fix: resolve all golangci-lint and gofumpt issues

Author: nnemirovsky

.github/workflows/lint.yml

@@ -44,3 +44,15 @@ jobs:
             echo "Run 'gofumpt -w .' to fix."
             exit 1
           fi
+
+  openapi:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Lint OpenAPI spec
+        run: npx @redocly/cli lint api/openapi.yaml

.golangci.yml

@@ -0,0 +1,18 @@
+version: "2"
+
+linters:
+  enable:
+    - errcheck
+    - govet
+    - staticcheck
+    - unused
+    - ineffassign
+    - unparam
+    - revive
+    - errorlint
+    - recvcheck
+    - bodyclose
+
+formatters:
+  enable:
+    - gci

cmd/sluice/audit_test.go

@@ -87,7 +87,7 @@ func TestHandleAuditVerifyBroken(t *testing.T) {
 		t.Fatal(err)
 	}
 	tampered := strings.Replace(string(data), `"prev_hash":"`, `"prev_hash":"00`, 1)
-	if err := os.WriteFile(logPath, []byte(tampered), 0600); err != nil {
+	if err := os.WriteFile(logPath, []byte(tampered), 0o600); err != nil {
 		t.Fatal(err)
 	}
 

cmd/sluice/cert_test.go

@@ -108,7 +108,7 @@ func TestCertGeneratePermissions(t *testing.T) {
 		t.Fatalf("stat ca-key.pem: %v", err)
 	}
 	perm := info.Mode().Perm()
-	if perm != 0600 {
+	if perm != 0o600 {
 		t.Errorf("ca-key.pem permissions: %o, want 0600", perm)
 	}
 
@@ -119,7 +119,7 @@ func TestCertGeneratePermissions(t *testing.T) {
 		t.Fatalf("stat ca-cert.pem: %v", err)
 	}
 	perm = info.Mode().Perm()
-	if perm != 0644 {
+	if perm != 0o644 {
 		t.Errorf("ca-cert.pem permissions: %o, want 0644", perm)
 	}
 }

cmd/sluice/channel.go

@@ -11,7 +11,7 @@ import (
 
 func handleChannelCommand(args []string) error {
 	if len(args) == 0 {
-		return fmt.Errorf("usage: sluice channel [list|add|update|remove] ...")
+		return fmt.Errorf("usage: sluice channel [list|add|update|remove]")
 	}
 
 	switch args[0] {
@@ -24,7 +24,7 @@ func handleChannelCommand(args []string) error {
 	case "remove":
 		return handleChannelRemove(args[1:])
 	default:
-		return fmt.Errorf("unknown channel command: %s\nusage: sluice channel [list|add|update|remove] ...", args[0])
+		return fmt.Errorf("unknown channel command: %s, usage: sluice channel [list|add|update|remove]", args[0])
 	}
 }
 

cmd/sluice/cred.go

@@ -25,7 +25,7 @@ const credAddSourcePrefix = "cred-add:"
 
 func handleCredCommand(args []string) error {
 	if len(args) == 0 {
-		return fmt.Errorf("usage: sluice cred [add|list|remove] ...")
+		return fmt.Errorf("usage: sluice cred [add|list|remove]")
 	}
 
 	switch args[0] {
@@ -36,7 +36,7 @@ func handleCredCommand(args []string) error {
 	case "remove":
 		return handleCredRemove(args[1:])
 	default:
-		return fmt.Errorf("unknown cred command: %s\nusage: sluice cred [add|list|remove] ...", args[0])
+		return fmt.Errorf("unknown cred command: %s (usage: sluice cred [add|list|remove] ...)", args[0])
 	}
 }
 
@@ -85,9 +85,9 @@ func openVaultStore(dbPath string) (*vault.Store, error) {
 					}
 				}
 				if !hasAge {
-					return nil, fmt.Errorf("vault_providers is configured as %v without the age backend. "+
-						"CLI credential management only supports the age backend. "+
-						"Manage credentials through the configured providers' native tools.", cfg.VaultProviders)
+					return nil, fmt.Errorf("vault_providers is configured as %v without the age backend, "+
+						"CLI credential management only supports the age backend, "+
+						"manage credentials through the configured providers' native tools", cfg.VaultProviders)
 				}
 				if !ageFirst {
 					log.Printf("warning: vault_providers is %v. The age backend is not the "+
@@ -96,8 +96,8 @@ func openVaultStore(dbPath string) (*vault.Store, error) {
 				}
 			} else if cfg.VaultProvider != "" && cfg.VaultProvider != "age" {
 				// Single provider that is not age.
-				return nil, fmt.Errorf("vault provider is %q; CLI credential management only supports the age backend. "+
-					"Manage credentials through the %s provider's native tools.", cfg.VaultProvider, cfg.VaultProvider)
+				return nil, fmt.Errorf("vault provider is %q, CLI credential management only supports the age backend, "+
+					"manage credentials through the %s provider's native tools", cfg.VaultProvider, cfg.VaultProvider)
 			}
 		}
 	}

cmd/sluice/main.go

@@ -1,3 +1,4 @@
+// Package main implements the sluice CLI.
 package main
 
 import (
@@ -669,12 +670,12 @@ func readBindings(db *store.Store) ([]vault.Binding, error) {
 	bindings := make([]vault.Binding, len(rows))
 	for i, r := range rows {
 		bindings[i] = vault.Binding{
-			Destination:  r.Destination,
-			Ports:        r.Ports,
-			Credential:   r.Credential,
-			Header: r.Header,
-			Template:     r.Template,
-			Protocols:    r.Protocols,
+			Destination: r.Destination,
+			Ports:       r.Ports,
+			Credential:  r.Credential,
+			Header:      r.Header,
+			Template:    r.Template,
+			Protocols:   r.Protocols,
 		}
 	}
 	return bindings, nil

cmd/sluice/main_test.go

@@ -158,7 +158,7 @@ func TestDrainSignals(t *testing.T) {
 }
 
 // TestDrainSignalsEmpty verifies drainSignals is a no-op on empty channel.
-func TestDrainSignalsEmpty(t *testing.T) {
+func TestDrainSignalsEmpty(_ *testing.T) {
 	ch := make(chan os.Signal, 5)
 	drainSignals(ch) // should not block
 }
@@ -357,7 +357,7 @@ credential = "example_key"
 header = "Authorization"
 template = "Bearer {value}"
 `
-	if err := os.WriteFile(tomlPath, []byte(tomlData), 0644); err != nil {
+	if err := os.WriteFile(tomlPath, []byte(tomlData), 0o644); err != nil {
 		t.Fatal(err)
 	}
 
@@ -522,8 +522,8 @@ func TestReadVaultConfig(t *testing.T) {
 	vaddr := "https://vault.example.com:8200"
 	vmount := "secret"
 	_ = db.UpdateConfig(store.ConfigUpdate{
-		VaultProvider:      &vprov,
-		VaultHashicorpAddr: &vaddr,
+		VaultProvider:       &vprov,
+		VaultHashicorpAddr:  &vaddr,
 		VaultHashicorpMount: &vmount,
 	})
 
@@ -733,7 +733,7 @@ func TestIsDockerSocketAvailable(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer l.Close()
+	defer func() { _ = l.Close() }()
 
 	if !isDockerSocketAvailable(sockPath) {
 		t.Error("expected true for real Unix socket")
@@ -746,7 +746,7 @@ func TestIsDockerSocketAvailable(t *testing.T) {
 
 	// Regular file is not a socket.
 	regularPath := filepath.Join(dir, "file.txt")
-	if err := os.WriteFile(regularPath, []byte("hello"), 0644); err != nil {
+	if err := os.WriteFile(regularPath, []byte("hello"), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	if isDockerSocketAvailable(regularPath) {
@@ -765,7 +765,7 @@ func TestIsAppleCLIAvailable(t *testing.T) {
 }
 
 // TestIsTartCLIAvailable verifies the function returns without panicking.
-func TestIsTartCLIAvailable(t *testing.T) {
+func TestIsTartCLIAvailable(_ *testing.T) {
 	// Just verify the function doesn't panic. tart may or may not be installed.
 	_ = isTartCLIAvailable()
 }
@@ -835,13 +835,12 @@ func TestStandaloneModeStartup(t *testing.T) {
 	}
 }
 
-
 // TestBuildSelfBypass verifies the self-bypass address expansion.
 func TestBuildSelfBypass(t *testing.T) {
 	tests := []struct {
-		name      string
-		addr      string
-		want      []string
+		name string
+		addr string
+		want []string
 	}{
 		{
 			name: "specific IP",
@@ -1007,7 +1006,7 @@ ports = [443]
 credential = "seeded_key"
 header = "Authorization"
 `
-	if err := os.WriteFile(tomlPath, []byte(tomlData), 0644); err != nil {
+	if err := os.WriteFile(tomlPath, []byte(tomlData), 0o644); err != nil {
 		t.Fatal(err)
 	}
 
@@ -1141,7 +1140,7 @@ default = "deny"
 destination = "seeded.example.com"
 ports = [443]
 `
-	if err := os.WriteFile(tomlPath, []byte(tomlData), 0644); err != nil {
+	if err := os.WriteFile(tomlPath, []byte(tomlData), 0o644); err != nil {
 		t.Fatal(err)
 	}
 
@@ -1190,7 +1189,7 @@ func TestSeedStoreFromConfigMissing(t *testing.T) {
 func TestSeedStoreFromConfigMalformed(t *testing.T) {
 	dir := t.TempDir()
 	tomlPath := filepath.Join(dir, "bad.toml")
-	if err := os.WriteFile(tomlPath, []byte("not valid toml [[["), 0644); err != nil {
+	if err := os.WriteFile(tomlPath, []byte("not valid toml [[["), 0o644); err != nil {
 		t.Fatal(err)
 	}
 
@@ -1355,7 +1354,7 @@ func TestMacOSRuntimeSelectionRequiresExplicit(t *testing.T) {
 // shutdownMacOSVM accepts the expected parameter types (including nil router
 // and ownership boolean).
 var (
-	_ container.ContainerManager                                        = (*container.TartManager)(nil)
+	_ container.ContainerManager                                   = (*container.TartManager)(nil)
 	_ func(*container.TartManager, *container.NetworkRouter, bool) = shutdownMacOSVM
 )
 

cmd/sluice/mcp.go

@@ -427,7 +427,7 @@ func writeMCPServersJSON(phantomDir, sluiceURL string) {
 		return
 	}
 	path := filepath.Join(phantomDir, "mcp-servers.json")
-	if err := os.WriteFile(path, data, 0600); err != nil {
+	if err := os.WriteFile(path, data, 0o600); err != nil {
 		log.Printf("WARNING: failed to write %s: %v", path, err)
 	}
 }

cmd/sluice/mcp_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -557,7 +558,8 @@ func TestHandleMCPGatewayInvalidChatID(t *testing.T) {
 		"TEST_DB_PATH="+dbPath,
 	)
 	err = cmd.Run()
-	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+	var e *exec.ExitError
+	if errors.As(err, &e) && !e.Success() {
 		return
 	}
 	t.Fatal("expected non-zero exit code for invalid chat ID")
@@ -751,7 +753,7 @@ func TestWriteMCPServersJSONCustomURL(t *testing.T) {
 }
 
 // TestWriteMCPServersJSONInvalidDir verifies graceful handling of invalid dir.
-func TestWriteMCPServersJSONInvalidDir(t *testing.T) {
+func TestWriteMCPServersJSONInvalidDir(_ *testing.T) {
 	// Should not panic on unwritable path.
 	writeMCPServersJSON("/nonexistent/path/foo", "http://127.0.0.1:3000/mcp")
 }
@@ -805,7 +807,7 @@ default = "deny"
 destination = "api.example.com"
 ports = [443]
 name = "test rule"
-`), 0600); err != nil {
+`), 0o600); err != nil {
 		t.Fatal(err)
 	}