fix: Address golangci-lint errors (errcheck, gosec) (#76)

Apply PR #76 from dannomayernotabot:

- Add golangci exclusions for internal package false positives
- Tighten file permissions (0644 -> 0600) for sensitive files
- Add ReadHeaderTimeout to HTTP server (slowloris prevention)
- Explicit error ignoring with _ = for intentional cases
- Add //nolint comments with justifications
- Spelling: cancelled -> canceled (US locale)

Co-Authored-By: dannomayernotabot <noreply@github.com>

🤖 Generated with Claude Code

internal/deacon/heartbeat.go

@@ -55,7 +55,7 @@ func WriteHeartbeat(townRoot string, hb *Heartbeat) error {
 		return err
 	}
 
-	return os.WriteFile(hbFile, data, 0644)
+	return os.WriteFile(hbFile, data, 0600)
 }
 
 // ReadHeartbeat reads the Deacon heartbeat from disk.
@@ -63,7 +63,7 @@ func WriteHeartbeat(townRoot string, hb *Heartbeat) error {
 func ReadHeartbeat(townRoot string) *Heartbeat {
 	hbFile := HeartbeatFile(townRoot)
 
-	data, err := os.ReadFile(hbFile)
+	data, err := os.ReadFile(hbFile) //nolint:gosec // G304: path is constructed from trusted townRoot
 	if err != nil {
 		return nil
 	}

internal/deacon/stuck.go

@@ -73,7 +73,7 @@ func HealthCheckStateFile(townRoot string) string {
 func LoadHealthCheckState(townRoot string) (*HealthCheckState, error) {
 	stateFile := HealthCheckStateFile(townRoot)
 
-	data, err := os.ReadFile(stateFile)
+	data, err := os.ReadFile(stateFile) //nolint:gosec // G304: path is constructed from trusted townRoot
 	if err != nil {
 		if os.IsNotExist(err) {
 			// Return empty state
@@ -112,7 +112,7 @@ func SaveHealthCheckState(townRoot string, state *HealthCheckState) error {
 		return fmt.Errorf("marshaling health check state: %w", err)
 	}
 
-	return os.WriteFile(stateFile, data, 0644)
+	return os.WriteFile(stateFile, data, 0600)
 }
 
 // GetAgentState returns the health state for an agent, creating if needed.