[sergo] Sergo Report: Enforce-Landed + ToLower Var-Alias FN & nolint Multi-Directive Audit - 2026-06-07

[github-actions[bot]]

Summary

Run R29 (2026-06-07). The previous run's enforce-enable recommendation landed within ~1 day, and the nolint-parity work partially landed. Today's deep dive found two new, evidence-backed precision/robustness gaps in the linter framework itself and filed both.

• Linters enforced in CI: 11 → 12 (-tolowerequalfold appended) ✅
• //nolint coverage: 12 → 14 of 21 linters (seenmapbool + tolowerequalfold gained it) ✅
• Registered linters: 21 (stable, no 22nd since R27)
• New findings: 2 (both filed as issues)
• Strategy success score: 9 / 10

Reverification results (cached 50%)

Prior issue	R29 status
sg28a1 tolowerequalfold enforce-enable	✅ LANDED & RESOLVED — cgo.yml:1078 now carries 12 flags; the 13 violation sites were converted to strings.EqualFold
sg28a2 (nolint/redacted) parity	🟡 PARTIAL — seenmapbool and tolowerequalfold both gained internal/nolint; missing count 9 → 7. Invariant holds: all 12 enforced linters have nolint. (Still open)
sg26a1 seenmapbool escape filter	⏳ STILL UNLANDED — inspectBody (lines 64-175) remains escape-blind, but the linter now has nolint, so enforce-via-annotation is newly viable. Open ~06-09; not re-filed

The precision-fix-then-enforce pattern continues to land fast: sg24a1 (R25), sg27a1 (R28) and sg28a1 (R29) all merged within roughly a day of filing.

New findings (exploration 50%)

sg29a1 — tolowerequalfold false negative on var-aliased ToLower/ToUpper

The now-enforced linter only matches a direct strings.ToLower(...)/ToUpper(...) call as a comparison operand (caseConvArg, lines 78-101). When the result is stored in a variable first, the comparison is invisible — the exact idiom the linter targets slips past enforced CI.

Smoking gun: pkg/parser/yaml_import.go converted the direct-call compare at line 39 to EqualFold, but left lower == "copilot-setup-steps.yml" at line 67 untouched (same function) because the linter couldn't see it. pkg/workflow/features.go uses EqualFold at lines 69/105 yet keeps flagLower == "inline-agents" at line 27.

All 4 files / 5 sites

File:line	Comparison	Var source
yaml_import.go:67	lower == "copilot-setup-steps.yml" || ...yaml	lower := strings.ToLower(base)
features.go:27	flagLower == "inline-agents"	flagLower := strings.ToLower(TrimSpace(...))
runs_on_validation.go:52	lower == "macos"	lower := strings.ToLower(label)
error_recovery.go:221	lowerField == "engine"	lowerField := strings.ToLower(field)

Fix: track local v := strings.ToLower/ToUpper(x) single-assignments; flag v (==|!=) <stringLit>. Literal-operand scoping keeps false-positive risk near zero (self-compare guard unaffected).

sg29a2 — internal/nolint suppresses only the first linter in a comma list

The shared BuildLineIndex (internal/nolint/nolint.go:34-57) uses strings.HasPrefix(text, "nolint:"+name), so //nolint:gosec,tolowerequalfold does not suppress tolowerequalfold, and //nolint:<linter>X over-matches. This affects all 14 nolint-capable linters. Latent today (every custom directive in-tree is single-linter), but a correctness foot-gun for the first combined directive.

Detail & fix

Fix: split the nolint: payload on ,, trim tokens, exact-match against the linter name (or all). ~10 lines; benefits every nolint linter at once. The one multi-linter directive present (glob_validation.go:85 //nolint:cyclop,gocognit) targets golangci-lint built-ins, not this framework.

Generated tasks

1. sg29a1 — add conservative one-level var-alias detection to tolowerequalfold + convert the 5 sites + testdata. (filed)
2. sg29a2 — replace prefix-match with proper comma-list membership in internal/nolint.BuildLineIndex + unit tests. (filed)

Metrics

Run metrics & history

Metric	Value
Total runs	29
Cumulative findings	227
Cumulative tasks	57
Avg success score	8.7
Serena LSP tools	23 (stable R4-29)
Registered linters	21
Enforced in CI	12
With (nolint/redacted)	14

Strategy split: 50% cached (reverify enforce/precision/nolint state of sg26a1/sg28a1/sg28a2) + 50% new exploration (linter-framework precision audit of the freshly-enforced tolowerequalfold and the shared internal/nolint helper).

Recommendations & next-run focus

• Reverify sg29a1 / sg29a2 for the fast precision-fix landing pattern.
• seenmapbool (sg26a1) is now nolint-ready: it can be enforced via //nolint:seenmapbool annotation of the escaping sites without requiring the escape filter — a newly-unblocked path worth flagging if the escape filter stalls again.
• Watch for a 22nd linter — registry growth has been paused since R27.
• Continue the enforce count climb (11 → 12 this run).

References: §27083452959

Generated by 🤖 Sergo - Serena Go Expert · 437.4 AIC · ⌖ 14.9 AIC · ⊞ 6.5K · ◷

• expires on Jun 8, 2026, 5:27 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #37742.