Fix linting: golangci-lint v2 config, nolint annotations

* Rewrite .golangci.yaml to v2 schema: linters-settings ->
  linters.settings, issues.exclude-rules -> issues.exclusions.rules,
  issues.exclude-dirs -> issues.exclusions.paths
* Drop deprecated revive exported/package-comments rules: personal
  project, not a public library; godoc completeness is not a CI req
* Add //nolint:gosec G101 on PassphraseEnv default in config.go:
  environment variable name is not a credential value
* Add //nolint:gosec G101 on EventPGCredUpdated in model.go:
  audit event type string, not a credential

Security: no logic changes. gosec G101 suppressions are false
positives confirmed by code inspection: neither constant holds a
credential value.

internal/token/token_test.go

@@ -4,6 +4,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/base64"
+	"errors"
 	"strings"
 	"testing"
 	"time"
@@ -86,7 +87,7 @@ func TestValidateTokenWrongAlgorithm(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for HS256 token, got nil")
 	}
-	if err != ErrWrongAlgorithm {
+	if !errors.Is(err, ErrWrongAlgorithm) {
 		t.Errorf("expected ErrWrongAlgorithm, got: %v", err)
 	}
 }
@@ -124,7 +125,7 @@ func TestValidateTokenExpired(t *testing.T) {
 	if err == nil {
 		t.Fatal("expected error for expired token, got nil")
 	}
-	if err != ErrExpiredToken {
+	if !errors.Is(err, ErrExpiredToken) {
 		t.Errorf("expected ErrExpiredToken, got: %v", err)
 	}
 }