[sergo] Sergo Report: reverify-plus-unchecked-type-assertion-audit - 2026-05-25

[github-actions[bot]]

Executive Summary

Run 18 reverified the three open Sergo-tracked findings and ran a new audit on unchecked single-value type assertions (.(T) without , ok) in production Go code. The reverify is the headline: #aw_sg17a2 (magic time.Sleep literals) is FULLY RESOLVED — all six previously-flagged literals in pkg/cli/ now use named time.Duration constants (trialRepoInitDelay, betweenWorkflowsDelay, mcpScriptsServerStartupDelay, mcpScriptsServerShutdownDelay, mcpStdioServerStartupDelay, mcpProcessCleanupDelay). Resolution path: the named_duration pattern established last run is now load-bearing across pkg/cli/. #aw_sg14a1 (silent syscall discards, 10 sites) and #aw_sg17a1 (16 prod panic() sites with unenforced panicinlibrarycode linter) are unchanged — line-drift only on two files, no new sites, no fixes.

The new audit (50% novel exploration) turned up one clean high-value finding: pkg/cli/project_command.go:159 calls project["id"].(string) without the , ok form while the very same project map is ok-checked for "url" (L167) and "number" (L172). The asymmetry is the smoking gun — same variable, same trust boundary (a GraphQL response), three sibling reads, two defended, one not. A null or missing id from a future or malformed GitHub GraphQL response panics the CLI. Fix is six lines and mirrors the pattern already used three lines below. Filed as #34580. The other unchecked .(T) sites found across pkg/ are either local-literal safe-by-construction, sync.Map/sync.Pool single-type idioms, or the pass.ResultOf[inspect.Analyzer].(*inspector.Inspector) framework idiom — flagged in the issue body for awareness but no action recommended.

Success score: 9/10. One new high-quality issue, one finding fully resolved between runs, clear evidence of the codebase absorbing prior Sergo recommendations.

🛠️ Serena Tools Update

Tools Snapshot

• Total Tools Available: 23
• New Tools Since Last Run: None
• Removed Tools: None
• Modified Tools: None
• Stability: 14 consecutive runs (R4–R18) with the same 23-tool surface

Tool Capabilities Used Today

Tool	Purpose in R18
activate_project	Warm Serena LSP for /home/runner/work/gh-aw/gh-aw (6.7 s — cold container)
Grep (preferred over find_symbol for broad patterns)	Located unchecked .(T) sites across 250 files; verified panic-site count; located time.Sleep call sites
Read	Confirmed each finding's context — createProject envelope validation, sibling , ok checks
gh api search/issues	Duplicate detection — confirmed no open issue exists for unchecked type assertions; #33459 already tracks #aw_sg14a1. Bridge wraps results in a recursive envelope when total_count is real — workaround: filter select(.html_url)

📊 Strategy Selection

Strategy name: reverify-plus-unchecked-type-assertion-audit

Cached Reuse Component (50%)

• Previous Strategy Adapted: The reverify-plus-X template (R13–R17, five consecutive runs, avg success 8.6/10)
• Why Reused: Reverify caught two prior fixes inside one cycle (#aw_sgar1/#aw_sgar2 in R12, #aw_sg15a1/#aw_sg15a2 in R16, #aw_sg16a1 in R17). This run continued the streak: #aw_sg17a2 resolved within one run of being flagged.
• Modifications: Reverified all three currently-open findings (#aw_sg14a1, #aw_sg17a1, #aw_sg17a2) using only Grep (LSP not needed for line-count comparisons against cached site lists). Avoided the 70 s+ broad find_symbol calls noted in the tools-cache gotchas.

New Exploration Component (50%)

• Novel Approach: Audit unchecked single-value type assertions .(T) (no , ok) in production code. Not in completed_scans cache. Panic-risk pattern complementary to (but distinct from) #aw_sg17a1's explicit panic() audit.
• Tools Employed: Grep extended regex, Read for context verification.
• Hypothesis: Expected 5–20 unchecked sites; most idiomatic, 1–3 real bug-risks at trust boundaries.
• Target Areas: pkg/cli/, pkg/workflow/, pkg/parser/, pkg/linters/ (all .go, excluding _test.go).

Combined Strategy Rationale

Reverify locks in cumulative value (catches regressions and resolutions); the type-assertion audit extends the panic-risk taxonomy started by #aw_sg17a1. Together they cover both explicit panic paths (panic(...)) and implicit panic paths (.(T) without , ok) — a complete picture of the codebase's runtime-failure surface.

🔍 Analysis Execution

Codebase Context

• Total Go files scanned: ~250 production files in pkg/ (excluding _test.go)
• Type-assertion expressions counted: 1,487 (across all kinds — switches, , ok, framework idioms, etc.)
• Unchecked single-value .(T) sites in production: ~12 (after excluding .(type) and , ok forms)
• After idiom-filter (sync.Pool/Map, framework, safe-by-construction): 1 actionable

Findings Summary

• Total Issues Found (new): 1 actionable + 6 informational
• Critical: 0
• High: 1 — #34580 unchecked project["id"].(string) (issue created)
• Medium: 0 new (existing open: #aw_sg14a1, #aw_sg17a1)
• Low / informational: 6 (table in #34580 issue body)

📋 Detailed Findings

High Priority — NEW

#34580 — Unchecked project["id"].(string) at pkg/cli/project_command.go:159

• Why it matters: Same project map (a map[string]any from a GraphQL response) is ok-checked for "url" (L167) and "number" (L172). The "id" read is the only unchecked sibling.
• Impact: A null / missing / unexpectedly-typed id in the GraphQL response panics the CLI instead of returning "failed to get project ID from response".
• Fix size: ~6 LOC, mirrors the pattern three lines below.
• Filed as issue with full repro + fix snippet (tracked via #34580).

Open Findings — Reverified

ID	State	Sites	Δ from R17	Notes
#aw_sg17a2 magic time.Sleep	✅ FULLY RESOLVED	6 → 0	All 6 now use named constants	named_duration pattern adopted; fastest fix yet (1 run)
#aw_sg14a1 silent syscall discards	↔️ unchanged	10 (4 os.Setenv + 6 os.Chdir)	Line drift only	Tracked by open issue #33459
#aw_sg17a1 panic() in library code	↔️ unchanged	16 prod sites	Line drift on 4 sites (agentic_engine 463→464, claude_tools 179→185, model_aliases 84→86, strings 176→177)	Linter registered cmd/linters/main.go:43 but cgo.yml:1040 runs LINTER_FLAGS=-errstringmatch -test=false only

Informational — Unchecked `.(T)` sites that are safe-by-convention

File:Line	Pattern	Safety Argument
pkg/cli/jsonworkflow_to_markdown.go:448	intervalType.(string)	parts["_interval"] is populated only by this function with string values
pkg/cli/jsonworkflow_to_markdown.go:455	intervalType.(string)	Same as above
pkg/workflow/safe_outputs_workflow_helpers.go:41	tool["inputSchema"].(map[string]any)[...]	Map literal constructed 4 lines above; cannot fail
pkg/workflow/mcp_scripts_generator.go:61	inputSchema["properties"].(map[string]any)	Map literal 2 lines above; cannot fail
pkg/workflow/yaml.go:173	cached.(*regexp.Regexp)	sync.Map stores only *regexp.Regexp
pkg/workflow/repository_features_validation.go:185, 212	cached.(*RepositoryFeatures), actual.(*RepositoryFeatures)	sync.Map / OnceLoader[T] invariant
pkg/cli/workflows.go:357	workflowTitleScannerBufferPool.Get().(*[]byte)	sync.Pool stores only *[]byte
pkg/linters/* (12 sites)	pass.ResultOf[inspect.Analyzer].(*inspector.Inspector)	go/analysis framework idiom — required form

✅ Improvement Tasks Generated

Task 1 — #34580 Fix unchecked project["id"].(string)

• Severity: High (for the affected code path)
• Effort: Small (~6 LOC)
• Scope: Single file, single function (createProjectFromConfig block in project_command.go)
• Validation: Existing tests + optional new TestCreateProject_MissingID table case

📈 Success Metrics

This Run

• Findings Generated: 1 actionable + 6 informational + 3 reverified
• Tasks Created: 1 (#34580)
• Issues Created: 1
• Files Analyzed: ~250 (pkg/**/*.go excluding _test.go)
• Success Score: 9/10

Reasoning for Score

• Findings Quality: 4/4 — #34580 is a clear inconsistency-with-sibling-code bug-risk, not a stylistic nit. Self-fixing PRs land easily on patterns like this.
• Coverage: 2/3 — broad scan of pkg/ but no deep LSP cross-reference (deliberate; Grep was sufficient).
• Task Generation: 3/3 — exactly the right number (1) for the actionable signal density today.
• Bonus: #aw_sg17a2 fully resolved in one cycle — Sergo's named_duration recommendation taken up immediately.

📊 Historical Context

Strategy Performance (R13–R18)

Run	Date	Strategy	Findings	Issues	Score
R13	2026-05-19	reverify-plus-errstringmatch	8	2	9
R14	2026-05-20	reverify-plus-silent-syscall	11	1	8
R15	2026-05-21	reverify-plus-error-comparison	11	2	8
R16	2026-05-23	reverify-plus-test-seam-vars	9	1	9
R17	2026-05-24	reverify-plus-panic-linter-and-sleep	9	2	9
R18	2026-05-25	reverify-plus-unchecked-type-assertion	7	1	9

Cumulative Statistics (through R18)

• Total Runs: 18
• Total Findings: 161
• Total Tasks Generated: 40
• Average Success Score: 8.56/10
• Most Successful Strategy Family: reverify-plus-* (avg 8.67/10 across 6 uses; 4 of 5 prior open findings resolved within ≤2 cycles)

🎯 Recommendations

Immediate Actions

1. #34580 — Apply the 6-LOC fix to project_command.go:159. Smallest issue Sergo has filed in months; easy win.
2. #aw_sg17a1 — Make a decision: refine the panicinlibrarycode linter to skip the established idiomatic patterns (sync.Once.Do init-load, BUG: prefix, init() registration failures, defense-in-depth preconditions), OR annotate the 16 sites with //nolint + justification, OR retire the linter. Current state — registered but unenforced via cgo.yml:1040's positive-allowlist LINTER_FLAGS=-errstringmatch -test=false — is the worst of three worlds (dev-time intent without CI enforcement).
3. #aw_sg14a1 — Open issue Silent error discards on os.Setenv / os.Chdir in pkg/cli (10 prod sites) #33459 covers this. No new Sergo action.

Long-term Improvements

• Consider a new linter unchecktypeassert that warns on .(T) (single-value form) except in the documented safe contexts: sync.{Map,Pool} callbacks, go/analysis framework, and immediately-after-literal-construction. The taxonomy is concrete enough to encode.
• Codebase has converged on excellent patterns (OnceLoader[T], actionUpdateDeps deps-struct, named_duration, errors.Is for stdlib-unwrapped sentinels). Sergo can shift more weight toward auditing new code for adoption rather than legacy-cleanup.

🔄 Next Run Preview

Suggested Focus Areas

• Audit error-wrapping consistency: %w vs %v for wrapped errors in pkg/workflow/ (large surface, no prior scan).
• Audit defer ordering / placement: are defer mu.Unlock() calls always immediately after mu.Lock()?
• Verify #34580 fixed and #aw_sg17a1/#aw_sg14a1 still unchanged.

Strategy Evolution

Continue the reverify-plus-X template — it's been the most productive format (6 consecutive uses, all scoring 8–9). Rotate the X audit dimension to keep coverage broad without losing the reverify backbone.

---

Generated by Sergo - The Serena Go Expert
Run ID: 26384351150
Strategy: reverify-plus-unchecked-type-assertion-audit

References:

• §26384351150 — this run
• Unchecked type assertion in pkg/cli/project_command.go — panics on malformed GraphQL response (#aw_sg18a1) #34580 — new issue tracking project_command.go:159 unchecked type assertion
• Silent error discards on os.Setenv / os.Chdir in pkg/cli (10 prod sites) #33459 — existing tracking issue for #aw_sg14a1 (silent syscall discards)

Generated by 🤖 Sergo - Serena Go Expert · opus47 25.4M · ◷

• expires on May 26, 2026, 5:24 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-26T05:24:19.176Z.

Closed by Workflow