version: "2"

run:
  timeout: 5m
  tests: true

linters:
  exclusions:
    paths:
      - vendor
    rules:
      # In test files, suppress gosec rules that are false positives:
      # G101: hardcoded test credentials
      # G304: file paths from variables (t.TempDir paths)
      # G306: WriteFile with 0644 (cert files need to be readable)
      # G404: weak RNG (not security-relevant in tests)
      - path: "_test\\.go"
        linters:
          - gosec
        text: "G101|G304|G306|G404"
      # Nil context is acceptable in tests for nil-receiver safety checks.
      - path: "_test\\.go"
        linters:
          - staticcheck
        text: "SA1012"
  default: none
  enable:
    - errcheck
    - govet
    - ineffassign
    - unused
    - errorlint
    - gosec
    - staticcheck
    - revive

  settings:
    errcheck:
      check-blank: false
      check-type-assertions: true

    govet:
      enable-all: true
      disable:
        - shadow
        - fieldalignment

    gosec:
      severity: medium
      confidence: medium
      excludes:
        - G104

    errorlint:
      errorf: true
      asserts: true
      comparison: true

    revive:
      rules:
        - name: error-return
          severity: error
        - name: unexported-return
          severity: error
        - name: error-strings
          severity: warning
        - name: if-return
          severity: warning
        - name: increment-decrement
          severity: warning
        - name: var-naming
          severity: warning
        - name: range
          severity: warning
        - name: time-naming
          severity: warning
        - name: indent-error-flow
          severity: warning
        - name: early-return
          severity: warning

formatters:
  enable:
    - gofmt
    - goimports

issues:
  max-issues-per-linter: 0
  max-same-issues: 0