mcias/.golangci.yaml

# golangci-lint v2 configuration for a security-critical IAM system.
# Principle: fail loudly. Security and correctness issues are errors, not warnings.

version: "2"

run:
  timeout: 5m
  # Include test files so security rules apply to test helpers too.
  tests: true

linters:
  default: none
  enable:
    # --- Correctness ---
    # Unhandled errors are silent failures; in auth code they become vulnerabilities.
    - errcheck
    # go vet: catches printf-verb mismatches, unreachable code, suspicious constructs.
    - govet
    # Detects assignments whose result is never used; dead writes hide logic bugs.
    - ineffassign
    # Detects variables and functions that are never used.
    - unused

    # --- Error handling ---
    # Enforces proper error wrapping (errors.Is/As instead of == comparisons) and
    # prevents accidental discard of wrapped sentinel errors.
    - errorlint

    # --- Security ---
    # Primary security scanner: hardcoded secrets, weak RNG, insecure crypto
    # (MD5/SHA1/DES/RC4), SQL injection, insecure TLS, file permission issues, etc.
    - gosec
    # Deep static analysis: deprecated APIs, incorrect mutex use, unreachable code,
    # incorrect string conversions, simplification suggestions, and hundreds of other checks.
    # (gosimple was merged into staticcheck in golangci-lint v2)
    - staticcheck

    # --- Style / conventions (per CLAUDE.md) ---
    # Enforces Go naming conventions and selected style rules.
    - revive

  settings:
    errcheck:
      # Treat blank-identifier assignment of errors as a failure: `_ = riskyCall()`
      check-blank: true
      # Also check error returns from type assertions.
      check-type-assertions: true

    govet:
      # Enable all analyzers, including shadow (variable shadowing is dangerous in
      # auth code where an outer `err` may be silently clobbered).
      enable-all: true

    gosec:
      # Treat all gosec findings as errors, not warnings.
      severity: medium
      confidence: medium
      excludes:
        # G104 (errors unhandled) overlaps with errcheck; let errcheck own this.
        - G104

    errorlint:
      errorf: true
      asserts: true
      comparison: true

    revive:
      rules:
        # error-return and unexported-return are correctness/API-safety rules.
        - name: error-return
          severity: error
        - name: unexported-return
          severity: error
        # Style rules.
        - name: error-strings
          severity: warning
        - name: if-return
          severity: warning
        - name: increment-decrement
          severity: warning
        - name: var-naming
          severity: warning
        - name: range
          severity: warning
        - name: time-naming
          severity: warning
        - name: indent-error-flow
          severity: warning
        - name: early-return
          severity: warning
        # exported and package-comments are omitted: this is a personal project,
        # not a public library; godoc completeness is not a CI requirement.

formatters:
  enable:
    # Enforces gofmt formatting. Non-formatted code is a CI failure.
    - gofmt
    # Manages import grouping and formatting; catches stray debug imports.
    - goimports

issues:
  # Do not cap the number of reported issues; in security code every finding matters.
  max-issues-per-linter: 0
  max-same-issues: 0

  exclusions:
    paths:
      - vendor
    rules:
      # In test files, allow hardcoded test credentials (gosec G101) since they are
      # intentional fixtures, not production secrets.
      - path: "_test\\.go"
        linters:
          - gosec
        text: "G101"

      # G101: Event-type string constants (e.g. "pgcred_updated") and environment
      # variable name constants (e.g. "MCIAS_MASTER_PASSPHRASE") are not credentials.
      # gosec pattern-matches on substrings like "cred" and "pass", causing false positives.
      - linters:
          - gosec
        text: "G101"
        source: "(Event|PassphraseEnv)"