Initial import.

.golangci.yaml

@@ -0,0 +1,124 @@
+# golangci-lint configuration for a security-critical IAM system.
+# Principle: fail loudly. Security and correctness issues are errors, not warnings.
+
+run:
+  timeout: 5m
+  # Include test files so security rules apply to test helpers too.
+  tests: true
+
+linters:
+  disable-all: true
+  enable:
+    # --- Correctness ---
+    # Unhandled errors are silent failures; in auth code they become vulnerabilities.
+    - errcheck
+    # go vet: catches printf-verb mismatches, unreachable code, suspicious constructs.
+    - govet
+    # Detects assignments whose result is never used; dead writes hide logic bugs.
+    - ineffassign
+    # Reports code that is never executed.
+    - deadcode
+    # Detects variables and functions that are never used.
+    - unused
+
+    # --- Error handling ---
+    # Enforces proper error wrapping (errors.Is/As instead of == comparisons) and
+    # prevents accidental discard of wrapped sentinel errors.
+    - errorlint
+    # Detects returning (nil, nil) from functions that return (value, error), which
+    # is almost always a logic error in auth flows.
+    - nilnil
+
+    # --- Security ---
+    # Primary security scanner: hardcoded secrets, weak RNG, insecure crypto
+    # (MD5/SHA1/DES/RC4), SQL injection, insecure TLS, file permission issues, etc.
+    - gosec
+    # Deep static analysis: deprecated APIs, incorrect mutex use, unreachable code,
+    # incorrect string conversions, and hundreds of other checks.
+    - staticcheck
+    # Detects integer overflow-prone conversions (e.g., int64 → int32) that can
+    # corrupt length or index calculations in crypto/auth code.
+    - gosimple
+
+    # --- Style / conventions (per CLAUDE.md) ---
+    # Enforces gofmt formatting. Non-formatted code is a CI failure.
+    - gofmt
+    # Manages import grouping and formatting; catches stray debug imports.
+    - goimports
+    # Enforces Go naming conventions and exported-symbol documentation.
+    - revive
+
+linters-settings:
+  errcheck:
+    # Treat blank-identifier assignment of errors as a failure: `_ = riskyCall()`
+    check-blank: true
+    # Also check error returns from type assertions.
+    check-type-assertions: true
+
+  govet:
+    # Enable all analyzers, including shadow (variable shadowing is dangerous in
+    # auth code where an outer `err` may be silently clobbered).
+    enable-all: true
+
+  gosec:
+    # Treat all gosec findings as errors, not warnings.
+    severity: medium
+    confidence: medium
+    excludes:
+      # G104 (errors unhandled) overlaps with errcheck; let errcheck own this.
+      - G104
+
+  errorlint:
+    errorf: true
+    asserts: true
+    comparison: true
+
+  gofmt:
+    simplify: true
+
+  revive:
+    rules:
+      - name: exported
+        severity: warning
+      - name: error-return
+        severity: error
+      - name: error-strings
+        severity: warning
+      - name: if-return
+        severity: warning
+      - name: increment-decrement
+        severity: warning
+      - name: var-naming
+        severity: warning
+      - name: package-comments
+        severity: warning
+      - name: range
+        severity: warning
+      - name: time-naming
+        severity: warning
+      - name: unexported-return
+        severity: error
+      - name: indent-error-flow
+        severity: warning
+      - name: early-return
+        severity: warning
+
+issues:
+  # Do not cap the number of reported issues; in security code every finding matters.
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+  # Exclude vendor and generated code only.
+  exclude-dirs:
+    - vendor
+  exclude-files:
+    - ".*\\.pb\\.go$"
+    - ".*_gen\\.go$"
+
+  exclude-rules:
+    # In test files, allow hardcoded test credentials (gosec G101) since they are
+    # intentional fixtures, not production secrets.
+    - path: "_test\\.go"
+      linters:
+        - gosec
+      text: "G101"