
fix: address critical issues from panel review #7

Merged
cschuman merged 1 commit into main from feat/session-20260105-223105 on Jan 6, 2026

Conversation

@cschuman (Owner) commented Jan 6, 2026

Summary

Addresses critical issues identified by a 5-reviewer panel audit:

Security (CRITICAL)

  • Add parser timeout (5s) to prevent DoS attacks
  • Add AST complexity limits (100k nodes, 1000 depth)
  • Panic recovery for malformed input

Testing

  • Add 7 analyzer tests with 8 test fixture files
  • Tests cover: basics, ignore paths, empty files, syntax errors, context extraction, multiple files, helpers

Developer Experience

  • Add .goperf.yml config file support
  • Add .goperf.yml.example template

Honesty

  • Rename --fix flag to --suggest (it never actually modified files)
  • Update all "auto-fix" wording to "suggestion" terminology

Documentation

  • Add comprehensive docs/RULES.md (24KB) with:
    • All 15 rules documented with examples
    • False positive disclosure (~77% rate)
    • Why/Fix explanations for each rule

Error Handling

  • Change Analyze() to return ([]Issue, []string) for proper error tracking
  • Report parse errors without blocking analysis of other files

Test plan

  • go build ./... passes
  • go test ./... passes (7 new tests)
  • Manual verification of --suggest flag

Security hardening:
- Add parser timeout (5s) to prevent DoS via malicious files
- Add AST complexity limits (100k nodes, 1k depth)
- Add ASTComplexityValidator to enforce limits during walks
- Wrap parsing in goroutine with panic recovery

Error handling:
- Analyze() now returns ([]Issue, []string) with errors
- No more silent file/parse error swallowing
- Verbose mode logs skipped files

Honesty:
- Rename --fix to --suggest (no files are modified)
- Update all "auto-fix" language to "suggestion"
- Clear documentation that fixes are not applied

Config file support:
- Add config/config.go with YAML config loading
- Support .goperf.yml for team settings
- Add .goperf.yml.example template

Documentation:
- Create docs/RULES.md with all 20+ rules documented
- Include false positive rate disclosure (77%)
- Add examples, fixes, and edge cases for each rule

Testing:
- Add rules/analyzer_test.go with 7 test functions
- Add testdata/ fixtures for analyzer tests
- Tests cover basics, ignore paths, empty files, syntax errors,
  context extraction, and multi-file analysis

Generated using OpenAI Codex CLI with parallel task execution.
@cschuman cschuman merged commit ff55e05 into main Jan 6, 2026
4 of 5 checks passed
@cschuman cschuman deleted the feat/session-20260105-223105 branch January 6, 2026 03:50
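The hardening and error-handling items the PR lists (5s parser timeout, panic recovery in a goroutine, node and depth limits enforced during the AST walk, and Analyze() returning issues alongside per-file error strings) as one runnable Go example added by the editor; it is not goperf's code and reproduces none of it. The constants carry the PR's stated limits, but every identifier (parseWithTimeout, checkComplexity, analyzeSources, Source, Issue, sampleSources), the placeholder rule that counts top-level declarations, and the three sample files are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
	"time"
)

// Limits are the ones the PR states; every identifier in this file is the example's own assumption.
const parseTimeout, maxNodes, maxDepth = 5 * time.Second, 100_000, 1000

var ErrTooManyNodes = errors.New("AST exceeds node limit")
var ErrTooDeep = errors.New("AST exceeds depth limit")

// parseWithTimeout parses and size-checks one file in its own goroutine, so a parser panic becomes an
// error and a pathological file cannot stall the caller. go/parser cannot be cancelled: after a
// timeout the goroutine is abandoned and keeps consuming CPU until the parser returns on its own.
func parseWithTimeout(fset *token.FileSet, name, src string, timeout time.Duration) (*ast.File, error) {
	var f *ast.File
	var err error
	done := make(chan struct{})
	go func() {
		defer func() {
			if r := recover(); r != nil {
				err = fmt.Errorf("parser panic: %v", r)
			}
			close(done) // runs after recover, so done is signalled on both paths
		}()
		if f, err = parser.ParseFile(fset, name, src, parser.ParseComments); err == nil {
			err = checkComplexity(f, maxNodes, maxDepth)
		}
	}()
	select {
	case <-done:
		return f, err
	case <-time.After(timeout):
		return nil, fmt.Errorf("parse of %s timed out after %v", name, timeout)
	}
}

// checkComplexity counts nodes and tracks nesting depth in a single ast.Inspect walk. Inspect calls
// the visitor with nil when it leaves a node; returning false stops descent once a limit is exceeded.
func checkComplexity(f *ast.File, nodeLimit, depthLimit int) (err error) {
	var nodes, depth int
	ast.Inspect(f, func(n ast.Node) bool {
		if err != nil {
			return false
		}
		if n == nil {
			depth--
			return false
		}
		nodes++
		depth++
		if nodes > nodeLimit {
			err = fmt.Errorf("%w: %d nodes", ErrTooManyNodes, nodes)
		} else if depth > depthLimit {
			err = fmt.Errorf("%w: depth %d", ErrTooDeep, depth)
		}
		return err == nil
	})
	return err
}

type Source struct{ Name, Src string }
type Issue struct{ File, Msg string }

// analyzeSources follows the ([]Issue, []string) contract: a file that panics, times out, fails to
// parse or exceeds the limits yields one error string, and the remaining files are still analysed.
// The single placeholder "rule" reports the number of top-level declarations per clean file.
func analyzeSources(sources []Source) (issues []Issue, errs []string) {
	fset := token.NewFileSet()
	for _, s := range sources {
		f, err := parseWithTimeout(fset, s.Name, s.Src, parseTimeout)
		if err != nil {
			errs = append(errs, fmt.Sprintf("%s: %v", s.Name, err))
			continue
		}
		issues = append(issues, Issue{s.Name, fmt.Sprintf("%d top-level declarations", len(f.Decls))})
	}
	return issues, errs
}

// sampleSources are constructed inputs: a clean file, a syntax error, and block nesting beyond maxDepth.
func sampleSources() []Source {
	nested := strings.Repeat("{", maxDepth+10) + strings.Repeat("}", maxDepth+10)
	return []Source{
		{"good.go", "package p\n\nfunc A() {}\n\nfunc B() {}\n"},
		{"bad.go", "package p\n\nfunc (\n"},
		{"deep.go", "package p\n\nfunc F() {" + nested + "}\n"},
	}
}

func main() {
	fmt.Println(analyzeSources(sampleSources()))
}
```

Two caveats a reviewer would raise against this design. go/parser cannot be cancelled, so the timeout bounds how long the caller waits, not the CPU and memory the abandoned goroutine still spends; a file-size cap applied before ParseFile is the only pre-parse guard. And because the complexity walk runs after parsing, it protects the downstream rule walks from huge trees rather than the parser itself, which is why it sits inside the same goroutine under the same timeout here.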