[sergo] Sergo Report: New jsonmarshalignoredeerror Linter Audit - 2026-05-30

[github-actions[bot]]

🔬 Sergo Report: reverify-plus-new-jsonmarshal-linter-violation-audit

Date: 2026-05-30 · Run: R23 · Success Score: 9/10

Executive Summary

This run reverified the previous run's enforcement findings and discovered a newly-registered custom linter that is not yet enforced. The reverify half paid off cleanly: the three linters Sergo flagged in R22 — regexpcompileinfunction, fprintlnsprintf, and strconvparseignorederror — were all enforced by the maintainer within the week, appended to LINTER_FLAGS at .github/workflows/cgo.yml:1040. The enforced linter count rose from 5 → 8, and the 6 strconv sites now all check their errors. There are zero open Sergo issues.

The new-exploration half found that the codebase grew an 18th custom linter since R22 — jsonmarshalignoredeerror (cmd/linters/main.go:26,57) — which flags discarded json.Marshal/json.Unmarshal errors. It is registered but not enforced, and a static audit surfaced 19 production violations across 11 files, concentrated in the compiler's code-generation path where a silent nil-bytes marshal failure would emit malformed workflow output. One issue was filed to triage and then enforce it.

Overall code-quality posture remains strong and improving: the "audit registered-but-unenforced linter → file enforcement issue" strategy is now demonstrably landing, making it the highest-ROI Sergo loop.

🛠️ Serena Tools Update

Tools Snapshot

• Total Serena LSP tools: 23 (unchanged)
• New tools: None
• Removed tools: None
• Stability: 23 tools stable across Runs 4–23 (20 consecutive runs)

Codebase linter change detected (not a Serena change)

• Registered custom linters: 17 → 18 (jsonmarshalignoredeerror added)
• Enforced linters: 5 → 8 (regexpcompileinfunction, fprintlnsprintf, strconvparseignorederror appended to cgo.yml:1040)

Serena tools used today

• activate_project — project activation (go, typescript, bash detected)
• Supplemented with Grep/Read for AST-pattern auditing (find_symbol broad queries remain 70s+; Grep preferred per cached gotchas)

📊 Strategy Selection

Cached Reuse Component (50%)

Adapted: reverify-plus-unenforced-linter-zero-violation-audit (avg success 9/10 across R20–R22)

• Why reused: highest-scoring recent family; R22's flagged linters were pending maintainer action
• Result: confirmed sg22a1 (regexpcompileinfunction + fprintlnsprintf) and sg22a2 (strconvparseignorederror) ENFORCED & RESOLVED; no re-file needed; semverutil relocated pkg/parser/ → pkg/semverutil/

New Exploration Component (50%)

Novel approach: audit the newly-registered jsonmarshalignoredeerror analyzer for production violations

• Tools employed: read the analyzer source to learn its exact AST match (only encoding/json, only Marshal/Unmarshal, not MarshalIndent), then Grep'd prod for both discard patterns
• Hypothesis: a freshly-registered linter would have un-triaged violations (unlike the zero-violation linters from R22)
• Confirmed: 19 real violations — this is a non-zero linter requiring triage before enforcement

Combined rationale

The reuse half closes the loop on prior findings (and validates the strategy's ROI); the new half catches a brand-new analyzer the moment it lands, before its violations calcify. Together they keep the custom-linter suite moving toward full enforcement.

🔍 Analysis Execution

Codebase Context

• Registered linters: 18 (cmd/linters/main.go)
• Focus: pkg/workflow (code generation) and pkg/cli
• Method: AST-accurate Grep (linter only flags 2-LHS-blank json.Marshal and 1-LHS-blank json.Unmarshal)

Findings Summary

• Total issues: 7 (1 reverify-confirmed resolution cluster + 1 new linter cluster of 19 sites, risk-tiered)
• Critical: 0
• High: 0
• Medium: 1 (the 19-site json.Marshal cluster, Tier-1 site sharpest)
• Low/Informational: reverify confirmations + Tier-3 cannot-fail sites

📋 Detailed Findings

Medium — jsonmarshalignoredeerror: 19 discarded json.Marshal errors (filed as issue)

🔴 Tier 1 — error path exists but discarded

• pkg/workflow/safe_outputs_config_generation.go:198 — function returns (string, error) yet configJSON, _ := json.Marshal(...); failure → "" + nil error → silent empty safe-outputs config

🟠 Tier 2 — nil bytes into generated output

• pkg/workflow/compiler_experiments.go:457,461, compiler_pre_activation_job.go:168,172,230, compiler_yaml.go:814, cache.go:636,917, repo_memory.go:717, pkg/cli/mcp_config_file.go:59,60, mcp_config_playwright_renderer.go:80,87

🟢 Tier 3 — cannot fail (annotate)

• String marshals (never error): args.go:62, mcp_renderer_github.go:249, mcp_config_playwright_renderer.go:73, compiler_experiments.go:451
• copilot_logs.go:97 — len()-only size metric

Note: the lone _ = json.Unmarshal(...) Grep hit (mcp_scripts_generator.go:334) is a string literal inside a code generator, not a real call; the AST linter correctly ignores it → zero real Unmarshal violations.

Reverify confirmations (resolved since R22)

• regexpcompileinfunction — ZERO prod, ENFORCED (cgo.yml:1040)
• fprintlnsprintf — ZERO prod, ENFORCED
• strconvparseignorederror — 6 sites now check errors, ENFORCED (semverutil relocated to pkg/semverutil/)
• Open Sergo issues: 0

Still-unenforced linters (10) — audit backlog

• jsonmarshalignoredeerror — 19 sites (filed R23)
• ctxbackground — 28 sites · largefunc / excessivefuncparams — known violations · uncheckedtypeassertion — sg18a1 effect
• errormessage — opt-in --changed-files · ssljson — content validator, not Go-code
• Previously dismissed (do not re-file): fileclosenotdeferred (zero prod), contextcancelnotdeferred (6 sites), ossetenvlibrary (10 silent-setenv sites)

✅ Improvement Task Generated

Task 1: Triage & enforce jsonmarshalignoredeerror

• Tier 1: handle the error via the existing (string, error) return at safe_outputs_config_generation.go:198
• Tier 2: handle/return errors in code-gen sites (fail loudly rather than emit partial output)
• Tier 3: //nolint:jsonmarshalignoredeerror // marshaling a string cannot fail
• Then: append -jsonmarshalignoredeerror to LINTER_FLAGS (cgo.yml:1040)
• Effort: Small–Medium (~19 mechanical sites)

📈 Success Metrics

Metric	Value
Findings	7
Issues created	1
Tasks generated	1
Files audited	11 (focus)
Linters reverified resolved	3
Score	9/10

Reasoning: high-signal — caught a brand-new analyzer the run it appeared, with precise AST-accurate site triage and a clear enforcement path; reverify confirmed the strategy's ROI (3 prior findings enforced). Not a 10 only because no second independent finding was strong enough to file without diluting quality.

📊 Historical Context

• Total runs: 23 · Total findings: 193 · Total tasks: 49 · Avg score: 8.65/10
• Most successful strategy family: reverify-plus-unenforced-linter audits (consistent 8–9)
• Proven this run: R22's enforcement recommendations landed → enforced linters 5 → 8

🎯 Recommendations

Immediate

1. Triage the 19 jsonmarshalignoredeerror sites (Tier 1 first — it has a live error path), then enforce.

Long-term

• Treat every newly-registered linter as an audit trigger: registration without enforcement is the repo's signal that triage is wanted.
• The compiler code-gen path repeatedly discards marshal/format errors; a small mustMarshalJSON-style helper (or consistent error propagation) would retire a whole class of these.

🔄 Next Run Preview

• Watch: whether jsonmarshalignoredeerror gets triaged + enforced (confirm by R24).
• Next new angle: deep-audit ctxbackground (28 sites) for defensibility tiers, or recheck largefunc/excessivefuncparams current counts (were 17/11 functions at R5–6).

---

Generated by Sergo — The Serena Go Expert · Run ID: 26675080432 · Strategy: reverify-plus-new-jsonmarshal-linter-violation-audit

Generated by 🤖 Sergo - Serena Go Expert · opus48 2.1M · ◷

• expires on May 31, 2026, 5:07 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #36061.