fix(audit): exempt test code from layer-2 CRITICAL-pattern gate #45
Merged
Observation-period unfreeze (2026-05-08 → 2026-06-01). 3 of 7 Layer-1 findings were test-code false positives: .expect()/panic!()/.unwrap() are idiomatic in tests and never run on the host. The gate's -U0 diff carries no enclosing-attribute context, so the scanner now reads each flagged file and brace-matches #[cfg(test)] modules and #[test]/#[<rt>::test] functions to compute test-scope line ranges; whole test files (tests.rs, tests/, *_test.rs) are exempted outright. Strings/comments are stripped before brace counting; unbalanced blocks are not exempted (bias toward flagging). Records the full observation-period triage in docs/audits/observed-fp.md (3 prod expects already remediated to .ok()/removed; 1 justified prod expect; LLM-dispatch kept stubbed).
What
Exempt test code from the Layer-2 pre-commit audit gate's CRITICAL-pattern scan (.expect()/panic!()/.unwrap()/unsafe/shell-out).
Why — observation-period unfreeze
The three-layer audit workflow ran frozen (C-layer) from 2026-05-08 to 2026-06-01. Triaging the accumulated Layer-1 findings (.audit-state/findings.log, 7 CRITICAL hits):
.expect()/panic!() in tests.rs, an inline #[cfg(test)] mod helper, and a test assertion
.expect() Regex::new(pat).ok(); provenance.rs → removed
from_utf8(...).expect(...) with a documented SAFETY invariant
Signal: the gate caught 3 real prod .expect()s (all since remediated) — it works. Its only false-positive class is test code, which is idiomatic and never executes on the host.
How
The gate diffs with -U0, so the enclosing #[cfg(test)] attribute isn't in the diff. The scanner now reads each flagged file and brace-matches to compute test-scope line ranges:
tests.rs, **/tests/**, *_test.rs.
#[cfg(test)] module or a #[test]/#[<runtime>::test] function.
"} {" in a string literal doesn't skew depth.
silently letting a real prod .expect() through.
Verification
Ran the actual scanner block (extracted from the script, no copy) against a synthetic fixture mixing prod and test .expect()s plus a brace-bearing string:
.expect() flagged (lines 2, 16) — including one placed immediately after a test module, proving the range doesn't over-extend.
.expect() exempted (lines 8 inside #[cfg(test)] mod, 13 inside #[test] fn). PASS.
bash -n clean.
Decisions
high enough signal-to-noise ratio; the single justified-but-flagged prod case doesn't justify synchronous per-commit LLM cost. Revisit if such cases grow.
docs/audits/observed-fp.md (gitignored by design — that dir is local Layer-3 observation state).
Scope
Only .claude/workflows/pre-commit-review.sh. No Rust source, no audit-rules.yaml or hook-registration changes.
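The test-scope exemption described under How, as an added Python example that is not the code in pre-commit-review.sh: it blanks strings and comments, brace-matches from each test attribute, and records no range for a block that never closes. The function names, the reduced pattern list and the fixture are assumptions made for illustration, and raw string literals are not handled.

```python
import re

CRITICAL = re.compile(r"\.expect\(|\.unwrap\(|panic!\(")  # subset of the gate's patterns
TEST_ATTR = re.compile(r"#\[\s*(?:cfg\(test\)|(?:\w+::)*test)\s*\]")
# String literals, char literals and comments (raw strings are not handled).
NOISE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])\'|//[^\n]*|/\*.*?\*/', re.S)

def is_test_file(path):
    parts = path.split("/")
    return parts[-1] == "tests.rs" or parts[-1].endswith("_test.rs") or "tests" in parts[:-1]

def blank(src):
    # Overwrite strings/comments with spaces; newlines stay so line numbers hold.
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def exempt_ranges(src):
    code, ranges = blank(src), []
    for attr in TEST_ATTR.finditer(code):
        start = code.find("{", attr.end())
        # A ';' before the first '{' means the attribute is on a braceless item.
        if start < 0 or ";" in code[attr.end():start]:
            continue
        depth = 0
        for i in range(start, len(code)):
            depth += (code[i] == "{") - (code[i] == "}")
            if depth == 0:  # matching close found; an unbalanced block never gets here
                ranges.append((code.count("\n", 0, attr.start()) + 1,
                               code.count("\n", 0, i) + 1))
                break
    return ranges

def flagged_lines(path, src):
    if is_test_file(path):
        return []
    ranges = exempt_ranges(src)
    return [n for n, line in enumerate(src.split("\n"), 1)
            if CRITICAL.search(line) and not any(a <= n <= b for a, b in ranges)]

# Constructed fixture: prod hits on lines 1 and 7, test hits on lines 5 and 9.
FIXTURE = """fn load(p: &str) -> String { std::fs::read_to_string(p).expect("read") }
#[cfg(test)]
mod tests {
    const CLOSE: &str = "}";
    fn helper() -> u32 { "7".parse().expect("num") }
}
fn after_mod() -> u32 { "1".parse().unwrap() }
#[tokio::test]
async fn roundtrip() { load("x").parse::<u32>().unwrap(); }
"""
print(flagged_lines("src/lib.rs", FIXTURE))  # → [1, 7]
```

Without the blanking step, the `"}"` on fixture line 4 would close the module range early and line 5 would be flagged.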