|
| 1 | +# SOW-0015 - Codacy Scope And Maintainability |
| 2 | + |
| 3 | +## Status |
| 4 | + |
| 5 | +Status: in-progress |
| 6 | + |
| 7 | +Sub-state: Codacy test/bench exclusion and refreshed production-source maintainability baseline in progress. |
| 8 | + |
| 9 | +## Requirements |
| 10 | + |
| 11 | +### Purpose |
| 12 | + |
| 13 | +Keep Codacy complexity and duplication signals useful for production SDK hygiene by excluding test/benchmark code from Codacy maintainability metrics, then continue improving real production files one file at a time without hiding useful rules. |
| 14 | + |
| 15 | +### User Request |
| 16 | + |
| 17 | +The user approved proceeding after the assistant reported that test/bench exclusion was not properly completed and recommended committing/importing Codacy global excludes for `tests/**` and `bench/**`, reanalyzing Codacy, then continuing file-by-file on remaining production files. |
| 18 | + |
| 19 | +### Assistant Understanding |
| 20 | + |
| 21 | +Facts: |
| 22 | + |
| 23 | +- Codacy Cloud currently reports 0 issues, 88% coverage, 42% complex files, and 41% duplicated files for commit `dbf77a8595b01e3e335db41883d2d5f8b72dfac7`. |
| 24 | +- `.codacy/codacy.config.json` currently has top-level `"exclude": []`, so test and benchmark paths are not globally excluded in the committed local Codacy configuration. |
| 25 | +- The installed Codacy Cloud CLI skill states that committing `.codacy/codacy.config.json` does not by itself change Codacy Cloud; `codacy tools ... --import` is required. |
| 26 | +- `SOW-0013` recorded the decision to keep complexity and duplication metrics active and fix real source hotspots. |
| 27 | +- `SOW-0014` already implemented substantial production-source organization work, including C protocol splits, Rust/Go lookup codec splits, Rust raw service splits, and C service splits. |
| 28 | + |
| 29 | +Inferences: |
| 30 | + |
| 31 | +- Excluding test and benchmark paths should make Codacy maintainability percentages closer to the production SDK surface the user wants to improve. |
| 32 | +- Remaining production-source complexity and duplication should be selected from fresh Codacy data after the exclusion is applied and reanalysis completes. |
| 33 | + |
| 34 | +Unknowns: |
| 35 | + |
| 36 | +- Which production files remain above Codacy's complexity and duplication goals after Codacy reanalyzes with `tests/**` and `bench/**` excluded. |
| 37 | +- Whether Codacy Cloud reports file-level metric contributors through the CLI; if not, local Lizard/JSCPD approximations will be used for the next file decision. |
| 38 | + |
| 39 | +### Acceptance Criteria |
| 40 | + |
| 41 | +- `.codacy/codacy.config.json` excludes `tests/**` and `bench/**` at global scope. |
| 42 | +- The Codacy configuration is imported to Codacy Cloud. |
| 43 | +- Codacy Cloud reanalysis is triggered and checked after import. |
| 44 | +- Refreshed metrics are recorded. |
| 45 | +- The next production-file maintainability target is selected with evidence. |
| 46 | +- Validation passes for changed configuration and SOW state. |
| 47 | + |
| 48 | +## Analysis |
| 49 | + |
| 50 | +Sources checked: |
| 51 | + |
| 52 | +- `.codacy/codacy.config.json` |
| 53 | +- `.github/codeql.yml` |
| 54 | +- `.agents/sow/done/SOW-0013-20260603-codacy-metrics-investigation.md` |
| 55 | +- `.agents/sow/done/SOW-0014-20260603-maintainability-hotspots.md` |
| 56 | +- `~/.agents/skills/configure-codacy/SKILL.md` |
| 57 | +- `~/.agents/skills/codacy-cloud-cli/SKILL.md` |
| 58 | +- Codacy Cloud CLI repository query for `gh/netdata/plugin-ipc` |
| 59 | + |
| 60 | +Current state: |
| 61 | + |
| 62 | +- Codacy Cloud latest analyzed commit is `dbf77a8595b01e3e335db41883d2d5f8b72dfac7`. |
| 63 | +- Codacy Cloud metrics are: 0 issues, 107960 LOC, 88% coverage, 42% complex files, and 41% duplicated files. |
| 64 | +- Codacy Cloud goals are: max duplicated files 10%, max complex files 10%, file duplication block threshold 1, and file complexity value threshold 20. |
| 65 | +- `.codacy/codacy.config.json` has partial Opengrep tool-specific excludes for a few Windows fixture files, but top-level global excludes are empty. |
| 66 | +- CodeQL is intentionally broader and still scans `src`, `tests`, and `bench`; this SOW is about Codacy maintainability scope, not weakening GitHub code scanning. |
| 67 | + |
| 68 | +Risks: |
| 69 | + |
| 70 | +- Global Codacy excludes may remove Codacy issue scanning for test/bench paths, not only complexity/duplication metrics. |
| 71 | +- If Codacy Cloud import changes more than the global excludes, the Cloud configuration could drift unexpectedly. |
| 72 | +- If Codacy does not expose file-level complexity/duplication contributors through the CLI, the next-file decision needs local approximation plus dashboard confirmation. |
| 73 | + |
| 74 | +## Pre-Implementation Gate |
| 75 | + |
| 76 | +Status: ready. |
| 77 | + |
| 78 | +Problem / root-cause model: |
| 79 | + |
| 80 | +- Codacy maintainability percentages are still calculated with committed global exclusions set to an empty list. |
| 81 | +- Test and benchmark code is large and intentionally repetitive; including it in Codacy maintainability metrics makes production-source hygiene harder to read. |
| 82 | +- Previous production-source cleanup started and reduced real complexity/duplication, but follow-on target selection should use fresh metrics after Codacy scope is corrected. |
| 83 | + |
| 84 | +Evidence reviewed: |
| 85 | + |
| 86 | +- `.codacy/codacy.config.json:8185` has top-level `"exclude": []`. |
| 87 | +- `.codacy/codacy.config.json:7154` has only tool-specific Opengrep excludes for selected fixtures. |
| 88 | +- `SOW-0013` records the decision to keep complexity and duplication metrics active and treat real source hotspots as remediation work. |
| 89 | +- `SOW-0014` records completed C/Rust/Go production-source organization work and says further complexity or duplication work should start from fresh Codacy/GitHub evidence. |
| 90 | +- Codacy Cloud CLI repository query reports current metrics for commit `dbf77a8595b01e3e335db41883d2d5f8b72dfac7`. |
| 91 | +- Codacy Cloud CLI skill states `.codacy/codacy.config.json` is local-only until imported with `codacy tools ... --import`. |
| 92 | + |
| 93 | +Affected contracts and surfaces: |
| 94 | + |
| 95 | +- Local Codacy configuration file `.codacy/codacy.config.json`. |
| 96 | +- Codacy Cloud repository configuration after import. |
| 97 | +- Codacy Cloud maintainability metrics and issue scope. |
| 98 | +- SOW lifecycle records. |
| 99 | +- No protocol, API, wire format, runtime behavior, or public SDK behavior should change during the exclusion step. |
| 100 | + |
| 101 | +Existing patterns to reuse: |
| 102 | + |
| 103 | +- Preserve strong CodeQL and GitHub static-analysis coverage; do not alter `.github/codeql.yml` in this SOW unless evidence proves it is necessary. |
| 104 | +- Preserve Codacy rules and tools; this scope change should exclude non-production paths rather than disable useful rules. |
| 105 | +- Follow SOW-0014's one-file-at-a-time maintainability workflow for production-source remediation. |
| 106 | + |
| 107 | +Risk and blast radius: |
| 108 | + |
| 109 | +- Low runtime risk for the exclusion step because no product code changes are expected. |
| 110 | +- Medium quality-reporting risk because global Codacy excludes may also suppress Codacy issues in tests/bench paths. |
| 111 | +- Low to medium future implementation risk for the next production-file cleanup, depending on the selected file. |
| 112 | + |
| 113 | +Sensitive data handling plan: |
| 114 | + |
| 115 | +- Do not read `.env`. |
| 116 | +- Do not write raw secrets, credentials, tokens, customer data, personal data, private endpoints, or proprietary details into durable artifacts. |
| 117 | +- Codacy CLI output will be summarized without recording account tokens or credentials. |
| 118 | + |
| 119 | +Implementation plan: |
| 120 | + |
| 121 | +1. Update `.codacy/codacy.config.json` global excludes to include `tests/**` and `bench/**`. |
| 122 | +2. Validate JSON syntax and run local Codacy analysis enough to prove the config is accepted. |
| 123 | +3. Commit and push the configuration and SOW record. |
| 124 | +4. Import the committed Codacy configuration into Codacy Cloud and trigger reanalysis. |
| 125 | +5. Record refreshed Codacy metrics. |
| 126 | +6. Select the next production-file maintainability target from refreshed Codacy data or local production-source approximation if Codacy does not expose contributors. |
| 127 | + |
| 128 | +Validation plan: |
| 129 | + |
| 130 | +- `jq empty .codacy/codacy.config.json` |
| 131 | +- `codacy-analysis analyze --output-format json` with the updated configuration. |
| 132 | +- `codacy tools gh netdata plugin-ipc --import -y` |
| 133 | +- `codacy repository gh netdata plugin-ipc --reanalyze` |
| 134 | +- Re-query Codacy Cloud metrics after reanalysis completes. |
| 135 | +- `git diff --check` |
| 136 | +- `bash .agents/sow/audit.sh` |
| 137 | + |
| 138 | +Artifact impact plan: |
| 139 | + |
| 140 | +- AGENTS.md: no workflow or guardrail change expected. |
| 141 | +- Runtime project skills: no reusable workflow change expected. |
| 142 | +- Specs: no protocol/API behavior change expected. |
| 143 | +- End-user/operator docs: no public SDK docs change expected. |
| 144 | +- End-user/operator skills: no exported/operator skill change expected. |
| 145 | +- SOW lifecycle: new current SOW because this is a new Codacy scope correction plus next maintainability pass. |
| 146 | + |
| 147 | +Open-source reference evidence: |
| 148 | + |
| 149 | +- No external open-source reference is needed; this is repository-specific Codacy configuration and local source hygiene work. |
| 150 | + |
| 151 | +Open decisions: |
| 152 | + |
| 153 | +- Resolved: the user approved proceeding with Codacy test/bench exclusion and continued production-source maintainability work. |
| 154 | + |
| 155 | +## Implications And Decisions |
| 156 | + |
| 157 | +1. Codacy scope |
| 158 | + |
| 159 | +- Decision: exclude `tests/**` and `bench/**` from Codacy global analysis scope. |
| 160 | +- Benefit: Codacy complexity and duplication percentages should better represent production SDK files. |
| 161 | +- Implication: Codacy will likely stop reporting issues from test and benchmark paths too, not only maintainability metrics. |
| 162 | +- Mitigation: GitHub CodeQL and static-analysis workflows continue scanning test and benchmark paths separately. |
| 163 | + |
| 164 | +2. Production-source maintainability |
| 165 | + |
| 166 | +- Decision: continue one production file at a time after refreshed metrics. |
| 167 | +- Benefit: avoids broad mechanical refactors and keeps review/validation tractable. |
| 168 | +- Implication: metric reduction will be incremental, not a single bulk cleanup. |
| 169 | +- Mitigation: each target will use file-level evidence and validation appropriate to the touched language/runtime surface. |
| 170 | + |
| 171 | +## Plan |
| 172 | + |
| 173 | +1. Correct Codacy scope and import it to Cloud. |
| 174 | +2. Reanalyze Codacy and record refreshed metrics. |
| 175 | +3. Build the next production-file candidate list. |
| 176 | +4. Start the next low-risk production-file cleanup only after evidence shows the target and the intended refactor. |
| 177 | + |
| 178 | +## Execution Log |
| 179 | + |
| 180 | +### 2026-06-05 |
| 181 | + |
| 182 | +- Started SOW after user approval to proceed. |
| 183 | +- Updated `.codacy/codacy.config.json` global excludes from `[]` to: |
| 184 | + - `bench/**` |
| 185 | + - `tests/**` |
| 186 | +- Verified this is a Codacy-only scope change; `.github/codeql.yml` still scans `src`, `tests`, and `bench`. |
| 187 | +- Ran local Codacy analysis with the updated config: |
| 188 | + - total issues: 0. |
| 189 | + - Checkov: 10 files, 0 issues. |
| 190 | + - Opengrep/Semgrep: 264 files, 0 issues. |
| 191 | + - Trivy: 265 files, 0 issues. |
| 192 | + - cppcheck: 45 files, 0 issues. |
| 193 | + - ShellCheck: 3 files, 0 issues. |
| 194 | + - Spectral: 10 files, 0 issues. |
| 195 | + |
| 196 | +## Validation |
| 197 | + |
| 198 | +Acceptance criteria evidence: |
| 199 | + |
| 200 | +- Pending. |
| 201 | + |
| 202 | +Tests or equivalent validation: |
| 203 | + |
| 204 | +- Pending. |
| 205 | + |
| 206 | +Real-use evidence: |
| 207 | + |
| 208 | +- Pending. |
| 209 | + |
| 210 | +Reviewer findings: |
| 211 | + |
| 212 | +- No external reviewer used yet. |
| 213 | + |
| 214 | +Same-failure scan: |
| 215 | + |
| 216 | +- Pending. |
| 217 | + |
| 218 | +Sensitive data gate: |
| 219 | + |
| 220 | +- Pending final scan. |
| 221 | + |
| 222 | +Artifact maintenance gate: |
| 223 | + |
| 224 | +- AGENTS.md: pending. |
| 225 | +- Runtime project skills: pending. |
| 226 | +- Specs: pending. |
| 227 | +- End-user/operator docs: pending. |
| 228 | +- End-user/operator skills: pending. |
| 229 | +- SOW lifecycle: pending. |
| 230 | + |
| 231 | +Specs update: |
| 232 | + |
| 233 | +- Pending. |
| 234 | + |
| 235 | +Project skills update: |
| 236 | + |
| 237 | +- Pending. |
| 238 | + |
| 239 | +End-user/operator docs update: |
| 240 | + |
| 241 | +- Pending. |
| 242 | + |
| 243 | +End-user/operator skills update: |
| 244 | + |
| 245 | +- Pending. |
| 246 | + |
| 247 | +Lessons: |
| 248 | + |
| 249 | +- Pending. |
| 250 | + |
| 251 | +Follow-up mapping: |
| 252 | + |
| 253 | +- Pending. |
| 254 | + |
| 255 | +## Outcome |
| 256 | + |
| 257 | +Pending. |
| 258 | + |
| 259 | +## Lessons Extracted |
| 260 | + |
| 261 | +Pending. |
| 262 | + |
| 263 | +## Followup |
| 264 | + |
| 265 | +None yet. |
| 266 | + |
| 267 | +## Regression Log |
| 268 | + |
| 269 | +None yet. |
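Review bot: the drift risk named under Risks (line 71, "If Codacy Cloud import changes more than the global excludes") has no matching check in the Acceptance Criteria or the Validation plan, while line 132 runs the import as `codacy tools gh netdata plugin-ipc --import -y`. Consider adding a criterion that the Cloud tool and pattern configuration is captured before and after the import and compared, so the record shows that only the global `exclude` list changed. A related gap is in the Mitigation at line 162, which names only CodeQL and static-analysis workflows, while the Execution Log (lines 189 to 194) shows Checkov, Opengrep/Semgrep, Trivy, cppcheck, ShellCheck and Spectral running under Codacy. The SOW does not say which of those checks still reach `tests/**` and `bench/**` through another workflow, and the log records file counts only after the exclusion. Recording the per-tool file counts from before the change, and listing which tool categories lose coverage on those paths, would let a reader verify the "Medium quality-reporting risk" at line 110. Smaller point: the evidence references `.codacy/codacy.config.json:8185` and `:7154` will go stale as soon as the file is edited, so pinning them to the commit hash already cited in the SOW would keep them checkable.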