Merge develop into main: ShellAI test fixes

SimplyLiz · SimplyLiz · commit ef273f4e7bb4 · 2026-03-22T16:08:53.000+01:00
diff --git a/internal/query/review_bugpatterns.go b/internal/query/review_bugpatterns.go
@@ -499,7 +499,11 @@ func checkDiscardedError(root *sitter.Node, source []byte, file string) []Review
 		}
 
 		// Build a map of variable names to their declared types within this function.
+		// For closures (func_literal), also include vars from enclosing scopes.
 		varTypes := buildVarTypeMap(body, source)
+		if fn.Type() == "func_literal" {
+			mergeEnclosingVarTypes(fn, source, varTypes)
+		}
 
 		// Find discarded calls in this function body.
 		exprStmts := complexity.FindNodes(body, []string{"expression_statement"})
@@ -623,6 +627,30 @@ func buildVarTypeMap(body *sitter.Node, source []byte) map[string]string {
 	return result
 }
 
+// mergeEnclosingVarTypes walks up from a func_literal to find the enclosing
+// function's variable declarations. This catches cases like:
+//
+//	var rawContent strings.Builder
+//	provider.GenerateStream(ctx, prompt, func(chunk string) {
+//	    rawContent.WriteString(chunk)  // closure captures outer var
+//	})
+func mergeEnclosingVarTypes(closureNode *sitter.Node, source []byte, varTypes map[string]string) {
+	for n := closureNode.Parent(); n != nil; n = n.Parent() {
+		if n.Type() == "function_declaration" || n.Type() == "method_declaration" {
+			body := n.ChildByFieldName("body")
+			if body != nil {
+				enclosing := buildVarTypeMap(body, source)
+				for k, v := range enclosing {
+					if _, exists := varTypes[k]; !exists {
+						varTypes[k] = v
+					}
+				}
+			}
+			return
+		}
+	}
+}
+
 // splitSelector splits "b.WriteString" into ("b", "WriteString").
 func splitSelector(fullName string) (receiver, method string) {
 	idx := strings.LastIndex(fullName, ".")
diff --git a/internal/query/review_deadcode.go b/internal/query/review_deadcode.go
@@ -111,7 +111,14 @@ func (e *Engine) checkDeadCode(ctx context.Context, changedFiles []string, opts
 
 // findDeadConstants scans changed Go files for exported constants and checks
 // if they have any references outside their declaration file.
+// Requires SCIP index for reference counting — skips if unavailable to avoid
+// tree-sitter fallback which isn't thread-safe for concurrent use.
 func (e *Engine) findDeadConstants(ctx context.Context, changedFiles []string, alreadyReported map[string]bool) []ReviewFinding {
+	// Skip constant scanning when SCIP is unavailable — the tree-sitter
+	// fallback search path is not thread-safe for concurrent goroutine use.
+	if e.scipAdapter == nil {
+		return nil
+	}
 	var findings []ReviewFinding
 
 	for _, file := range changedFiles {
diff --git a/internal/query/symbols.go b/internal/query/symbols.go
@@ -818,6 +818,7 @@ func sortReferences(refs []ReferenceInfo) {
 }
 
 // searchWithTreesitter performs symbol search using tree-sitter as fallback.
+// Acquires tsMu because tree-sitter cgo is not thread-safe.
 func (e *Engine) searchWithTreesitter(ctx context.Context, opts SearchSymbolsOptions) ([]SearchResultItem, error) {
 	if e.treesitterExtractor == nil {
 		return nil, nil
@@ -829,8 +830,10 @@ func (e *Engine) searchWithTreesitter(ctx context.Context, opts SearchSymbolsOpt
 		searchRoot = filepath.Join(e.repoRoot, opts.Scope)
 	}
 
-	// Extract all symbols from the directory
+	// Extract all symbols from the directory — tree-sitter cgo requires mutex
+	e.tsMu.Lock()
 	allSymbols, err := e.treesitterExtractor.ExtractDirectory(ctx, searchRoot, nil)
+	e.tsMu.Unlock()
 	if err != nil {
 		e.logger.Warn("Tree-sitter extraction failed",
 			"error", err.Error(),
diff --git a/internal/secrets/patterns.go b/internal/secrets/patterns.go
@@ -212,7 +212,7 @@ var BuiltinPatterns = []Pattern{
 		Name:        "generic_secret",
 		Type:        SecretTypeGenericSecret,
 		Severity:    SeverityMedium,
-		Regex:       regexp.MustCompile(`(?i)(?:secret|password|passwd|pwd|token)['":\s=]+['"]?([A-Za-z0-9!@#$%^&*()_+\-=]{8,64})['"]?`),
+		Regex:       regexp.MustCompile(`(?i)(?:secret|password|passwd|pwd|token)\s*[=:]\s*['"]([A-Za-z0-9!@#$%^&*()_+\-=]{8,64})['"]`),
 		MinEntropy:  3.0,
 		Description: "Generic Secret or Password",
 	},
diff --git a/internal/secrets/scanner.go b/internal/secrets/scanner.go
@@ -409,7 +409,7 @@ func isLikelyFalsePositive(line, secret string) bool {
 		return true
 	}
 
-	// Check for test/example indicators
+	// Check for test/example/dev indicators
 	falsePositiveIndicators := []string{
 		"example",
 		"sample",
@@ -426,6 +426,12 @@ func isLikelyFalsePositive(line, secret string) bool {
 		"insert",
 		"fixme",
 		"todo",
+		"local-dev",
+		"dev-token",
+		"dev-secret",
+		"default",
+		"template",
+		"demo",
 	}
 
 	for _, indicator := range falsePositiveIndicators {
