[sergo] Sergo Report: Helper-Adoption Followup + Error-Comparison Audit - 2026-05-17

[github-actions[bot]]

Executive Summary

Run 12 confirmed four of five outstanding Sergo findings from Runs 10–11 are now fixed in main: context propagation to ResolveSHA (#aw_sgar1), AWFProxyLogsDir literal (#aw_sgar2), filepath.Join env-override bypass (#aw_sgbo1), and stub init() functions (#aw_sgbo2). The lone holdout is Run 8 #aw_sg8a2 (HTTP 30 * time.Second literal at 4 sites, 13+ days unfixed) — cache tracks it, not re-filing.

New error-comparison audit found healthy sentinel-error discipline (4 sentinels, all checked via errors.Is, zero direct ==) but two cases of helper-underadoption for gh-CLI error detection: isPermissionError (in pkg/cli/audit.go) duplicated across 3+ sites, and isNotFoundError (in pkg/parser/remote_fetch.go, unexported) reimplemented inline at 4 pkg/cli sites — with one site (outcome_eval_comment.go:34) silently buggy due to case-sensitive matching.

Serena Tools Update

• Total Tools Available: 23 (stable for 9 consecutive runs)
• New / Removed / Modified: None
• Tools Used Today: activate_project, find_symbol (with --relative_path for fast single-file lookups, ~100ms), think_about_collected_information
• Confirmed: find_symbol with --relative_path constraint is fast (~100ms) — useful for chasing one symbol through one file without paying broad-query cost.

Strategy Selection

Cached Reuse (50%): Extended the long-running helper-underadoption thread (Runs 8/9/10/11) by re-auditing every outstanding finding from the last three runs. Theme has scored 9/10 for four consecutive runs.

New Exploration (50%): Error-comparison audit — sentinel error definitions, errors.Is/errors.As adoption, err == sentinel anti-patterns, error type assertions, and strings.Contains(err.Error(), ...) fragile matching. This dimension had not been audited in prior runs.

Combined rationale: Cached half verifies that the helper-underadoption findings actually drive fixes (closing the feedback loop). New half checks the previously-unscanned error-comparison axis — finding fits the same theme (helpers exist, are bypassed), which strengthens the pattern.

Analysis Execution

• Total Go files (non-test) in pkg/: 800
• Total non-test LOC in pkg/: 191,149
• Focus: gh-CLI error detection sites, sentinel-error definitions and usages, prior-run finding sites for fix verification.

Cached-followup findings (verification)

Cached issue	Status	Notes
Run 8 #aw_sg8a2 HTTP 30s timeout	STILL OPEN	4 sites still literal; no DefaultHTTPClientTimeout in pkg/constants after 13+ days. Cache tracks; not re-filing.
Run 10 #aw_sgar1 context.Background→ResolveSHA	FIXED ✓	All 5 prod sites now propagate context.
Run 10 #aw_sgar2 AWFProxyLogsDir literal	FIXED ✓	engine_firewall_support.go:104 now uses constant.
Run 11 #aw_sgbo1 filepath.Join env-override bypass	FIXED ✓	All 5 split-segment sites gone. Only fix_command.go:410 remains as a search needle (defensible).
Run 11 #aw_sgbo2 stub init() functions	FIXED ✓	init() count in pkg/ dropped from 11 → 8; all 8 remaining are legitimate.

New error-comparison findings

Pattern	Count	Verdict
var Err... = errors.New(...) sentinel definitions	4	All checked via errors.Is — excellent
Direct err == sentinel comparisons	0 (zero!)	Perfect
Type-assertion error checks (err.(*Foo))	0	Perfect
errors.Is / errors.As callsites	74 across 50 files	Heavy adoption
strings.Contains(err.Error(), ...) fragile matching	11 prod sites	All for gh-CLI — see findings below
== context.Cancelled/== context.DeadlineExceeded/!= http.ErrServerClosed	4	Defensible (stdlib contract guarantees direct sentinel return); minor modernization possible

Detailed Findings

High Priority

Finding 1 — isPermissionError helper underadoption → Issue #aw_sgcr1

Centralized helper exists at pkg/cli/audit.go:250 with five signal substrings. 3 prod sites bypass it:

• pkg/cli/logs_download.go:312 — single-substring check (exit status 4), narrower than helper
• pkg/cli/logs_download.go:802 — same pattern, second site in same file
• pkg/cli/logs_github_api.go:286-291 — inlines its own five substrings, with a different superset (adds "To use GitHub CLI in a GitHub Actions workflow" not in the helper)

The inline lists have already drifted, which is exactly the drift-cost the helper exists to prevent. Issue body proposes consolidation + optional errors.As(err, &exitErr) + ExitCode() upgrade path that enrichGHError (at pkg/workflow/github_cli.go:81) already partially demonstrates.

Finding 2 — isNotFoundError wrong-package + underadoption → Issue #aw_sgcr2

Helper at pkg/parser/remote_fetch.go:610 is unexported and takes a string (forces callers to call err.Error(), losing wrapping). Four pkg/cli sites reimplement inline:

Site	Signals matched	Divergence
audit.go:1037-1042	5 substrings + 1 on err.Error()	Superset (adds "Could not resolve")
outcome_eval_comment.go:34	"404", "Not Found"	Case-sensitive — silently misses lowercase "not found"
gateway_logs_mcp.go:28	"not found" only	Misses bare "404" substring
logs_download.go:316	"not found" + "410"	Mixes 404+410

The outcome_eval_comment.go case is a real silent-bug today.

Medium Priority

Finding 3 — Run 8 #aw_sg8a2 HTTP 30s timeout still open

13+ days since first filed. Still 4 sites: parser/remote_fetch.go:522, cli/agent_download.go:45, cli/mcp_registry.go:50, cli/deps_security.go:139. No DefaultHTTPClientTimeout in pkg/constants. Cache tracks; not re-filing per cache policy on long-open findings.

Low Priority (observed, not filed)

• pkg/cli/mcp_server_http.go:89: err != http.ErrServerClosed — modern idiom is errors.Is(err, http.ErrServerClosed). Single-line fix, too small to track.
• pkg/cli/secrets.go:113: comment says "if we get a 403, skip silently" but code is if !strings.Contains(err.Error(), "403") { continue } — comment/code mismatch but logic may be intentional. Flagging for human review.

Low Priority Observations (raw)

• ctx.Err() == context.DeadlineExceeded at actionlint.go:310,320, mcp_validation.go:205 — defensible per stdlib contract.
• 11 total strings.Contains(err.Error(), ...) sites in pkg/ non-test — all gh-CLI related; helper consolidation covers them.
• Sentinel errors ErrInterrupted, ErrNoArtifacts, ErrNpmNotAvailable, ErrNotGitRepository — all consumers use errors.Is; one (isErrNpmNotAvailable) wraps it in a predicate helper — exemplary pattern.

Improvement Tasks

Task 1 — Adopt isPermissionError across pkg/cli (Issue #aw_sgcr1)

Issue Type: Helper underadoption (gh-CLI auth-error detection)
Severity: Medium
Effort: Small

Widen isPermissionError to the union of inline substring sets, then replace 3 sites at logs_download.go:312, logs_download.go:802, logs_github_api.go:286-291. Optionally extract *exec.ExitError.ExitCode() so consumers can branch via errors.As instead of substring.

Validation: existing user-facing messages preserved; go test ./pkg/cli/... passes; no new "exit status 4" substring matches outside the helper.

Task 2 — Export and consolidate isNotFoundError (Issue #aw_sgcr2)

Issue Type: Helper underadoption + silent bug (wrong package, wrong signature, case-sensitivity drift)
Severity: Medium (silent false-negative at outcome_eval_comment.go:34)
Effort: Small-Medium

Move the helper to a shared package (pkg/ghapi/errors.go or pkg/errorutil), change signature to func IsNotFoundError(err error) bool, lower-case once internally, replace 4 sites.

Validation: case-sensitivity behavior unified to lowercase; 4 sites preserve current branch behavior; go test ./pkg/cli/... ./pkg/parser/... passes.

Success Metrics

• Findings: 7 (4 verifications + 2 new actionable + 1 still-open tracker)
• Tasks created: 2
• Issues filed: 2 (#aw_sgcr1, #aw_sgcr2)
• Cached findings verified: 5 of 5 (4 fixed, 1 still open)
• Success Score: 9/10

Reasoning: High-confidence verification of prior findings (4 confirmed fixed) closes the feedback loop and validates the helper-underadoption theme. New audit dimension (error comparison) discovered two clean helper-underadoption issues including one silent bug. Lost a point only because no truly novel finding category emerged — the new dimension fed back into the existing dominant theme rather than opening a new one.

Historical Context

• Total runs: 12
• Total findings: 104
• Total tasks generated: 31
• Average success score: 8.58/10
• Helper-underadoption thread: now spans 6 consecutive runs (8–12 — 5 audits since pattern coined), with three documented failure modes (literal duplication, shape mismatch, wrong-package).

Recommendations

Immediate

1. Implement Task 1 / Task 2 (helper consolidation, both low-effort).
2. Implement long-pending Run 8 #aw_sg8a2 (add constants.DefaultHTTPClientTimeout).

Longer term

• Consider creating a pkg/ghapi (or pkg/errorutil) package that hosts IsPermissionError, IsNotFoundError, and an eventual structured GHError{ExitCode, HTTPStatus} derived in enrichGHError. Two helpers cohabiting one package is the natural endpoint of the helper-underadoption thread.
• Add a lint rule to forbid strings.Contains(err.Error(), "exit status ") outside the canonical helper, since the substring pattern is the load-bearing fragile point.

Next Run Preview

Suggested Focus Areas

• Verify Task 1 / Task 2 land; check for any regressions.
• Audit a fresh dimension that has NOT yet been touched: slice/map preallocation (make([]T, 0, knownLen) adoption), string-building patterns (strings.Builder vs += vs fmt.Sprintf), or sync.Pool candidates in hot paths.
• Re-audit Run 8 #aw_sg8a2 if it remains unfixed past 30 days — escalate via different framing.

Strategy Evolution

The helper-underadoption theme has matured: now well-cataloged with three failure modes. Consider a one-off "helper coverage scan" as a single pass, then retire the theme for several runs to avoid pattern fatigue. The high success rate (5×9/10) suggests the theme is still productive but may be approaching saturation.

---

Generated by Sergo - The Serena Go Expert
Run ID: 25981825933
Strategy: helper-adoption-followup-plus-error-comparison-audit

References:

• §25981825933

Generated by 🤖 Sergo - Serena Go Expert · ● 23.5M · ◷

• expires on May 18, 2026, 5:11 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-18T05:11:00.043Z.

Closed by Workflow