fix(ego-lint): resolve Dash to Panel false positives (-5 FP FAILs, -23 FP WARNs)

ZviBaratz · claude · ZviBaratz · commit 526a868b6eeb · 2026-03-03T13:03:26.000+02:00
Five targeted fixes for false positives found during Dash to Panel field test: 1. R-SEC-03 guard for GPL license headers: `http://www.gnu.org/licenses/` in GPL boilerplate no longer fires (-18 FP WARNs) 2. R-VER48-02 PACKAGE_VERSION guard: `Config.PACKAGE_VERSION >= '48'` recognized as version-compat guard with guard-window: 3 (-2 FP FAILs) 3. skip-comments field for pattern rules: new opt-in that skips matches inside // and /* */ comments. Applied to R-DEPR-05/06 (-3 FP FAILs) 4. guard-window-forward for forward-looking guard: new field that checks N lines after the match. Applied to R-SLOP-24 for multi-line system schema constructors (-5 FP WARNs) 5. Provenance post-filter output fix: R-SLOP-01/02 WARNs deferred until provenance score is known, fixing visual bug where suppressed WARNs still appeared in terminal output Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -44,7 +44,7 @@ bash skills/ego-lint/scripts/ego-lint.sh tests/fixtures/<fixture-name>
 `ego-lint.sh` is the main orchestrator. It uses a three-tier rule system (pattern → structural → semantic) and delegates to sub-scripts via `run_subscript`:
 
 - `rules/patterns.yaml` — Tier 1 pattern rules (124 regex-based, declarative rules). Note: at project root, not under `skills/ego-lint/`
-- `apply-patterns.py` — Tier 1 pattern engine (inline YAML parser, no PyYAML dependency). Supports `guard-pattern` + `guard-window` (sliding `deque` lookback), `replacement-pattern`, `exclude-dirs`, version-gating, `fix-min-version` (suppresses fix text when extension min shell-version is below threshold)
+- `apply-patterns.py` — Tier 1 pattern engine (inline YAML parser, no PyYAML dependency). Supports `guard-pattern` + `guard-window` (sliding `deque` lookback) + `guard-window-forward` (forward peeking), `replacement-pattern`, `exclude-dirs`, version-gating, `fix-min-version` (suppresses fix text when extension min shell-version is below threshold), `skip-comments` (skips matches inside `//` and `/* */` comments)
 - `check-quality.py` — Tier 2 heuristic AI slop detection (try-catch density, impossible states, pendulum patterns, empty catches, _destroyed density, mock detection, constructor resources, run_dispose comment, clipboard disclosure, network disclosure, excessive null checks, repeated getSettings, obfuscated names, mixed indentation, excessive logging, code provenance)
 - `check-metadata.py` — JSON validity, required fields, UUID format/match, shell-version (with VALID_GNOME_VERSIONS allowlist), session-modes, settings-schema, version-name, donations, gettext-domain consistency
 - `check-init.py` — Init-time Shell modification, GObject constructor detection (extension.js only; all GI namespaces, GObject.registerClass exempt, GLib value types exempt), Gio._promisify placement
@@ -67,7 +67,7 @@ Additional tooling:
 
 ### Three-tier rule system
 
-- **Tier 1 (patterns.yaml)**: 124 regex rules in YAML, processed by `apply-patterns.py`. Covers web APIs, deprecated APIs, security (telemetry, curl/gsettings spawn, base64), logging, import segregation, AI slop signals, subprocess safety, i18n, GSettings bind flags, GNOME 44-50 migration, code quality advisories. Add new rules by editing `rules/patterns.yaml`. Advanced fields: `min-version`/`max-version` (version-gating), `guard-pattern` + `guard-window` (line-level suppression with configurable lookback), `replacement-pattern` (file-level suppression), `exclude-dirs`.
+- **Tier 1 (patterns.yaml)**: 124 regex rules in YAML, processed by `apply-patterns.py`. Covers web APIs, deprecated APIs, security (telemetry, curl/gsettings spawn, base64), logging, import segregation, AI slop signals, subprocess safety, i18n, GSettings bind flags, GNOME 44-50 migration, code quality advisories. Add new rules by editing `rules/patterns.yaml`. Advanced fields: `min-version`/`max-version` (version-gating), `guard-pattern` + `guard-window` (line-level suppression with configurable lookback) + `guard-window-forward` (forward peeking), `replacement-pattern` (file-level suppression), `exclude-dirs`, `skip-comments` (comment-aware matching).
 - **Tier 2 (scripts)**: 17 structural heuristic check scripts in Python/bash. `check-quality.py` (AI slop heuristics), `check-init.py` (init-time safety), `check-lifecycle.py` (enable/disable symmetry + timeout verification), `check-resources.py` + `build-resource-graph.py` (cross-file resource tracking), `check-disclosures.py` (clipboard/network disclosure), `check-polkit.py` (polkit policy validation), `check-schema-usage.py` (unused/undefined schema keys), `check-accessibility.py` (a11y checks), plus metadata, prefs, GObject, async, CSS, imports, schema, and package checks. `ego-lint.sh` also has an inline minified JS check, code metrics, and a provenance-gated post-filter that suppresses R-SLOP-01/02 JSDoc warnings when `quality/code-provenance` score >= 4.
 - **Tier 3 (checklists)**: 6 semantic review checklists in `skills/ego-review/references/`: lifecycle, security, code-quality (with 10 additional quality items), ai-slop (46-item scoring model), licensing, accessibility (7 items). Applied by Claude during `ego-review` phases.
 
diff --git a/rules/README.md b/rules/README.md
@@ -176,6 +176,46 @@ if (global.compositor) {
 - Only use when the default 1-line lookback is insufficient — most guards are on the same or previous line
 - Keep the window as small as practical to avoid false suppressions
 
+### Forward Guard Lookback (`guard-window-forward`)
+
+When the guard evidence appears _after_ the flagged pattern (e.g., in a multi-line constructor), use `guard-window-forward` to look ahead:
+
+```yaml
+- id: R-SLOP-24
+  pattern: "\\bnew\\s+Gio\\.Settings\\s*\\("
+  guard-pattern: "schema.*org\\.gnome\\.(?!shell\\.extensions\\.)|KEYBINDINGS_SCHEMA"
+  guard-window-forward: 2
+```
+
+This checks the next 2 lines after the matched line for the guard pattern. The typical case is a multi-line constructor:
+
+```js
+this._mutter = new Gio.Settings({           // ← pattern fires here
+    schema_id: 'org.gnome.mutter'            // ← guard matches here (forward +1)
+});
+```
+
+**Guidelines:**
+- Set `guard-window-forward` to the maximum expected distance between the flagged pattern and the guard evidence
+- Can be combined with `guard-window` for bidirectional lookback
+- Keep the window as small as practical to avoid false suppressions
+
+### Comment Skipping (`skip-comments`)
+
+When a rule should not match inside comments (e.g., deprecated API names mentioned in code comments), use `skip-comments: true`:
+
+```yaml
+- id: R-DEPR-06
+  pattern: "\\bTweener\\b"
+  skip-comments: true
+```
+
+This skips matches inside `//` single-line comments and `/* */` block comments (including multi-line). Code on the same line as a comment is still checked — only the portion after `//` or between `/* */` is skipped.
+
+**Use cases:**
+- Deprecated API names mentioned in migration comments
+- Commented-out legacy code that hasn't been removed
+
 ### Fix Version Gating (`fix-min-version`)
 
 When a deprecation rule suggests a fix that only works on newer GNOME versions, use `fix-min-version` to suppress the fix text for extensions whose minimum shell-version is below the threshold. The warning still fires (developers should know about deprecations), but the fix suggestion is omitted when applying it would break backward compatibility.
diff --git a/rules/patterns.yaml b/rules/patterns.yaml
@@ -147,6 +147,7 @@
   message: "ExtensionUtils removed in GNOME 45+; use Extension/ExtensionPreferences class methods"
   category: deprecated
   fix: "Use this.getSettings(), this.gettext(), this.path, etc. from the Extension base class"
+  skip-comments: true
 
 - id: R-DEPR-06
   pattern: "\\bTweener\\b"
@@ -155,6 +156,7 @@
   message: "Tweener is removed; use Clutter animation framework"
   category: deprecated
   fix: "Use actor.ease({property: value, duration: ms, mode: Clutter.AnimationMode.EASE_OUT_QUAD})."
+  skip-comments: true
 
 - id: R-DEPR-07
   pattern: "imports\\.misc\\.convenience"
@@ -233,6 +235,7 @@
   message: "Use HTTPS instead of HTTP for network requests"
   category: security
   fix: "Change http:// to https://."
+  guard-pattern: "gnu\\.org/licenses|General Public License"
 
 - id: R-SEC-04
   pattern: "\\bsudo\\b"
@@ -671,7 +674,8 @@
   message: "new Gio.Settings() is incorrect in GNOME 45+; use this.getSettings() from Extension base class"
   category: ai-slop
   fix: "Use this.getSettings() in Extension subclass or this.getSettings() in ExtensionPreferences"
-  guard-pattern: "schema.*org\\.gnome\\.(?!shell\\.extensions\\.)"
+  guard-pattern: "schema.*org\\.gnome\\.(?!shell\\.extensions\\.)|KEYBINDINGS_SCHEMA"
+  guard-window-forward: 2
   exclude-dirs: ["service"]
 
 - id: R-SLOP-25
@@ -917,7 +921,8 @@
   category: version-compat
   fix: "Access via global.compositor instead of Meta directly"
   min-version: 48
-  guard-pattern: "if\\s*\\(\\s*Meta\\.disable_unredirect"
+  guard-pattern: "if\\s*\\(\\s*Meta\\.disable_unredirect|PACKAGE_VERSION.*['\"]4[89]|PACKAGE_VERSION.*['\"][5-9]"
+  guard-window: 3
 
 - id: R-VER48-03
   pattern: "\\bCursorTracker\\.get_for_display\\b"
diff --git a/skills/ego-lint/scripts/apply-patterns.py b/skills/ego-lint/scripts/apply-patterns.py
@@ -295,6 +295,10 @@ def main():
             guard_window = max(1, int(rule.get('guard-window', '1')))
         except (ValueError, TypeError):
             guard_window = 1
+        try:
+            guard_window_fwd = max(0, int(rule.get('guard-window-forward', '0')))
+        except (ValueError, TypeError):
+            guard_window_fwd = 0
 
         for scope in scopes:
             # Expand glob relative to extension dir
@@ -327,22 +331,69 @@ def main():
                     if replacement and replacement in file_content:
                         continue
 
+                    skip_comments = rule.get('skip-comments', '') == 'true'
+                    in_block_comment = False
+                    lines = file_content.splitlines(True)
                     line_buffer = deque(maxlen=guard_window)
-                    for lineno, line in enumerate(file_content.splitlines(True), 1):
+                    for line_idx in range(len(lines)):
+                        line = lines[line_idx]
+                        lineno = line_idx + 1
+                        # Track block comment state for skip-comments
+                        if skip_comments:
+                            if in_block_comment:
+                                if '*/' in line:
+                                    in_block_comment = False
+                                    # Line may have code after */
+                                    after_close = line[line.index('*/') + 2:]
+                                    if '/*' in after_close:
+                                        in_block_comment = True
+                                line_buffer.append(line)
+                                continue
+                            if '/*' in line:
+                                # Check if block comment closes on same line
+                                bc_start = line.index('/*')
+                                rest = line[bc_start + 2:]
+                                if '*/' in rest:
+                                    # Single-line block comment — check if match is inside
+                                    bc_end = bc_start + 2 + rest.index('*/')
+                                    m = compiled.search(line)
+                                    if m and bc_start <= m.start() < bc_end:
+                                        line_buffer.append(line)
+                                        continue
+                                else:
+                                    # Multi-line block comment starts here
+                                    m = compiled.search(line)
+                                    if m and m.start() >= bc_start:
+                                        in_block_comment = True
+                                        line_buffer.append(line)
+                                        continue
+                                    in_block_comment = True
                         if compiled.search(line):
+                            # Skip matches inside single-line comments
+                            if skip_comments and '//' in line:
+                                comment_pos = line.index('//')
+                                m = compiled.search(line)
+                                if m and m.start() >= comment_pos:
+                                    line_buffer.append(line)
+                                    continue
                             # Check for inline suppression (prev_line = last item in buffer)
                             prev_line = line_buffer[-1] if line_buffer else ''
                             if _is_suppressed(line, prev_line, rid):
                                 line_buffer.append(line)
                                 continue
-                            # Check guard-pattern: if guard matches
-                            # current line or any line in the lookback
-                            # window, suppress (runtime feature detection)
+                            # Check guard-pattern: backward lookback window
                             if guard_re and (guard_re.search(line) or
                                              any(guard_re.search(bl)
                                                  for bl in line_buffer)):
                                 line_buffer.append(line)
                                 continue
+                            # Check guard-pattern: forward look window
+                            if guard_re and guard_window_fwd > 0:
+                                fwd_end = min(line_idx + guard_window_fwd + 1, len(lines))
+                                if any(guard_re.search(lines[j])
+                                       for j in range(line_idx + 1, fwd_end)):
+                                    line_buffer.append(line)
+                                    continue
                             rel = os.path.relpath(filepath, ext_dir)
                             if deduplicate:
                                 dedup_files.add(rel)
diff --git a/skills/ego-lint/scripts/ego-lint.sh b/skills/ego-lint/scripts/ego-lint.sh
@@ -76,6 +76,7 @@ FAIL_COUNT=0
 WARN_COUNT=0
 PASS_COUNT=0
 SKIP_COUNT=0
+DEFERRED_SLOP_JSDOC=()  # R-SLOP-01/02 WARNs deferred until provenance score is known
 
 # ---------------------------------------------------------------------------
 # Output helpers
@@ -153,7 +154,13 @@ run_pattern_rules() {
         check="${check%"${check##*[![:space:]]}"}"
         detail="${detail#"${detail%%[![:space:]]*}"}"
         detail="${detail%"${detail##*[![:space:]]}"}"
-        print_result "$status" "$check" "$detail"
+        # Defer R-SLOP-01/02 WARNs until provenance score is known
+        if [[ "$status" == "WARN" && "$check" =~ ^R-SLOP-0[12]$ ]]; then
+            DEFERRED_SLOP_JSDOC+=("${status}|${check}|${detail}")
+            WARN_COUNT=$((WARN_COUNT + 1))
+        else
+            print_result "$status" "$check" "$detail"
+        fi
     done <<< "$output"
 }
 
@@ -570,17 +577,24 @@ if provenance_line=$(grep 'quality/code-provenance' "$RESULTS_FILE" 2>/dev/null)
     fi
 fi
 
-if [[ "$provenance_score" -ge 4 ]]; then
-    slop_jsdoc_count=$(grep -cE '^WARN\|R-SLOP-0[12]\|' "$RESULTS_FILE" 2>/dev/null || echo 0)
-    if [[ "$slop_jsdoc_count" -gt 0 ]]; then
-        tmp_results="$(mktemp)"
-        grep -vE '^WARN\|R-SLOP-0[12]\|' "$RESULTS_FILE" > "$tmp_results"
-        mv "$tmp_results" "$RESULTS_FILE"
-        WARN_COUNT=$((WARN_COUNT - slop_jsdoc_count))
-        PASS_COUNT=$((PASS_COUNT + 1))
-        print_result "PASS" "provenance/jsdoc-suppressed" \
-            "Suppressed $slop_jsdoc_count JSDoc warnings (R-SLOP-01/02) — provenance score $provenance_score indicates hand-written code"
-    fi
+deferred_count=${#DEFERRED_SLOP_JSDOC[@]}
+if [[ "$provenance_score" -ge 4 && "$deferred_count" -gt 0 ]]; then
+    # Suppress deferred R-SLOP-01/02 WARNs (high provenance = intentional JSDoc)
+    WARN_COUNT=$((WARN_COUNT - deferred_count))
+    PASS_COUNT=$((PASS_COUNT + 1))
+    print_result "PASS" "provenance/jsdoc-suppressed" \
+        "Suppressed $deferred_count JSDoc warnings (R-SLOP-01/02) — provenance score $provenance_score indicates hand-written code"
+else
+    # Flush deferred entries (low provenance or no deferred entries)
+    for entry in "${DEFERRED_SLOP_JSDOC[@]}"; do
+        _df_status="${entry%%|*}"
+        _df_rest="${entry#*|}"
+        _df_check="${_df_rest%%|*}"
+        _df_detail="${_df_rest#*|}"
+        _df_display="${_df_detail%%|fix:*}"
+        printf "[%-4s] %-38s %s\n" "$_df_status" "$_df_check" "$_df_display"
+        echo "${entry}" >> "$RESULTS_FILE"
+    done
 fi
 
 # ---------------------------------------------------------------------------
diff --git a/tests/assertions/dash-to-panel-fixes.sh b/tests/assertions/dash-to-panel-fixes.sh
@@ -0,0 +1,31 @@
+# Dash to Panel field test — FP fixes
+# Sourced by run-tests.sh — uses run_lint, assert_output_contains, assert_exit_code, etc.
+
+# --- gpl-license-header (R-SEC-03 guard for GPL boilerplate URLs) ---
+echo "=== gpl-license-header ==="
+run_lint "gpl-license-header@test"
+assert_exit_code "exits with 0 (advisory only)" 0
+assert_output_not_contains "R-SEC-03 suppressed for GPL license URL" "\[WARN\].*R-SEC-03.*gnu\.org"
+assert_output_contains "R-SEC-03 still fires on real HTTP URL" "\[WARN\].*R-SEC-03"
+echo ""
+
+# --- version-guard-pkgver (R-VER48-02 guard for PACKAGE_VERSION) ---
+echo "=== version-guard-pkgver ==="
+run_lint "version-guard-pkgver@test"
+assert_exit_code "exits with 0 (version guard suppresses R-VER48-02)" 0
+assert_output_not_contains "no FAIL for R-VER48-02 with PACKAGE_VERSION guard" "\[FAIL\].*R-VER48-02"
+echo ""
+
+# --- deprecated-in-comments (skip-comments for R-DEPR-05/06) ---
+echo "=== deprecated-in-comments ==="
+run_lint "deprecated-in-comments@test"
+assert_exit_code "exits with 0 (comments skipped)" 0
+assert_output_not_contains "R-DEPR-06 not fired in comment" "\[FAIL\].*R-DEPR-06"
+assert_output_not_contains "R-DEPR-05 not fired in comment" "\[FAIL\].*R-DEPR-05"
+echo ""
+
+# --- system-gsettings-multiline (R-SLOP-24 guard-window-forward) ---
+echo "=== system-gsettings-multiline ==="
+run_lint "system-gsettings-multiline@test"
+assert_output_not_contains "R-SLOP-24 suppressed for multiline system schema" "\[WARN\].*R-SLOP-24"
+echo ""
diff --git a/tests/assertions/provenance-jsdoc.sh b/tests/assertions/provenance-jsdoc.sh
@@ -7,4 +7,5 @@ run_lint "high-provenance-jsdoc@test"
 assert_exit_code "exits with 0 (no failures)" 0
 assert_output_contains "provenance suppresses JSDoc" "provenance/jsdoc-suppressed"
 assert_output_contains "provenance score 4+" "provenance-score=[4-9]"
+assert_output_not_contains "JSDoc WARNs suppressed from output" "\[WARN\].*R-SLOP-0[12]"
 echo ""
diff --git a/tests/fixtures/deprecated-in-comments@test/LICENSE b/tests/fixtures/deprecated-in-comments@test/LICENSE
@@ -0,0 +1 @@
+SPDX-License-Identifier: GPL-2.0-or-later
diff --git a/tests/fixtures/deprecated-in-comments@test/extension.js b/tests/fixtures/deprecated-in-comments@test/extension.js
@@ -0,0 +1,10 @@
+import {Extension} from 'resource:///org/gnome/shell/extensions/extension.js';
+
+// The original animations used Tweener instead of Clutter animations
+// this._settings = ExtensionUtils.getSettings('org.test.extension');
+/* ExtensionUtils was the old way */
+
+export default class CommentTestExtension extends Extension {
+    enable() {}
+    disable() {}
+}
diff --git a/tests/fixtures/deprecated-in-comments@test/metadata.json b/tests/fixtures/deprecated-in-comments@test/metadata.json
@@ -0,0 +1,7 @@
+{
+    "uuid": "deprecated-in-comments@test",
+    "name": "Deprecated in Comments Test",
+    "description": "Tests skip-comments for R-DEPR-05/06",
+    "shell-version": ["48"],
+    "url": "https://example.com"
+}
diff --git a/tests/fixtures/gpl-license-header@test/LICENSE b/tests/fixtures/gpl-license-header@test/LICENSE
@@ -0,0 +1 @@
+SPDX-License-Identifier: GPL-2.0-or-later
diff --git a/tests/fixtures/gpl-license-header@test/extension.js b/tests/fixtures/gpl-license-header@test/extension.js
@@ -0,0 +1,23 @@
+// Copyright 2024 Test Author
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 2 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import {Extension} from 'resource:///org/gnome/shell/extensions/extension.js';
+
+// This URL should still fire R-SEC-03 (not a license URL)
+const API_URL = 'http://example.com/api';
+
+export default class LicenseHeaderExtension extends Extension {
+    enable() {}
+    disable() {}
+}
diff --git a/tests/fixtures/gpl-license-header@test/metadata.json b/tests/fixtures/gpl-license-header@test/metadata.json
@@ -0,0 +1,7 @@
+{
+    "uuid": "gpl-license-header@test",
+    "name": "GPL License Header Test",
+    "description": "Tests R-SEC-03 guard for GPL license boilerplate URLs",
+    "shell-version": ["48"],
+    "url": "https://example.com"
+}
diff --git a/tests/fixtures/system-gsettings-multiline@test/LICENSE b/tests/fixtures/system-gsettings-multiline@test/LICENSE
@@ -0,0 +1 @@
+SPDX-License-Identifier: GPL-2.0-or-later
diff --git a/tests/fixtures/system-gsettings-multiline@test/extension.js b/tests/fixtures/system-gsettings-multiline@test/extension.js
diff --git a/tests/fixtures/system-gsettings-multiline@test/metadata.json b/tests/fixtures/system-gsettings-multiline@test/metadata.json
diff --git a/tests/fixtures/version-guard-pkgver@test/LICENSE b/tests/fixtures/version-guard-pkgver@test/LICENSE
diff --git a/tests/fixtures/version-guard-pkgver@test/extension.js b/tests/fixtures/version-guard-pkgver@test/extension.js
diff --git a/tests/fixtures/version-guard-pkgver@test/metadata.json b/tests/fixtures/version-guard-pkgver@test/metadata.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+SPDX-License-Identifier: GPL-2.0-or-later`