Summary
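Two type-resolved context/error-family linters are fully ready for the blocking CI gate but are not listed in cgo.yml's LINTER_FLAGS. Both currently flag zero production sites across the gate's full scope (./cmd/... ./pkg/...), so promoting them is a regression guard with no cleanup cost.
- errortypeassertion — the new 38th analyzer (registered cmd/linters/main.go:65; added via ADR docs/adr/42323-add-errortypeassertion-linter.md). It flags err.(ConcreteType) and concrete case arms in switch err.(type), recommending errors.As. Never previously proposed for enforcement.
- execcommandwithoutcontext — its prerequisites were completed under the now-closed execcommandwithoutcontext enforce-readiness: propagate context in connectStdioMCPServer (2 sites), add nolint support, then enfo [Content truncated due to length] #38282 (fixed the 2 connectStdioMCPServer sites + added nolint support), but the final "then enforce" step was never landed. The linter still sits outside the gate.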
Evidence
Registry delta (37 → 38): grep -c 'Analyzer' cmd/linters/main.go = 38 (was 37 last run). The new entry is errortypeassertion.Analyzer (main.go:65).
errortypeassertion is type-resolved and parity-complete (pkg/linters/errortypeassertion/errortypeassertion.go):
- Gates on types.Identical(TypeOf(X), builtinError) (:71-74, :101-103) — no syntactic identifier matching, so no shadow/alias FP/FN class.
- Excludes interface targets (:80-82, :121-123) and named interfaces embedding error (documented :67-70).
- Handles both *ast.TypeAssertExpr and *ast.TypeSwitchStmt (:43-50), incl. comma-ok and switch err.(type) init forms (typeSwitchX :135-148).
- Wires nolint.BuildLineIndex/HasDirective (:33, :63, :113) + filecheck.IsTestFile (:63, :113).
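A standard-library sketch of the type-resolved gate described in the list above, added here as an illustration and not the project's analyzer code. `FlaggedLines` and the embedded sample are constructed for this example, and the sketch covers assertion expressions only, not the `switch err.(type)` form.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed input: only lines 6 and 7 assert a built-in error to a concrete type.
const sample = `package p
type MyErr struct{}
func (*MyErr) Error() string { return "" }
type Alias = error
func f(e error, a Alias, err any) {
	_ = e.(*MyErr)                     // flagged
	_ = a.(*MyErr)                     // flagged: Alias resolves to built-in error
	_, _ = e.(interface{ Code() int }) // interface target, excluded
	_ = err.(*MyErr)                   // named err but typed any, not flagged
}`

// FlaggedLines (hypothetical helper) type-checks src and returns the flagged line numbers.
func FlaggedLines(src string) (lines []int, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	info := &types.Info{Types: map[ast.Expr]types.TypeAndValue{}}
	if _, err := new(types.Config).Check("p", fset, []*ast.File{file}, info); err != nil {
		return nil, err
	}
	builtinError := types.Universe.Lookup("error").Type()
	ast.Inspect(file, func(n ast.Node) bool {
		ta, ok := n.(*ast.TypeAssertExpr)
		if !ok || ta.Type == nil { // Type is nil for the switch x.(type) guard
			return true
		}
		if types.Identical(info.TypeOf(ta.X), builtinError) && !types.IsInterface(info.TypeOf(ta.Type)) {
			lines = append(lines, fset.Position(ta.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

func main() {
	fmt.Println(FlaggedLines(sample)) // [6 7] <nil>
}
```

Because the decision is made on resolved types, the operand's identifier plays no part: the `any`-typed parameter named `err` is ignored while the aliased `error` is caught.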
Zero production violations:
errortypeassertion: every .(*T) assertion in pkg/ and cmd/ non-test code targets *ast.* / *types.* values typed as ast.Node/types.Type (not the built-in error); the only custom-interface assertion (pkg/parser/json_path_locator.go:111 info.ErrorKind.(*kind.AdditionalProperties)) is not on built-in error. No matches in cmd/.
execcommandwithoutcontext: every prod exec.Command( site sits in a function that does not receive context.Context (e.g. pkg/parser/remote_fetch.go downloadFileViaGitClone/resolveRefToSHAViaGit, pkg/workflow/pip_validation.go validate*WithPip, dependabot.go:339). The two ctx-receiving funcs (downloadFileViaGit :600, downloadFileViaRawURL :647) contain no exec.Command. No matches in cmd/.
Impact
Without enforcement, future code can reintroduce err.(*T) (bypassing errors.As/wrapped-error traversal) or exec.Command in ctx-aware functions (dropping cancellation propagation) and pass CI. The advisory make golint-custom (no flags) used by lint-monster runs all 38 analyzers but is not a hard gate; only the 14 linters in cgo.yml:1208 block merges.
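The two regressions named above, shown at runtime in an added example that is not code from the repository. `ValidationError`, `load`, `ByAssertion`, `ByErrorsAs` and `RunSleep` are hypothetical names, and the cancellation part assumes a POSIX `sleep` binary on PATH.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

// ValidationError is a hypothetical concrete error type.
type ValidationError struct{ Field string }

func (e *ValidationError) Error() string { return "invalid " + e.Field }

// load wraps the concrete error with %w, as layered code usually does.
func load() error {
	return fmt.Errorf("load config: %w", &ValidationError{Field: "timeout"})
}

// ByAssertion is the flagged pattern: it inspects only the outermost error value.
func ByAssertion(err error) bool {
	_, ok := err.(*ValidationError)
	return ok
}

// ByErrorsAs walks the Unwrap chain, so wrapping does not hide the type.
func ByErrorsAs(err error) bool {
	var ve *ValidationError
	return errors.As(err, &ve)
}

// RunSleep receives a ctx, so it uses CommandContext: the child is killed when ctx is done.
func RunSleep(ctx context.Context, seconds string) (time.Duration, error) {
	start := time.Now()
	err := exec.CommandContext(ctx, "sleep", seconds).Run()
	return time.Since(start), err
}

func main() {
	err := load()
	fmt.Println(ByAssertion(err), ByErrorsAs(err)) // false true
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	fmt.Println(RunSleep(ctx, "5"))
}
```

With plain `exec.Command` in `RunSleep`, the deadline on `ctx` would have no effect and the child would run for the full five seconds.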
Recommendation — single-line change
In .github/workflows/cgo.yml:1208, append both to LINTER_FLAGS:
# before
LINTER_FLAGS="-errstringmatch ... -httpnoctx -timeafterleak -test=false"
# after
LINTER_FLAGS="-errstringmatch ... -httpnoctx -timeafterleak -errortypeassertion -execcommandwithoutcontext -test=false"
Both already honor -test=false semantics via internal filecheck.IsTestFile, and both support //nolint:<name> for any future intentional exception.
Validation checklist
- make golint-custom LINTER_FLAGS="-errortypeassertion -test=false" on a clean tree → no diagnostics.
- make golint-custom LINTER_FLAGS="-execcommandwithoutcontext -test=false" → no diagnostics.
- cgo.yml:1208; confirm the gate job stays green.
- execcommandwithoutcontext is enforced.
Effort
Small — one CI flag edit + a verification run. No source changes.
References: §28421420974
Generated by 🤖 Sergo - Serena Go Expert