---
# golangci-lint configuration (v2 schema).
version: "2"

linters:
  # Linters switched on in addition to whatever the default set provides.
  enable:
    # Correctness / bug detection.
    - bodyclose
    - durationcheck
    - errorlint
    - gocritic
    - nilerr
    - sqlclosecheck
    # Security scanning.
    - gosec
    # Style and modernization.
    - misspell
    - modernize
    - unconvert
    - usestdlibvars
    # Structured-logging conventions.
    - sloglint
    # Dead assignments.
    - wastedassign

  settings:
    # NOTE(review): errcheck is configured here but not listed under `enable`;
    # presumably it is active through the default linter set. Confirm.
    errcheck:
      # These functions are exempt everywhere in the module, not only in the
      # shell code the comments below refer to.
      exclude-functions:
        # Terminal output written by the honeypot shell.
        - fmt.Fprint
        - fmt.Fprintf
        # Byte-level I/O in the shell's readLine (escape sequences, echo).
        - (io.ReadWriter).Read
        - (io.ReadWriter).Write
        - (io.ReadWriteCloser).Read
        - (io.ReadWriteCloser).Write
        - (io.Reader).Read
        - (io.Writer).Write

    gosec:
      # Rule IDs listed here are disabled for the whole project, so gosec
      # reports nothing for them in any package.
      excludes:
        # G304: file path taken from a variable. Accepted because the tool
        # reads files from configured paths.
        # NOTE(review): being global, this also silences G304 for any path that
        # does not come from configuration; a path-scoped exclusion rule or a
        # per-line `#nosec G304` with a reason would keep the check elsewhere.
        - G304
        # G404: math/rand instead of crypto/rand. Accepted for picking a shell.
        # NOTE(review): being global, a later use of a weak RNG for IDs, tokens
        # or keys would go unreported; consider `#nosec G404` at the one call
        # site instead.
        - G404

  exclusions:
    rules:
      # Unchecked Close(): ordinary resource cleanup.
      - linters:
          - errcheck
        text: "Error return value of .+\\.Close.+ is not checked"

      # Unchecked Rollback(): invoked on error paths just before returning.
      - linters:
          - errcheck
        text: "Error return value of .+\\.Rollback.+ is not checked"

      # Unchecked Reply/Reject on SSH requests: no useful recovery on failure.
      - linters:
          - errcheck
        text: "Error return value of .+\\.(Reply|Reject).+ is not checked"

      # Test files may leave errors unchecked.
      - linters:
          - errcheck
        path: "_test\\.go"

      # Test files: InsecureIgnoreHostKey, loose file permissions and unhandled
      # errors are expected there. This turns gosec off for every test file.
      - linters:
          - gosec
        path: "_test\\.go"

      # gosec G104 (unhandled error) on cleanup/protocol calls; mirrors the
      # errcheck exclusions above. Both `text` and `source` must match.
      - linters:
          - gosec
        text: "G104"
        source: "\\.(Close|Rollback|Reject|Reply|Read|Write)\\("

      # gosec G201 (SQL built with string formatting): the interpolated column
      # name comes from a fixed switch, not from user input.
      # NOTE(review): the rule covers every file under internal/storage/, so a
      # new formatted query added there would not be flagged either. A
      # `#nosec G201` comment on the single reviewed statement is narrower.
      - linters:
          - gosec
        text: "G201"
        path: "internal/storage/"