feat(enrichment): add unsafe-any TypeScript counter analyzer #3322

Closed
jaso0n0818 wants to merge 1 commit into JSONbored:main from jaso0n0818:feat/unsafe-any-analyzer-2017

@jaso0n0818

Contributor

Closes #2017

What

A new local REES analyzer, `unsafeAny`, that counts and locates explicit `any` usage a PR ADDS in TypeScript — a `: any` annotation, an `as any` cast, or an `<any>` assertion/type-argument. A type-safety-erosion signal a reviewer can weigh. Structural regex only (no type-checker), pure, no network.

Detection

  • TS-gated: only `.ts`/`.tsx`/`.mts`/`.cts` files are scanned, so JS or prose can't false-positive on the word `any`.
  • Three kinds, each matched with `\bany\b` so `anyOf`/`anything`/`Company` never match:
    • annotation: `: any`
    • cast: `as any`
    • assertion — an explicit `any` inside an angle-bracket type-argument / assertion list, not only the bare `<any>`: `Record<string, any>`, `Map<string, any>`, `Promise<any[]>`, and `Array<any>` are all surfaced (a nested generic matches on its innermost `<…>` group)
  • Cheap best-effort string/comment avoidance (per the issue's "ignoring occurrences inside string/comment where cheaply detectable"): string literals are blanked via `secret-log.ts`'s `codeOnly`, same-line `/* */` and trailing `//` comments are stripped, and a JSDoc/comment continuation line (trimmed starts with `*`) is skipped. So `"cast as any"` in a string, `// treat as any value`, and `* @param p : any` are not counted, while `const v: any = load(); // TODO` still is. Known limitation (documented in the source, not claimed as a guarantee): cross-line block-comment state is not tracked, so an `any` on a continuation line of a multi-line `/* … */` comment that does not begin with `*` can still be counted — a rare, accepted false positive of the cheap-strip approach the issue explicitly scopes to "where cheaply detectable".
  • Kinds are de-duplicated per line; added lines only, line-cited via hunk headers, with the shared `\ No newline` line-counter fix; findings capped (`maxFindings: 25`) per file and globally.

Registration

Registered as a local descriptor (category `quality`, cost `local`, requires `["files"]`) with an inline `render()`, following the `redos`/`todoMarker` descriptor shape. All wiring updated: `types.ts` (`UnsafeAnyFinding` + `unsafeAny?` key), `render.ts`, `analyzer-registry.test.ts`, root `src/review/enrichment-analyzer-names.ts`, root `test/unit/enrichment-wire.test.ts`, and the generated `analyzer-metadata.json` / `rees-analyzers.ts` / `.env.example` via `node scripts/generate-analyzer-metadata.mjs`.

Tests

`review-enrichment/test/unsafe-any.test.ts` (13 tests) covers: annotation vs cast vs assertion (including `Array<any>`), `any` inside multi-argument / compound / nested generic type arguments (`Record<string, any>`, `Promise<any[]>`, `Map<string, any>`, `Map<K, Set<any>>`) surfaced as assertions while a no-`any` generic (`Record<string, number>`) is not, multiple distinct kinds on one line de-duplicated, word-boundary rejection (`anyOf`/`anything`/`Company`), string/line-comment/block-comment/JSDoc suppression, a real annotation with a trailing comment still counted, non-TS files skipped (`.js`/`.md`), added-line scanning with exact locations, added-lines-only with line-number accuracy across mixed hunks, the per-file cap + `maxFindings: 0`, the entrypoint's TS-only gating + global cap across files, the no-files case, and the rendered brief section. Analyzer metadata is regenerated and committed.

jaso0n0818 requested a review from JSONbored as a code owner July 5, 2026 02:12
@superagent-security

Superagent didn't find any vulnerabilities or security issues in this PR.

gittensory-orb Bot added the gittensor:feature label (Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier) Jul 5, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 5, 2026

Caution

🛑 Gittensory review result - reject/close recommended

Review updated: 2026-07-05 03:54:20 UTC

11 files · 1 AI reviewer · 1 blocker · readiness 62/100 · CI green · clean

🛑 Suggested Action - Reject/Close

  • AI reviewers agree on a likely critical defect: review-enrichment/src/analyzers/unsafe-any.ts:46 treats every code line whose trimmed text starts with `*` as documentation, so a valid added generator method like `*load(): any {}` or `async *load(): AsyncGenerator<any> {}` is skipped entirely
  • narrow this to actual comment-continuation lines, for example by moving JSDoc skipping before `toCode` and requiring a comment-shaped raw line such as `/^\s*\*\s/.test(line)` plus a regression test for generator methods. — Resolve the flagged defect, or override if the AI reviewers are mistaken, then re-run the gate.

Review summary
This adds a focused local analyzer for explicit TypeScript `any` usage, wires it through the descriptor/render/name surfaces, and covers the main patch-scanning and rendering paths. The registry/metadata/UI wiring is coherent, but the comment-continuation heuristic suppresses a real TypeScript syntax form, so the analyzer misses added generator methods that introduce `any`. The tests cover ordinary annotations/casts/assertions and caps, but not this reachable `*method(): any` path.

Blockers

  • review-enrichment/src/analyzers/unsafe-any.ts:46 treats every code line whose trimmed text starts with `*` as documentation, so a valid added generator method like `*load(): any {}` or `async *load(): AsyncGenerator<any> {}` is skipped entirely; narrow this to actual comment-continuation lines, for example by moving JSDoc skipping before `toCode` and requiring a comment-shaped raw line such as `/^\s*\*\s/.test(line)` plus a regression test for generator methods.
Nits — 6 non-blocking
  • review-enrichment/src/analyzers/registry.ts:910 says an assertion finding is always an `<any>` assertion/type-argument, but this analyzer also flags `Record<string, any>` and `Promise<any[]>`, so the wording should not imply only the bare `<any>` form.
  • review-enrichment/src/analyzers/unsafe-any.ts:21 calls every angle-bracket generic match an `assertion`, which is consistent with the new union but a little misleading for `Array<any>`/`Record<string, any>` type arguments; consider a name like `angleType` or clearer docs if this leaks into reviewer-facing text.
  • review-enrichment/test/unsafe-any.test.ts:35 covers dedupe by repeated casts only; add a repeated assertion or annotation case if dedupe-by-kind is intended across all three matchers.
  • Add a regression in `review-enrichment/test/unsafe-any.test.ts` for `detectUnsafeAny("*load(): any {")` and, if supported, `detectUnsafeAny("async *load(): AsyncGenerator<any> {")`.
  • Update the `assertion` explanation in `review-enrichment/src/analyzers/registry.ts` to say the line contains an explicit `any` in an angle-bracket type/assertion form, matching the analyzer’s actual scope.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.

Why this is blocked

  • review-enrichment/src/analyzers/unsafe-any.ts:46 treats every code line whose trimmed text starts with `*` as documentation, so a valid added generator method like `*load(): any {}` or `async *load(): AsyncGenerator<any> {}` is skipped entirely; narrow this to actual comment-continuation lines, for example by moving JSDoc skipping before `toCode` and requiring a comment-shaped raw line such as `/^\s*\*\s/.test(line)` plus a regression test for generator methods.

| Signal | Result | Evidence |
| --- | --- | --- |
| Code review | ❌ 1 blocker | 1 reviewer |
| Linked issue | ✅ Linked | #2017 |
| Related work | ⚠️ 3 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Change scope | ❌ 8/20 | High review scope from cached public metadata (1 linked issue). |
| Validation posture | ❌ 5/25 | Preflight is holding this PR: the review lane is unavailable, so it is not ready for automated review. |
| Contributor workload | ✅ 10/10 | Author activity: 444 registered-repo PR(s), 267 merged, 7 issue(s). |
| Contributor context | ✅ Confirmed | Gittensor contributor jaso0n0818; Gittensor profile; 444 PR(s), 7 issue(s). |
| Gate result | ❌ Blocking | Repo-configured hard blocker found. |

Review context
  • Author: jaso0n0818
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 444 PR(s), 7 issue(s).
  • Related work: Titles/paths share 5 meaningful terms. (issue #2025, issue #1514)
  • Related work: Titles/paths share 7 meaningful terms. (issue #2025, issue #2017)
  • Related work: Titles/paths share 7 meaningful terms. (issue #2025, issue #2033)
  • Additional title-only matches omitted; title-only overlap does not block.
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Await review-lane availability.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
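
The blocker in the review above, reproduced as an added example (not the PR's code): a regex-only `any` detector run once with the broad "trimmed line starts with `*`" skip and once with the narrowed `/^\s*\*\s/` check. `stripNoise`, `detectAny`, `broadSkip`, `narrowSkip`, `missedByBroadSkip` and the sample lines are hypothetical names and constructed input.

```typescript
// Added illustration: all names are hypothetical, not the PR's source.
type AnyKind = "annotation" | "cast" | "assertion";

const MATCHERS: [AnyKind, RegExp][] = [
  ["annotation", /:\s*any\b/],
  ["cast", /\bas\s+any\b/],
  ["assertion", /<[^<>]*\bany\b[^<>]*>/], // innermost <...> group containing `any`
];

// Cheap same-line cleanup: blank string literals, drop /* */ and trailing // comments.
function stripNoise(line: string): string {
  return line
    .replace(/(["'`])(?:\\.|(?!\1).)*\1/g, '""')
    .replace(/\/\*.*?\*\//g, " ")
    .replace(/\/\/.*$/, "");
}

// Skip rule as the review describes it: trimmed text starts with `*`.
const broadSkip = (raw: string): boolean => raw.trim().startsWith("*");
// Narrowed rule from the review: raw line is `*` followed by whitespace.
const narrowSkip = (raw: string): boolean => /^\s*\*\s/.test(raw);

function detectAny(raw: string, skip: (l: string) => boolean): AnyKind[] {
  if (skip(raw)) return []; // decided on the raw line, before any stripping
  const code = stripNoise(raw);
  return MATCHERS.filter(([, re]) => re.test(code)).map(([kind]) => kind);
}

// Constructed added lines (not taken from the PR diff).
const SAMPLE: string[] = [
  " * @param p : any",                              // JSDoc continuation
  "*load(): any {}",                                // generator method
  'const s = "cast as any"; // treat as any value', // string + comment only
  "const v: any = load(); // TODO",                 // real annotation
  "const m = x as any as Map<string, any>;",        // two kinds, one line
  "* load(): any {}",                               // generator, space after `*`
];

// Lines the broad rule drops although the narrowed rule reports a finding.
function missedByBroadSkip(lines: string[]): string[] {
  return lines.filter(
    (l) => detectAny(l, broadSkip).length === 0 && detectAny(l, narrowSkip).length > 0,
  );
}

console.log(missedByBroadSkip(SAMPLE));
```

The last sample line shows that the narrowed pattern still treats a generator written with a space after the star as a comment continuation, so a regression test should pin which spellings are covered.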


@codecov

codecov Bot commented Jul 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.87%. Comparing base (c556d78) to head (08b5125).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3322   +/-   ##
=======================================
  Coverage   93.87%   93.87%           
=======================================
  Files         277      277           
  Lines       30522    30522           
  Branches    11114    11114           
=======================================
  Hits        28654    28654           
  Misses       1211     1211           
  Partials      657      657           

| Files with missing lines | Coverage Δ |
| --- | --- |
| src/review/enrichment-analyzer-names.ts | 100.00% <ø> (ø) |

@gittensory-orb

gittensory-orb Bot commented Jul 5, 2026

Gittensory is closing this pull request on the maintainer's behalf (AI reviewers agree on a likely critical defect: review-enrichment/src/analyzers/unsafe-any.ts:46 treats every code line whose trimmed text starts with `*` as documentation, so a valid added generator method like `*load(): any {}` or `async *load(): AsyncGenerator<any> {}` is skipped entirely; narrow this to actual comment-continuation lines, for example by moving JSDoc skipping before `toCode` and requiring a comment-shaped raw line such as `/^\s*\*\s/.test(line)` plus a regression test for generator methods.). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs may be analyzed later to improve review accuracy, but they are not automatically reopened or re-reviewed.

gittensory-orb Bot closed this Jul 5, 2026