/linters/seenmapbool, plus map[string]bool usage across pkg/workflow, pkg/cli, pkg/parser
• Magnitude scan: 266 make(map[string]bool) / map[string]bool{} occurrences across 156 files (incl. tests); 60+ non-test local set declarations

Findings Summary

• Total issues: 6 observations (1 resolved reverify + 5 around the new linter) → 1 actionable task
• Critical: 0 · High: 0 · Medium: 1 (seenmapbool precision/readiness) · Low/Informational: rest

📋 Detailed Findings

✅ Reverify — sg25a1 RESOLVED (Informational)

fmterrorfnoverbs enforced: cgo.yml:1040 now carries 11 flags ending -fmterrorfnoverbs; pkg/workflow/utc_offset.go:24/29/33 use errors.New (the fmt import is retained via Sprintf at :27). 5th consecutive enforce-landing.

⚠️ Medium — sg26a1: seenmapbool is escape-blind and not near-zero

Full analysis

What it flags: inspectBody (seenmapbool.go:128-157) collects local map[string]bool declared via :=/var, then reports any whose m[k] = ... writes are all the literal true — recommending map[string]struct{}.

Problem 1 — not near-zero / no suppression: no nolint import → no //nolint escape hatch, so fix-to-zero is the only enforce path. But there are 60+ non-test local set declarations (domains.go 9, on_needs_validation.go 6, and many seen/visited dedup maps). Enforcing as-is = large cross-cutting refactor.

Problem 2 — escape-blindness (root cause): the scan only sees the declaring function body. It cannot tell whether the map escapes via return, argument, struct field, or closure. For escaping maps, struct{} requires changing the signature and every caller read site — not local — and if a caller writes a non-true value, the report is a false positive the linter can never observe.

Confirmed escape sites (returned directly):

• toImportSet → pkg/parser/import_topological.go:48 → return :52
• managedPatternsWithInlineComment → pkg/workflow/dependabot.go:614 → return :625
• buildForbiddenFieldsMap → pkg/parser/schema_validation.go:37
• findCycleNodes → pkg/parser/import_topological.go:190
• computeEnabledToolNames → pkg/workflow/safe_outputs_tools_computation.go:10
• DetectKnownCredentialLeakingActions[/FromYAML/FromWorkflowData] → pkg/workflow/known_action_credentials.go:120/165/205

✅ Improvement Task Generated

Task 1 — sg26a1: add escape detection to seenmapbool.inspectBody before enforcing

• Severity: Medium · Effort: Small (single file: seenmapbool.go + testdata)
• Fix: drop a candidate object if its ident is returned (*ast.ReturnStmt), passed as a call arg, assigned to a struct field, or captured by a *ast.FuncLit. Re-measure residual local-only violations, then append -seenmapbool to cgo.yml:1040.
• Optional follow-up: add nolint.BuildLineIndex for per-site suppression parity (shared gap with fmterrorfnoverbs).
• Issue filed: yes (label sergo, 7d auto-expiry).

📈 Success Metrics

This Run

• Findings: 6 · Tasks created: 1 · Issues filed: 1 · Files/areas analyzed: seenmapbool + 3 packages scanned
• Score: 9/10 — reverify confirmed a clean enforce-landing (4 pts findings quality), broad magnitude scan (3 pts coverage), one tightly-scoped landable task (2 pts). Held back from 10 by the inherent uncertainty of whether the maintainer will adopt a precision-improvement vs. a bulk-conversion approach.

📊 Historical Context

Cumulative statistics

• Total runs: 26 · Total findings: 210 · Total tasks: 52 · Avg success score: 8.68/10
• Enforce-landing streak: R22→R26 (5 consecutive) — regexp/fprintln/strconv (R23), jsonmarshalignoredeerror (R24), uncheckedtypeassertion (R25), fmterrorfnoverbs (R26)
• Linters: 20 registered → 11 enforced, 9 unenforced

🎯 Recommendations

Immediate

1. sg26a1 (Medium) — make seenmapbool escape-aware, re-measure, then enforce. Frame as a single-file precision fix, not a 60-site refactor.

Long-term

• seenmapbool is the first non-near-zero registered linter in 5 runs — the fast "fix-to-zero then enforce" loop may stall here. Consider incremental, file-by-file conversion of the truly local residual sets once escape filtering lands.
• Two analyzers (fmterrorfnoverbs, seenmapbool) now lack //nolint support; adding nolint.BuildLineIndex parity would unblock pragmatic suppression.

🔄 Next Run Preview

• R27 reverify: did the seenmapbool escape-filter land? Recount residual violations.
• Exploration: watch for a 21st linter; otherwise pivot to errormessage opt-in scoping or a scoped ctxbackground (28 sites) refactor proposal.

---

Generated by Sergo — The Serena Go Expert · Run ID: 26799873398 · Strategy: reverify-plus-new-seenmapbool-20th-linter-escape-precision-audit

References: §26799873398

Generated by 🤖 Sergo - Serena Go Expert · opus48 2.3M · ◷

• expires on Jun 3, 2026, 5:24 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-03T05:24:46.691Z.

Closed by Workflow