chore: add golangci-lint config and fix all lint issues

Enable 15 additional linters (gosec, errorlint, gocritic, modernize, misspell, bodyclose, sqlclosecheck, nilerr, unconvert, durationcheck, sloglint, wastedassign, usestdlibvars) with sensible exclusion rules. Fix all findings: errors.Is for error comparisons, run() pattern in main to avoid exitAfterDefer, ReadHeaderTimeout for Slowloris protection, bounds check in escape sequence reader, WaitGroup.Go, slices.Contains, range-over-int loops, and http.MethodGet constants. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 21:43:49 +01:00
parent 0ad6f4cb6a
commit d4380c0aea
10 changed files with 134 additions and 62 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,79 @@
+version: "2"
+
+linters:
+  enable:
+    # Bug detectors.
+    - bodyclose
+    - durationcheck
+    - errorlint
+    - gocritic
+    - nilerr
+    - sqlclosecheck
+
+    # Security.
+    - gosec
+
+    # Style and modernization.
+    - misspell
+    - modernize
+    - unconvert
+    - usestdlibvars
+
+    # Logging.
+    - sloglint
+
+    # Dead code.
+    - wastedassign
+
+  settings:
+    errcheck:
+      exclude-functions:
+        # Terminal I/O writes (honeypot shell output).
+        - fmt.Fprint
+        - fmt.Fprintf
+        # Low-level byte I/O in shell readLine (escape sequences, echo).
+        - (io.ReadWriter).Read
+        - (io.ReadWriter).Write
+        - (io.ReadWriteCloser).Read
+        - (io.ReadWriteCloser).Write
+        - (io.Reader).Read
+        - (io.Writer).Write
+
+    gosec:
+      excludes:
+        # File reads from config paths — expected in a CLI tool.
+        - G304
+        # Weak RNG for shell selection — crypto/rand not needed.
+        - G404
+
+  exclusions:
+    rules:
+      # Ignore unchecked Close() — standard resource cleanup.
+      - linters: [errcheck]
+        text: "Error return value of .+\\.Close.+ is not checked"
+
+      # Ignore unchecked Rollback() — called in error paths before returning.
+      - linters: [errcheck]
+        text: "Error return value of .+\\.Rollback.+ is not checked"
+
+      # Ignore unchecked Reply/Reject — SSH protocol; nothing useful on failure.
+      - linters: [errcheck]
+        text: "Error return value of .+\\.(Reply|Reject).+ is not checked"
+
+      # Test files: allow unchecked errors.
+      - linters: [errcheck]
+        path: "_test\\.go"
+
+      # Test files: InsecureIgnoreHostKey, file permissions, unhandled errors are expected.
+      - linters: [gosec]
+        path: "_test\\.go"
+
+      # Unhandled errors for cleanup/protocol ops — mirrors errcheck exclusions.
+      - linters: [gosec]
+        text: "G104"
+        source: "\\.(Close|Rollback|Reject|Reply|Read|Write)\\("
+
+      # SQL with safe column interpolation from a fixed switch — not user input.
+      - linters: [gosec]
+        text: "G201"
+        path: "internal/storage/"