fix: Address golangci-lint errors (errcheck, gosec) (#76)

Apply PR #76 from dannomayernotabot: - Add golangci exclusions for internal package false positives - Tighten file permissions (0644 -> 0600) for sensitive files - Add ReadHeaderTimeout to HTTP server (slowloris prevention) - Explicit error ignoring with _ = for intentional cases - Add //nolint comments with justifications - Spelling: cancelled -> canceled (US locale) Co-Authored-By: dannomayernotabot <noreply@github.com> 🤖 Generated with Claude Code
2026-01-03 16:11:40 -08:00
parent 62848065e3
commit 1b69576573
82 changed files with 325 additions and 355 deletions
--- a/internal/doctor/bd_daemon_check.go
+++ b/internal/doctor/bd_daemon_check.go
@@ -44,7 +44,7 @@ func (c *BdDaemonCheck) Run(ctx *CheckContext) *CheckResult {
 		healthCmd.Dir = ctx.TownRoot
 		var healthOut bytes.Buffer
 		healthCmd.Stdout = &healthOut
-		healthCmd.Run() // Ignore error, health check is optional
+		_ = healthCmd.Run() // Ignore error, health check is optional

 		healthOutput := healthOut.String()
 		if strings.Contains(healthOutput, "HEALTHY") {
--- a/internal/doctor/hook_check.go
+++ b/internal/doctor/hook_check.go
@@ -80,7 +80,7 @@ func (c *HookAttachmentValidCheck) Run(ctx *CheckContext) *CheckResult {
 }

 // checkBeadsDir checks all pinned beads in a directory for invalid attachments.
-func (c *HookAttachmentValidCheck) checkBeadsDir(beadsDir, location string) []invalidAttachment {
+func (c *HookAttachmentValidCheck) checkBeadsDir(beadsDir, _ string) []invalidAttachment { // location unused but kept for future diagnostic output
 	var invalid []invalidAttachment

 	b := beads.New(filepath.Dir(beadsDir))
--- a/internal/doctor/lifecycle_check.go
+++ b/internal/doctor/lifecycle_check.go
@@ -227,8 +227,8 @@ func (c *LifecycleHygieneCheck) findStateFiles(townRoot string) []stateFileInfo
 }

 // isSessionHealthy checks if the tmux session for this identity exists and is running.
-func (c *LifecycleHygieneCheck) isSessionHealthy(identity, townRoot string) bool {
-	sessionName := identityToSessionName(identity, townRoot)
+func (c *LifecycleHygieneCheck) isSessionHealthy(identity, _ string) bool {
+	sessionName := identityToSessionName(identity)
 	if sessionName == "" {
 		return false
 	}
@@ -239,7 +239,7 @@ func (c *LifecycleHygieneCheck) isSessionHealthy(identity, townRoot string) bool
 }

 // identityToSessionName converts an identity to its tmux session name.
-func identityToSessionName(identity, townRoot string) string {
+func identityToSessionName(identity string) string {
 	switch identity {
 	case "mayor":
 		return session.MayorSessionName()
@@ -259,7 +259,7 @@ func (c *LifecycleHygieneCheck) Fix(ctx *CheckContext) error {

 	// Delete stale lifecycle messages
 	for _, msg := range c.staleMessages {
-		cmd := exec.Command("gt", "mail", "delete", msg.ID)
+		cmd := exec.Command("gt", "mail", "delete", msg.ID) //nolint:gosec // G204: msg.ID is from internal state, not user input
 		cmd.Dir = ctx.TownRoot
 		if err := cmd.Run(); err != nil {
 			errors = append(errors, fmt.Sprintf("failed to delete message %s: %v", msg.ID, err))
--- a/internal/doctor/orphan_check.go
+++ b/internal/doctor/orphan_check.go
@@ -400,7 +400,7 @@ func (c *OrphanProcessCheck) hasCrewAncestor(pid int, crewPanePIDs map[int]bool)
 		}

 		// Get parent PID
-		out, err := exec.Command("ps", "-p", fmt.Sprintf("%d", currentPID), "-o", "ppid=").Output()
+		out, err := exec.Command("ps", "-p", fmt.Sprintf("%d", currentPID), "-o", "ppid=").Output() //nolint:gosec // G204: PID is numeric from internal state
 		if err != nil {
 			break
 		}
@@ -422,7 +422,7 @@ type processInfo struct {
 }

 // getTmuxSessionPIDs returns PIDs of all tmux server processes and pane shell PIDs.
-func (c *OrphanProcessCheck) getTmuxSessionPIDs() (map[int]bool, error) {
+func (c *OrphanProcessCheck) getTmuxSessionPIDs() (map[int]bool, error) { //nolint:unparam // error return kept for future use
 	// Get tmux server PID and all pane PIDs
 	pids := make(map[int]bool)

@@ -534,7 +534,7 @@ func (c *OrphanProcessCheck) isOrphanProcess(proc processInfo, tmuxPIDs map[int]
 		}

 		// Get parent's parent
-		out, err := exec.Command("ps", "-p", fmt.Sprintf("%d", currentPPID), "-o", "ppid=").Output()
+		out, err := exec.Command("ps", "-p", fmt.Sprintf("%d", currentPPID), "-o", "ppid=").Output() //nolint:gosec // G204: PID is numeric from internal state
 		if err != nil {
 			break
 		}
--- a/internal/doctor/patrol_check.go
+++ b/internal/doctor/patrol_check.go
@@ -115,7 +115,7 @@ func (c *PatrolMoleculesExistCheck) Fix(ctx *CheckContext) error {
 		rigPath := filepath.Join(ctx.TownRoot, rigName)
 		for _, mol := range missing {
 			desc := getPatrolMoleculeDesc(mol)
-			cmd := exec.Command("bd", "create",
+			cmd := exec.Command("bd", "create", //nolint:gosec // G204: args are constructed internally
 				"--type=molecule",
 				"--title="+mol,
 				"--description="+desc,
--- a/internal/doctor/rig_check.go
+++ b/internal/doctor/rig_check.go
@@ -162,7 +162,7 @@ func (c *GitExcludeConfiguredCheck) Run(ctx *CheckContext) *CheckResult {
 				existing[line] = true
 			}
 		}
-		file.Close()
+		_ = file.Close() //nolint:gosec // G104: best-effort close
 	}

 	// Check for missing entries
@@ -203,7 +203,7 @@ func (c *GitExcludeConfiguredCheck) Fix(ctx *CheckContext) error {
 	}

 	// Append missing entries
-	f, err := os.OpenFile(c.excludePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	f, err := os.OpenFile(c.excludePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to open exclude file: %w", err)
 	}