fix: Address golangci-lint errors (errcheck, gosec) (#76)

Apply PR #76 from dannomayernotabot:

- Add golangci exclusions for internal package false positives
- Tighten file permissions (0644 -> 0600) for sensitive files
- Add ReadHeaderTimeout to HTTP server (slowloris prevention)
- Explicit error ignoring with _ = for intentional cases
- Add //nolint comments with justifications
- Spelling: cancelled -> canceled (US locale)

Co-Authored-By: dannomayernotabot <noreply@github.com>

🤖 Generated with Claude Code

internal/swarm/landing.go

@@ -195,7 +195,7 @@ func (m *Manager) gitRunOutput(dir string, args ...string) (string, error) {
 }
 
 // notifyMayorCodeAtRisk sends an alert to Mayor about code at risk.
-func (m *Manager) notifyMayorCodeAtRisk(townRoot, swarmID string, workers []string) {
+func (m *Manager) notifyMayorCodeAtRisk(_, swarmID string, workers []string) { // townRoot unused: router uses gitDir
 	router := mail.NewRouter(m.gitDir)
 	msg := &mail.Message{
 		From: fmt.Sprintf("%s/refinery", m.rig.Name),
@@ -214,7 +214,7 @@ Manual intervention required.`,
 }
 
 // notifyMayorLanded sends a landing report to Mayor.
-func (m *Manager) notifyMayorLanded(townRoot string, swarm *Swarm, result *LandingResult) {
+func (m *Manager) notifyMayorLanded(_ string, swarm *Swarm, result *LandingResult) { // townRoot unused: router uses gitDir
 	router := mail.NewRouter(m.gitDir)
 	msg := &mail.Message{
 		From: fmt.Sprintf("%s/refinery", m.rig.Name),

internal/swarm/manager.go

@@ -190,12 +190,12 @@ func (m *Manager) IsComplete(swarmID string) (bool, error) {
 // isValidTransition checks if a state transition is allowed.
 func isValidTransition(from, to SwarmState) bool {
 	transitions := map[SwarmState][]SwarmState{
-		SwarmCreated:   {SwarmActive, SwarmCancelled},
-		SwarmActive:    {SwarmMerging, SwarmFailed, SwarmCancelled},
-		SwarmMerging:   {SwarmLanded, SwarmFailed, SwarmCancelled},
-		SwarmLanded:    {}, // Terminal
-		SwarmFailed:    {}, // Terminal
-		SwarmCancelled: {}, // Terminal
+		SwarmCreated:  {SwarmActive, SwarmCanceled},
+		SwarmActive:   {SwarmMerging, SwarmFailed, SwarmCanceled},
+		SwarmMerging:  {SwarmLanded, SwarmFailed, SwarmCanceled},
+		SwarmLanded:   {}, // Terminal
+		SwarmFailed:   {}, // Terminal
+		SwarmCanceled: {}, // Terminal
 	}
 
 	allowed, ok := transitions[from]

internal/swarm/types.go

@@ -22,13 +22,13 @@ const (
 	// SwarmFailed means the swarm failed and cannot be recovered.
 	SwarmFailed SwarmState = "failed"
 
-	// SwarmCancelled means the swarm was explicitly cancelled.
-	SwarmCancelled SwarmState = "cancelled"
+	// SwarmCanceled means the swarm was explicitly canceled.
+	SwarmCanceled SwarmState = "canceled"
 )
 
 // IsTerminal returns true if the swarm is in a terminal state.
 func (s SwarmState) IsTerminal() bool {
-	return s == SwarmLanded || s == SwarmFailed || s == SwarmCancelled
+	return s == SwarmLanded || s == SwarmFailed || s == SwarmCanceled
 }
 
 // IsActive returns true if the swarm is actively running.

internal/swarm/types_test.go

@@ -15,7 +15,7 @@ func TestSwarmStateIsTerminal(t *testing.T) {
 		{SwarmMerging, false},
 		{SwarmLanded, true},
 		{SwarmFailed, true},
-		{SwarmCancelled, true},
+		{SwarmCanceled, true},
 	}
 
 	for _, tt := range tests {
@@ -35,7 +35,7 @@ func TestSwarmStateIsActive(t *testing.T) {
 		{SwarmMerging, true},
 		{SwarmLanded, false},
 		{SwarmFailed, false},
-		{SwarmCancelled, false},
+		{SwarmCanceled, false},
 	}
 
 	for _, tt := range tests {