[sergo] Sergo Report: 27th-Linter httpnoctx — Enforce-Readiness + Precision Audit - 2026-06-13

[github-actions[bot]]

Executive Summary

The custom linter registry grew 26 → 27: httpnoctx (flags net/http calls that take no context.Context) landed and is registered at cmd/linters/main.go:60, but is not enforced in CI. Today's run audited the new analyzer and produced two distinct, evidence-backed tasks:

• 2 issues created (both labelled sergo)
• 0 duplicates filed — the new doc-lag was deliberately not refiled (already covered by open doc-sync: linters/doc.go still says "All 24 active analyzers" after two new linters (hardcodedfilepath, timesleepnocontext) land [Content truncated due to length] #38787)
• Serena LSP unchanged at 23 tools (stable R4→R35)

Metric	Value
Linter registry	26 → 27 (httpnoctx)
Serena LSP tools	23 (unchanged)
CI-enforced linters	12 (unchanged)
Findings	6
Issues created	2
Run	R35 · success 9/10

Tool / Registry Updates

httpnoctx is the 27th analyzer. Encouragingly, it is precision-clean on false positives — it uses full type identity for both detection paths:

• Client receiver: *types.Pointer → *types.Named, obj.Pkg().Path() == "net/http" (httpnoctx.go:91-106)
• Package shortcuts: ObjectOf → *types.PkgName → Imported().Path() (httpnoctx.go:109-123) — the correct, alias-safe pattern.

This is the model implementation the older syntactic linters (ctxbackground, still open as #38789) should adopt.

Documentation divergence (3-way) — not refiled

The new linter widened the existing doc gap to 27 / 24 / 25:

Surface	Count	Missing
cmd/linters/main.go registry	27	—
pkg/linters/doc.go ("All 24...")	24	hardcodedfilepath, httpnoctx, timesleepnocontext
spec_test.go documentedAnalyzers() + README	25	httpnoctx, timesleepnocontext

This is not a new issue: open #38787 already tracks doc-sync for the new linters; a fix there should enumerate the registry and pick up httpnoctx too. Filing a second doc-sync issue would duplicate it, so it was skipped (dedup).

Strategy (50 / 50 split)

Cached component — enforce-readiness pattern (proven)

Reused the proven "run the unenforced linter over prod, list real true-positive sites, recommend conversion + CI flag" pattern that previously landed tolowerequalfold (#37250, 13 sites), strconvparseignorederror (6 sites), and manualmutexunlock (16 sites). Applied to httpnoctx.

New exploration — precision audit of the 27th linter

Fresh target: the brand-new httpnoctx analyzer. Audited it on three axes (call-detection type-identity, ctx/control-flow handling, completeness vs its own Doc). Found the type-identity is sound for FPs but the receiver gate is pointer-only, yielding a latent false negative.

Run targets: detect registry delta (✅ 26→27), ≥1 enforce-readiness finding (✅ 3 sites), ≥1 precision finding (✅ value/embedded FN), reconcile prior issues (✅ 5 open verified), ≤3 non-duplicate issues (✅ 2).

Findings & Generated Tasks

🔴 sg35a1 — httpnoctx enforce-readiness (3 real prod sites)

Running httpnoctx over production pkg/ surfaces 3 genuine context-free HTTP calls (all *http.Client.Get, all true positives):

Location	Call	Context available?
pkg/cli/deps_outdated.go:169	Go-proxy @latest query	No
pkg/parser/remote_fetch.go:613	raw.githubusercontent.com download	No
pkg/cli/mcp_inspect_mcp_scripts_server.go:54	server-ready poll loop	No

Each relies only on the client Timeout; no caller can cancel an in-flight request. Recommendation: thread a context.Context + convert to http.NewRequestWithContext + client.Do, then append -httpnoctx to LINTER_FLAGS (cgo.yml:1122). Effort: M.

🟡 sg35a2 — httpnoctx precision (latent false negative)

isHTTPClientReceiver (httpnoctx.go:96) mandates t.(*types.Pointer) before the net/http.Client identity check. But Get/Head/Post/PostForm are in the method set of any addressable http.Client value, so value receivers, value struct fields, and embedded clients (var c http.Client; c.Get(...)) compile yet escape the linter — contradicting its Doc ("reports http.Client ... calls"). Currently latent (all prod clients are &http.Client{}). Fix: unwrap an optional pointer, then match the named type; add value/embedded testdata. Effort: S.

Metrics & Success

• Findings: 6 · Issues: 2 (sg35a1, sg35a2) · Duplicates avoided: 1 (doc-sync) · Success score: 9/10
• Coverage: 27-analyzer registry, all 3 doc surfaces, full pkg/ non-test sweep for net/http context-free calls.

Historical context & prior-issue reconciliation

All prior sergo issues verified via gh api ?labels=sergo&state=all:

Issue	Status	Age
#38787 doc-sync (R34)	open	1d
#38788 hardcodedfilepath FP (R34)	open	1d
#38789 ctxbackground precision (R34)	open	1d
#38281 execcommand nil-guard FP (R32)	open	3d
#38282 execcommand enforce (R32)	open	3d

R34's safe-outputs are confirmed posted (a phantom-issue failure had occurred silently in R33). The execcommand pair (#38281/#38282) involves complex control-flow and has lingered 3 days — flagged for report/noop if it reaches ~6 days. Recently landed: sortslice #38028/#38029, lenstringzero #37740/#37741.

Recommendations & Next-Run Focus

1. Land sg35a1 — the 3 context-free HTTP calls are latent reliability defects (uncancellable network I/O); fixing them unblocks CI enforcement of the 27th linter.
2. sg35a2 is a fast single-file hardening following the same value-unwrap recipe used elsewhere.
3. R36: reconcile sg35a1/a2 + sg34a1/2/3 landings; reverify the 3-day-old execcommand pair; watch for a 28th linter via registry-count delta.

References:

• §27457409492

Generated by 🤖 Sergo - Serena Go Expert · 247.3 AIC · ⌖ 10.6 AIC · ⊞ 6.3K · ◷

• expires on Jun 13, 2026, 9:20 PM UTC-08:00