Fix gosec, govet, and errorlint linter errors

Co-authored-by: Junie <junie@jetbrains.com>

internal/seal/seal.go

@@ -50,18 +50,15 @@ var (
 
 // Manager manages the seal/unseal lifecycle.
 type Manager struct {
-	db      *sql.DB
-	barrier *barrier.AESGCMBarrier
-	logger  *slog.Logger
-
-	mu    sync.RWMutex
-	state ServiceState
-	mek   []byte // nil when sealed
-
-	// Rate limiting for unseal attempts.
-	unsealAttempts int
 	lastAttempt    time.Time
 	lockoutUntil   time.Time
+	db             *sql.DB
+	barrier        *barrier.AESGCMBarrier
+	logger         *slog.Logger
+	mek            []byte
+	state          ServiceState
+	unsealAttempts int
+	mu             sync.RWMutex
 }
 
 // NewManager creates a new seal manager.
@@ -205,10 +202,10 @@ func (m *Manager) Unseal(password []byte) error {
 
 	// Read seal config.
 	var (
-		encryptedMEK              []byte
-		salt                      []byte
-		argTime, argMem           uint32
-		argThreads                uint8
+		encryptedMEK    []byte
+		salt            []byte
+		argTime, argMem uint32
+		argThreads      uint8
 	)
 	err := m.db.QueryRow(`
 		SELECT encrypted_mek, kdf_salt, argon2_time, argon2_memory, argon2_threads
@@ -256,7 +253,7 @@ func (m *Manager) Seal() error {
 		crypto.Zeroize(m.mek)
 		m.mek = nil
 	}
-	m.barrier.Seal()
+	_ = m.barrier.Seal()
 	m.state = StateSealed
 	m.logger.Debug("service sealed")
 	return nil