[sergo] Sergo Report: switch-statement-complexity-plus-exported-api-usage-audit — 2026-05-12

[github-actions[bot]]

Executive Summary

Run 7 ranked all 195 non-test .go files in pkg/ by case count and drilled into the top-5 hotspots. The headline finding: eight parallel dispatch tables keyed by the same SafeOutputs handler-type axis — a maintenance hazard explicitly documented in code (safe_outputs_state.go:16-21) but where the source comment undercounts the actual sprawl by half (says 4, actual is 8). Two adjacent permission-scope switches in permissions.go and frontmatter_parsing.go exhibit the same shotgun-surgery anti-pattern on a smaller scale, including a 49-case identity switch where each branch literally returns PermissionScope(key).

Three issues were filed (#aw_sg7a1, #aw_sg7a2, #aw_sg7a3). All findings are independent of Run 5/6 trackers and have not been raised before. Self-assessed success score: 9/10.

Strategy Selection

Cached Reuse Component (50%)

Adapted from: Run 5 function-complexity-and-long-function-hot-spots (9/10).

• Run 5 ranked functions by line count. Today extended that axis to switch/case statement complexity — a complementary measure (a 200-line function can be trivial; a 60-case switch is always dispatch).
• New target: count ^\s*case .*: lines per file in pkg/, drill into top-5.

New Exploration Component (50%)

Approach: Exported-symbol usage audit via Serena find_referencing_symbols (and Grep cross-check). Scanned exported pkg/workflow/* functions to find dead-or-near-dead API surface.

• During this scan, find_symbol --name_path_pattern=hasSafeOutputType ran for 71 seconds without --include_kinds — fell back to Grep for plain-name lookups. New cache entry recorded.
• Pivot: the exported-API search led directly to hasSafeOutputType, which led to the dispatch-table cluster.

Why this combination worked

The complexity scan supplies where (frontmatter_parsing.go 58 cases, permissions.go 49, imports.go 45). The exported-API scan supplied what for — discovering that hasSafeOutputType is one of multiple sibling functions all carrying the same dispatch logic. Cross-product revealed the 8-table cluster.

Serena Tools Update

• Total tools available: 23 (unchanged since Run 4 — five consecutive stable snapshots)
• Added since last run: none
• Removed: none
• Tools used today: activate_project, find_symbol, plus Grep / Read as cross-check.

Performance note logged to cache

find_symbol with --name_path_pattern and no --include_kinds filter took 71 seconds for a simple symbol lookup. For plain-name queries, Grep returned the same answer in under 1s. Cache updated to recommend Grep first and reserve find_symbol for cases needing kind filtering or precise body locations.

Analysis Execution

Codebase context

• Total non-test Go files in pkg/: 772
• Files containing case statements: 195
• Total case lines in pkg/: 1,390

Top-5 case-count hotspots

File	case count	Function(s)
pkg/workflow/frontmatter_parsing.go	58	parsePermissionsConfig (40-case) + parseRuntimesConfig
pkg/workflow/permissions.go	49	convertStringToPermissionScope (49-case identity switch)
pkg/workflow/imports.go	45	hasSafeOutputType (45-case)
pkg/workflow/safe_outputs_permissions.go	35	SafeOutputsConfigFromKeys (45-case)
pkg/workflow/mcp_config_custom.go	34	(not drilled this run)

Findings Summary

• Total findings: 8
  • Critical: 1 (8-way duplicate dispatch surface)
  • High: 3 (the three filed issues)
  • Medium: 4 (companion observations below)

Detailed Findings

Critical / High (filed as issues)

#aw_sg7a1 — 8 parallel dispatch tables keyed by safe-output type

The inventory:

#	Function	File:line	Shape
1	safeOutputFieldMapping (map literal)	safe_outputs_state.go:27-71	StructField → key
2	hasAnySafeOutputEnabled	safe_outputs_state.go:79+	nil-check cascade
3	hasNonBuiltinSafeOutputsEnabled	safe_outputs_state.go	nil-check cascade
4	hasSafeOutputType	imports.go:321-419	45-case switch → bool
5	SafeOutputsConfigFromKeys	safe_outputs_permissions.go:313+	45-case switch → struct setter
6	ComputePermissionsForSafeOutputs	safe_outputs_permissions.go:79-307	30+ if-branches per pointer
7	mergeSafeOutputConfig	imports.go:423-670	45+ if result.X == nil && imported.X != nil
8	extractSafeOutputsConfig	compiler.go	637-line, 45-branch parser (already tracked: #31298)

Existing safeguard: safe_outputs_state.go:16-21 lists 4 locations — half the actual count. Recommended fix: one descriptor table consumed by all eight sites via reflection. See full issue text on #aw_sg7a1.

#aw_sg7a2 — convertStringToPermissionScope 49-case identity switch

Every case returns PermissionScope(key) because constants are defined as PermissionActions = "actions", etc. Collapsible to a 5-line validated cast against the already-existing GetAllPermissionScopes()/GetAllGitHubAppOnlyScopes() inventory. ~110 lines → ~12.

#aw_sg7a3 — parsePermissionsConfig 40-case scope→struct-field switch

Duplicates the permission inventory for the fourth time (const block, 2× Get* slices, convertStringToPermissionScope, and now this). Recommend driving from a map[PermissionScope]func(*PermissionsConfig, string) setter table, or converting PermissionsConfig itself to map[PermissionScope]string.

Medium-priority companion observations (not filed)

• pkg/workflow/mcp_config_custom.go (34 cases) — large but not surveyed this run; carry to Run 8.
• pkg/cli/audit_agentic_analysis.go (32 cases) — same — carry forward.
• pkg/workflow/imports.go:184 MergeSafeOutputs mediates between mergeSafeOutputConfig (Weekly Research Report: AI Workflow Automation Landscape and Market Opportunities - August 2025 #7) and extractSafeOutputsConfig (Add workflow: githubnext/agentics/weekly-research #8). After #aw_sg7a1 it should collapse to a small wrapper.
• pkg/workflow/safe_outputs_state.go:16-21 comment must be updated whichever way #aw_sg7a1 lands (or be deleted if the descriptor-table fix removes the need entirely).

Improvement Tasks Generated

Task 1 — Descriptor-table refactor of SafeOutputs dispatch (#aw_sg7a1)

• Severity: High; affected: 4 files, ~700 LoC across 4 of the 8 sites alone
• Effort: Large
• Validation: existing safe_outputs_*_test.go suite; TestHasSafeOutputTypeNewKeys becomes a descriptor-table parity check

Task 2 — Collapse convertStringToPermissionScope identity switch (#aw_sg7a2)

• Severity: High (bloat); affected: 1 file, ~100 LoC removed
• Effort: Small — good-first-issue candidate
• Validation: round-trip test over GetAllPermissionScopes() ∪ GetAllGitHubAppOnlyScopes()

Task 3 — Table-drive parsePermissionsConfig (#aw_sg7a3)

• Severity: High (drift risk); affected: 1 file, ~95 LoC reducible
• Effort: Medium — coordinate with Task 2 to share validated-key map
• Validation: existing parser tests + a new round-trip test

Success Metrics (this run)

• Findings generated: 8
• Tasks created: 3 issues + medium-priority carry-forwards
• Files analyzed: 195 ranked, 5 drilled into
• Success score: 9/10

Reasoning for score

• Findings quality (4/4): An explicitly-documented maintenance hazard whose source comment understates its own scope; an identity-switch that's almost a textbook example of redundant code; both arrived at via complementary methods.
• Coverage (3/3): Full pkg/ ranked, top-5 drilled, plus exported-API cross-check.
• Task generation (2/3): Three solid issues; -1 for not surveying mcp_config_custom.go and audit_agentic_analysis.go (carried forward).

Historical Context

Strategy performance trend

Run	Date	Strategy	Score
1	05-06	error-handling-and-interface-design	7
2	05-07	deep-error-analysis-plus-symbol-naming	8
3	05-08	constructor-consistency-plus-type-safety	8
4	05-09	concurrency-safety-and-resource-lifecycle	9
5	05-10	function-complexity-and-long-function-hot-spots	9
6	05-11	parameter-list-systematic-scan-plus-deep-nesting	9
7	05-12	switch-statement-complexity-plus-exported-api-usage-audit	9

Cumulative

• Total runs: 7
• Total findings: 69
• Total tasks: 21
• Avg success score: 8.4
• Most successful strategy class: complexity-axis scans (Runs 5–7 all scored 9)

Recommendations

Immediate

1. Land #aw_sg7a2 first — small, low-risk, demonstrates the pattern and produces a validPermissionScopes map that #aw_sg7a3 can reuse.
2. Then #aw_sg7a3 — table-drive the parser using the validated-key map from step 1.
3. Then #aw_sg7a1 — the heavyweight refactor; benefits from the precedent set by steps 1 and 2.

Long-term

A go:generate step that emits all eight dispatch sites (or analogous ones for permissions) from one source-of-truth table would prevent recurrence. Consider gating CI on a parity check that fails if the table and any individual function drift.

Next Run Preview

Suggested focus areas

• Carry-forward complexity scan: mcp_config_custom.go (34 cases), audit_agentic_analysis.go (32), tool_description_enhancer.go (30), stop_after.go (23)
• New axis candidate: receiver-method density per type — find types whose methods sprawl across many files (indicates God-object risk)
• Or: zero/one-reference exported-symbol audit on pkg/parser and pkg/stringutil (small leaf packages, manageable scope)

Strategy evolution

Complexity-axis scans (line count → param count → nesting depth → switch cases) have anchored Runs 5–7 with consistent 9/10 scores. Suggest one more complexity sweep (method density) before pivoting to a new theme like inter-package coupling.

References

• §25714058216 — this run
• Filed issues: #aw_sg7a1, #aw_sg7a2, #aw_sg7a3
• Related trackers: Refactor: 637-line extractSafeOutputsConfig has 45 near-identical parse-and-assign blocks (table-driven candidate) #31298 (extractSafeOutputsConfig refactor — site Add workflow: githubnext/agentics/weekly-research #8 in the dispatch cluster), Tracking: 14 production functions in pkg/ are >400 lines (function-length hot-spots) #31300 (long-function tracker)
• Sandbox limitation: gh issue list returns HTTP 403 on /meta — duplicate detection via gh search was unavailable this run; relied on Sergo cache (no prior issue covers these findings) and safe-outputs creation.

Generated by Sergo - Serena Go Expert · ● 18.1M · ◷

• expires on May 13, 2026, 4:59 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #31867.