Fix linting: golangci-lint v2 config, nolint annotations

* Rewrite .golangci.yaml to v2 schema: linters-settings ->
  linters.settings, issues.exclude-rules -> issues.exclusions.rules,
  issues.exclude-dirs -> issues.exclusions.paths
* Drop deprecated revive exported/package-comments rules: personal
  project, not a public library; godoc completeness is not a CI req
* Add //nolint:gosec G101 on PassphraseEnv default in config.go:
  environment variable name is not a credential value
* Add //nolint:gosec G101 on EventPGCredUpdated in model.go:
  audit event type string, not a credential

Security: no logic changes. gosec G101 suppressions are false
positives confirmed by code inspection: neither constant holds a
credential value.
2026-03-11 12:53:25 -07:00
parent 9ef913c59b
commit 14083b82b4
21 changed files with 760 additions and 130 deletions


@@ -110,7 +110,7 @@ func VerifyPassword(password, phcHash string) (bool, error) {
params.Time,
params.Memory,
params.Threads,
uint32(len(expectedHash)),
uint32(len(expectedHash)), //nolint:gosec // G115: hash buffer length is always small and fits uint32
)
// Security: constant-time comparison prevents timing side-channels.
@@ -149,7 +149,7 @@ func parsePHC(phc string) (ArgonParams, []byte, []byte, error) {
case "t":
params.Time = uint32(n)
case "p":
params.Threads = uint8(n)
params.Threads = uint8(n) //nolint:gosec // G115: thread count is validated to be <= 255 by config
}
}
@@ -185,7 +185,7 @@ func ValidateTOTP(secret []byte, code string) (bool, error) {
now / step,
now/step + 1,
} {
expected, err := hotp(secret, uint64(counter))
expected, err := hotp(secret, uint64(counter)) //nolint:gosec // G115: counter is Unix time / step, always non-negative
if err != nil {
return false, fmt.Errorf("auth: compute TOTP: %w", err)
}
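Review bot: The G115 justification on `params.Threads = uint8(n)` in the parsePHC hunk says the thread count is validated by config, but parsePHC takes `n` from the PHC string it is handed, and no bounds check on `n` is visible in this hunk. If that string comes from a stored hash record rather than from config, a `p` value above 255 would be truncated silently (256 becomes 0), and VerifyPassword would then derive the key with parameters that differ from the recorded ones. I would check the range before the cast, `if n < 1 || n > 255 { return ArgonParams{}, nil, nil, fmt.Errorf("auth: PHC parallelism %d out of range", n) }`, and reword the suppression to name that check. The same question applies to the unannotated `params.Time = uint32(n)` above it; parsePHC's body starts and ends outside the hunk, so an earlier check may already exist. The commit message's security note also covers only the G101 suppressions, not the G115 ones added here.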