fix(lint): eliminate G602 and guard ResolveSizing on abstract sizes only

intel352 · claude · intel352 · commit 10abef99449d · 2026-04-23T17:56:54.000-04:00
Two related fixes to the ResolveSizing loop in applyWithProviderAndStore: 1. G602 (gosec slice index out-of-range false positive): replace indexing via specs[i] with a local pointer `spec := &specs[i]` so gosec can confirm the slice access is safe. 2. isAbstractSize guard (Copilot #2): add isAbstractSize helper that returns true only for xs/s/m/l/xl. ResolveSizing is now skipped for provider-specific slugs (e.g. "db-s-1vcpu-1gb") which are already concrete and must not be re-resolved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/cmd/wfctl/infra_apply.go b/cmd/wfctl/infra_apply.go
@@ -191,23 +191,26 @@ func applyWithProviderAndStore(ctx context.Context, provider interfaces.IaCProvi
 
 	// Resolve abstract sizing tiers into concrete provider-specific values
 	// (e.g. Size: "m" → instance_type: "s-1vcpu-2gb") for each spec that
-	// declares a Size. The resolved values are merged into spec.Config so that
-	// plan output and apply are always in sync.
+	// declares an abstract Size tier. Provider-specific slugs (e.g.
+	// "db-s-1vcpu-1gb") are passed through as-is to avoid double-resolution.
+	// The resolved values are merged into spec.Config so that plan output and
+	// apply are always in sync.
 	for i := range specs {
-		if specs[i].Size == "" {
+		spec := &specs[i]
+		if spec.Size == "" || !isAbstractSize(spec.Size) {
 			continue
 		}
-		sizing, err := provider.ResolveSizing(specs[i].Type, specs[i].Size, specs[i].Hints)
+		sizing, err := provider.ResolveSizing(spec.Type, spec.Size, spec.Hints)
 		if err != nil {
-			return fmt.Errorf("%s/%s: resolve sizing: %w", specs[i].Type, specs[i].Name, err)
+			return fmt.Errorf("%s/%s: resolve sizing: %w", spec.Type, spec.Name, err)
 		}
 		if sizing != nil {
-			if specs[i].Config == nil {
-				specs[i].Config = map[string]any{}
+			if spec.Config == nil {
+				spec.Config = map[string]any{}
 			}
-			specs[i].Config["instance_type"] = sizing.InstanceType
+			spec.Config["instance_type"] = sizing.InstanceType
 			for k, v := range sizing.Specs {
-				specs[i].Config[k] = v
+				spec.Config[k] = v
 			}
 		}
 	}
@@ -294,3 +297,15 @@ func applyWithProviderAndStore(ctx context.Context, provider interfaces.IaCProvi
 	}
 	return nil
 }
+
+// isAbstractSize reports whether s is one of the canonical abstract size tiers
+// (xs/s/m/l/xl). Provider-specific slugs such as "db-s-1vcpu-1gb" return false
+// so that ResolveSizing is not called for already-concrete values.
+func isAbstractSize(s interfaces.Size) bool {
+	switch s {
+	case interfaces.SizeXS, interfaces.SizeS, interfaces.SizeM, interfaces.SizeL, interfaces.SizeXL:
+		return true
+	default:
+		return false
+	}
+}
