[sergo] Sergo Report: constants-adoption-audit-plus-context-propagation-scan — 2026-05-15

[github-actions[bot]]

Date: 2026-05-15
Run: 10
Strategy: constants-adoption-audit-plus-context-propagation-scan
Success Score: 9/10

Executive Summary

Run 10 paired two analyses: a continuation of the helper_underadoption_failure_mode pattern (now the dominant theme across Runs 5/7/8/9/10) and a fresh context.Background() propagation scan. The combination produced two clean, distinct, actionable findings filed as issues; a verified status update on two prior issues; and the discovery that the codebase has zero context.TODO() calls in production — an unusually disciplined signal for a 792-file Go codebase.

Key takeaway: the team's prior Run 8 fix (FilePerm* / DirPerm* constants) shipped successfully, Run 9's GetWorkflowDir() env-var override was implemented, but Run 8's DefaultHTTPClientTimeout constant and Run 9's .github/workflows literal adoption remain open work. The two new issues filed today are scoped specifically to avoid overlap with that backlog.

Serena Tools Update

• Total Tools Available: 23
• New Tools Since Last Run: None
• Removed Tools: None
• Modified Tools: None
• Stability: Tool list unchanged for 7 consecutive runs (Runs 4–10)

Tool capabilities used today

Tool	Usage
activate_project	Initial project activation (11.8s, expected first-call cost)
find_referencing_symbols	Cross-reference audit of (*ActionResolver).ResolveSHA — 4.9s, returned 11 references identifying all 5 production context.Background() callsites
find_symbol (skipped)	Bare-name attempt for ResolveSHA errored as expected; reconfirmed Run 5 finding that receiver methods need (*Type).method qualified form

Strategy Selection

Cached Reuse Component (50%) — helper-adoption audit

Previous Strategy Adapted: exported-symbol-dead-code-plus-magic-literal-duplication (Run 8, 8/10) and string-literal-centralization-plus-interface-pollution-audit (Run 9, 9/10)

• Why Reused: Both runs surfaced a recurring helper_underadoption_failure_mode — constants/helpers exist in pkg/constants but call sites bypass them via literal duplication. Run 9's .github/workflows case (27 prod sites bypassing GetWorkflowDir()) is the canonical exemplar.
• Modifications: Audited Default* and Get* exported symbols in pkg/constants/constants.go for adoption percentage — focusing on runtime constants (paths, timeouts, ports) rather than format-policy constants (perms, dirs) already covered.
• Coverage: 11 candidate constants checked (Default*Timeout, Default*MCP*Port, Default*GatewayPayloadDir, AWF*Dir, AWFConfigFilePath, AWFReflectFilePath, GhAwRootDir, GetWorkflowDir).

New Exploration Component (50%) — context.Background/TODO scan

Novel Approach: Audit every context.Background() and context.TODO() callsite in pkg/ non-test to identify cases where a function should accept or forward an existing ctx context.Context instead of materializing a fresh one. Cross-reference via Serena find_referencing_symbols to map the full callgraph of ResolveSHA.

• Tools Employed: Serena find_referencing_symbols, Grep with multi-pattern
• Hypothesis: Compile-time and CLI-entry codepaths sometimes drop caller context, breaking cancellation/timeout propagation through network calls
• Target Areas: pkg/workflow/, pkg/cli/, pkg/actionpins/ — all packages that make network calls during workflow compilation

Combined Strategy Rationale

The two components complement each other along orthogonal axes: the cached side audits what exists but isn't used (constants), the new side audits what's used but shouldn't be the way it is (context.Background() at non-boundary sites). Together they triangulate on a single underlying engineering smell — bypass patterns that look harmless in isolation but accumulate maintenance debt.

Analysis Execution

Codebase Context

• Total Go files in pkg/ non-test: 792
• Files containing context.Background(): 23 (in pkg/ non-test)
• Total context.Background() callsites: 28
• Total context.TODO() callsites: 0
• Default* constants in pkg/constants/constants.go: ~25 (sampled 11)

Findings Summary

Severity	Count
Critical	0
High	0
Medium	2 (filed)
Low	4 (status updates / minor)

Detailed Findings

Medium #1 — context.Background() cluster in ResolveSHA call sites (#aw_sgar1, filed as issue)

5 production call sites pass context.Background() directly to (*ActionResolver).ResolveSHA(ctx, repo, version), a network operation:

File	Line	Function
pkg/workflow/maintenance_workflow.go	70	resolveActionRef
pkg/workflow/action_sha_checker.go	121	CheckActionSHAUpdates (exported)
pkg/workflow/action_reference.go	78	resolveSetupActionRef (action mode)
pkg/workflow/action_reference.go	116	resolveSetupActionRef (release mode)
pkg/cli/copilot_setup.go	25, 35	getActionRef

The correct pattern already exists at pkg/actionpins/actionpins.go:317:

sha, err := ctx.Resolver.ResolveSHA(cmp.Or(ctx.Ctx, context.Background()), actionRepo, version)

The PinContext struct carries Ctx context.Context and the resolver call falls back to Background() only when no parent ctx is provided. The 5 unfixed sites should adopt this pattern (with ctx context.Context threaded through their signatures).

Medium #2 — AWFProxyLogsDir same-file inconsistency (#aw_sgar2, filed as issue)

pkg/workflow/engine_firewall_support.go:

// Line 104 — generateSquidLogsUploadStep
firewallLogsDir := "/tmp/gh-aw/sandbox/firewall/logs/"

// Line 123 — generateFirewallLogParsingStep
firewallLogsDir := constants.AWFProxyLogsDir

Same file, same logical concept (firewall logs directory for YAML emission), but only one site uses the constant. Future migrations of the sandbox path will silently miss line 104.

Low #1 — Run 8 DefaultHTTPClientTimeout NOT YET implemented (status update)

Run 8 filed #aw_sg8a2 for centralizing the 30 * time.Second literal at 4 prod sites. Run 10 confirms: no DefaultHTTPClientTimeout constant exists yet in pkg/constants/, and all 4 literal sites are unchanged:

• pkg/parser/remote_fetch.go:522
• pkg/cli/mcp_registry.go:50
• pkg/cli/deps_security.go:139
• pkg/cli/agent_download.go:45

Not re-filed (existing tracking issue covers it).

Low #2 — Run 9 GetWorkflowDir() env-var override IMPLEMENTED (status update)

Run 9's #aw_sg9a1 flagged that constants.GetWorkflowDir() ignored the documented GH_AW_WORKFLOWS_DIR env-var override. Run 10 verifies the helper now reads the env var:

// pkg/constants/constants.go:338-343
func GetWorkflowDir() string {
    if dir := os.Getenv("GH_AW_WORKFLOWS_DIR"); dir != "" {
        return filepath.ToSlash(dir)
    }
    return ".github/workflows"
}

The broader call-site adoption (Run 9 reported 27 literal sites vs 13 helper sites) was not re-audited this run.

Low #3–#4 — Minor observations not warranting separate issues

• AWFAuditDir minor bypass at pkg/cli/firewall_policy.go:459: uses filepath.Join(agentDir, "tmp", "gh-aw", "sandbox", "firewall", "audit") plus agentBase+"/tmp/gh-aw/sandbox/firewall/audit". Defensible — the join form is needed for OS-portable path construction inside an artifact directory.
• mcpScriptsStartPort = 3000 at pkg/cli/mcp_inspect_mcp_scripts_server.go:21: literal duplicate of constants.DefaultMCPServerPort = 3000. Not filed (the local constant has different semantics — it's the starting port for a port-scan loop, not the default port).
• context.Background() defensible sites (23 of 28): nil-check fallbacks (action_resolver.go:33, actionpins.go:85,318, signal_aware_poll.go:68, retry.go:69), top-level CLI entry points (add_command.go:367, outcomes_command.go:138, mcp_server_command.go:171, etc.), and RunGH/RunGHCombined non-Context convenience wrappers (analog of stdlib http.Get vs http.NewRequestWithContext).
• Zero context.TODO() calls in prod: notable signal of context discipline.

Improvement Tasks Generated

Task 1 — Thread context.Context through ResolveSHA wrapper functions

• Severity: Medium
• Effort: Medium (5 sites + 4 functions to modify)
• Files: pkg/workflow/maintenance_workflow.go, pkg/workflow/action_sha_checker.go, pkg/workflow/action_reference.go, pkg/cli/copilot_setup.go
• Reference pattern: pkg/actionpins/actionpins.go:317
• Tracking: filed as issue with body containing per-site before/after

Task 2 — Replace AWFProxyLogsDir literal at engine_firewall_support.go:104

• Severity: Medium (preventive)
• Effort: Small (one-line edit + snapshot test verification)
• Files: pkg/workflow/engine_firewall_support.go
• Tracking: filed as issue

Success Metrics

This Run

Metric	Value
Findings generated	6 (2 filed, 2 status updates, 2 minor)
Tasks created	2
Files analyzed	~30 (focused on workflow/cli/actionpins)
Constants audited	11
Context callsites triaged	28
Success Score	9/10

Reasoning: Two distinct, scoped, actionable findings filed with clear before/after code; one prior issue verified as implemented; one prior issue verified as still open (no re-file); zero false positives; Serena find_referencing_symbols validated the context-propagation finding with precision. Did not hit 10/10 because the issues are medium-severity preventive rather than fixing a live bug.

Historical Context

Cumulative Statistics

Metric	Value
Total Runs	10
Total Findings	89
Total Tasks Generated	27
Average Success Score	8.5/10
Most Successful Strategy Type	Resource/concurrency/complexity scans (Run 4, 5, 6, 7, 9, 10 all 9/10)

Strategy Performance Trend

• Runs 1–3 (initial): 7–8/10 — LSP instability, broader scope
• Runs 4–10 (mature): 8–9/10 — focused per-axis scans with Serena LSP
• Pattern: high score comes from one crisp finding with a clear remediation path, not from breadth

Recommendations

Immediate Actions

1. Thread ctx context.Context through ResolveSHA wrappers (Issue filed) — unblocks caller cancellation of compile-path network calls
2. Replace AWFProxyLogsDir literal at engine_firewall_support.go:104 (Issue filed) — prevents future sandbox-path migration bug

Long-term Improvements

• The helper_underadoption_failure_mode has now appeared in 5 of 10 runs. Consider adding a CI check that grep-detects known sentinel literals (e.g., /tmp/gh-aw/sandbox/firewall/, ".github/workflows", 30 * time.Second on http.Client) and fails when they appear outside pkg/constants/.
• Run 8's #aw_sg8a2 (DefaultHTTPClientTimeout) has been open since 2026-05-13. Add to the next-run watchlist for adoption verification.

Next Run Preview

Suggested Focus Areas

• fmt.Errorf vs errors.New consistency — Run 5 noted 1704 fmt.Errorf calls but didn't audit %w placement at the boundary between Errorf and New
• Test helper extraction opportunities — scan _test.go files for repeated 5+-line setup blocks
• init() function audit — Run 5 logged panic in init was clean; never audited init bodies for side-effect ordering
• time.Now() call distribution — clock injection / testability axis
• Re-verify Run 8 #aw_sg8a2 adoption as Phase-3 health check

Strategy Evolution

The 50/50 cached/new split has now stabilized as the dominant pattern. Consider introducing a third "verification" component (~10%): each run, re-audit one previously-filed issue to confirm/deny adoption. Run 10 did this informally for GetWorkflowDir() and FilePerm*; formalizing it would make adoption gaps explicit.

References:

• §25901108807 — this run

Generated by 🤖 Sergo - Serena Go Expert · ● 19.1M · ◷

• expires on May 16, 2026, 5:09 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #32547.