Add exhaustive switch vetting and enforce it across the tree

[evanphx]

Summary

Enables the exhaustive analyzer (bundled in golangci-lint) and makes every enum switch in the tree satisfy it, so adding a new enum member forces a compile-time decision at each relevant switch instead of silently slipping through a default.

What changed

• Lint config: enable the exhaustive linter in .golangci.yml with default-signifies-exhaustive: false (a bare default: does not by itself make a switch exhaustive). It honors //exhaustive:ignore directives.
• Enforcement (38 switches): each switch now enumerates all enum members explicitly. Where the missing members should behave exactly like the existing default, they're grouped into a case that fallthroughs into the default — so runtime behavior is unchanged, but the cases are now documented and checked. Each added case carries a short comment explaining why those members share that path (terminal / transient / unexpected / etc.).

Intentional exceptions

//exhaustive:ignore is kept only on switches over large external/stdlib enums where listing every arm is impractical, with the rationale inline:

Type	Members	Location
syscall.Errno	~130	servers/httpingress/httpingress.go
tea.KeyType	~90	pkg/ui/prompt.go, cli/commands/deploy_ui.go
reflect.Kind	~27	pkg/entity/reader.go, controllers/deployment/specs_match_test.go

Coverage note

golangci-lint's path exclusions are global, so the already lint-exempt paths (lsvd/, disk/, dataset/, pkg/cel, pkg/containerdx, *.gen.go) are not exhaustive-checked. The switches in those paths (3 in lsvd/) were still made exhaustive in this PR; they're just not re-enforced going forward.

Verification

• golangci-lint run ./... — no issues (exhaustive active; confirmed it flags a removed case)
• go build ./... and affected test packages compile

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request enables the exhaustive linter and makes switch statements explicit across the codebase. It adds explicit case branches, fallthroughs, and selective //exhaustive:ignore comments for many high-cardinality enums; updates disk/mount/volume reconciliation paths, sandbox lifecycle and health checks, watch/event conversion, authorization routing, saga terminal handling, value parsing/formatting, builder defaults, tests, and logging. No public APIs or behavioral changes were introduced; existing control flow and default behaviors are preserved.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[phinze]

Yay, one step closer to Rust ;) We checked the few no-op cases (SetPortStatus x2, lsvd FlushNo) and they're all safe.

One ask before merging: can we wire it through golangci-lint (already in the lint job, bundles the same exhaustive analyzer) instead of a standalone go vet step? We'd get the shared single load, parallelism, and caching for free, and drop the vet target, CI step, and go.mod/go.sum churn. With golangci-lint already pinned, the bundled version is just as deterministic.

Only difference: golangci-lint still excludes a few dirs (lsvd/, disk/, etc.), so those won't be covered. Fine to punt, whether those should be linted at all is a separate cleanup TODO.

[evanphx]

Sure, let me give it a look.

[coderabbitai]

🧹 Nitpick comments (1)

go.mod (1)

93-93: Go mod: gjson v1.18.0 looks safe; optionally bump for currency

github.com/tidwall/gjson v1.18.0 (now a direct dependency) has no known security vulnerabilities reported specifically for that version. Latest upstream release is v1.19.1 (May 2026), so updating is recommended for staying current, not for security remediation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 93, The go.mod currently pins github.com/tidwall/gjson at
v1.18.0; update the dependency to a newer release (e.g., v1.19.1) by editing the
module line for github.com/tidwall/gjson in go.mod, run go get
github.com/tidwall/gjson@v1.19.1 (or go get -u github.com/tidwall/gjson) to
update go.sum and tidy the module, and then run go mod tidy and go test to
ensure nothing breaks; target symbols: the dependency entry
"github.com/tidwall/gjson" in go.mod and the overall module's go.mod/go.sum
maintenance commands.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@go.mod`:
- Line 93: The go.mod currently pins github.com/tidwall/gjson at v1.18.0; update
the dependency to a newer release (e.g., v1.19.1) by editing the module line for
github.com/tidwall/gjson in go.mod, run go get github.com/tidwall/gjson@v1.19.1
(or go get -u github.com/tidwall/gjson) to update go.sum and tidy the module,
and then run go mod tidy and go test to ensure nothing breaks; target symbols:
the dependency entry "github.com/tidwall/gjson" in go.mod and the overall
module's go.mod/go.sum maintenance commands.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 479c618a-a96d-4217-ae67-aea51a26863b

📥 Commits

Reviewing files that changed from the base of the PR and between 1312315 and e0e1564.

📒 Files selected for processing (2)

• .golangci.yml
• go.mod

✅ Files skipped from review due to trivial changes (1)

• .golangci.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@components/ipalloc/ipalloc.go`:
- Around line 189-190: The EventDeleted branch currently no-ops, which leaks
reservations in the allocations map; update the indexwatch.EventDeleted case to
release any reserved IPs for the deleted service by looking up the entry in
allocations (use the service key/ID used elsewhere in this file), call the
existing release function (e.g., releaseIP, ReleaseReservedIP or whatever the
file provides for freeing an allocation) or if none exists implement the reverse
of the allocation path to return the IP to the pool, and then remove the entry
from allocations so the subnet capacity is reclaimed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1ca0879d-2d5f-478e-b5c6-222295e60b33

📥 Commits

Reviewing files that changed from the base of the PR and between 928cd9b and 79c370e.

📒 Files selected for processing (7)

• components/ipalloc/ipalloc.go
• controllers/sandbox/log.go
• controllers/sandbox/sandbox.go
• pkg/controller/controller.go
• pkg/entity/indexwatch/watcher.go
• servers/httpingress/httpingress.go
• servers/runner/registration_test.go

✅ Files skipped from review due to trivial changes (4)

• servers/httpingress/httpingress.go
• controllers/sandbox/log.go
• pkg/controller/controller.go
• servers/runner/registration_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• controllers/sandbox/sandbox.go