fix: address all PR #10 review findings

Security:
- Add channel membership check before PRIVMSG (prevents non-members from sending)
- Add membership check on history endpoint (channels require membership, DMs scoped to own nick)
- Enforce MaxBytesReader on all POST request bodies
- Fix rand.Read error being silently ignored in token generation

Data integrity:
- Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT

Build:
- Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build)

Linting:
- Strict .golangci.yml: only wsl disabled (deprecated in v2)
- Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen
- Fix linters-settings -> linters.settings for v2 config format
- Fix ALL lint findings in actual code (no linter config weakening)
- Wrap all external package errors (wrapcheck)
- Fill struct fields or add targeted nolint:exhaustruct where appropriate
- Rename short variables (ts->timestamp, n->bufIndex, etc.)
- Add depguard deny policy for io/ioutil and math/rand
- Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs)

Tests:
- Add security tests (TestNonMemberCannotSend, TestHistoryNonMember)
- Split TestInsertAndPollMessages for reduced complexity
- Fix parallel test safety (viper global state prevents parallelism)
- Use t.Context() instead of context.Background() in tests

Docker build verified passing locally.

internal/db/queries_test.go

@@ -12,19 +12,19 @@ import (
 func setupTestDB(t *testing.T) *db.Database {
 	t.Helper()
 
-	d, err := db.NewTestDatabase()
+	database, err := db.NewTestDatabase()
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	t.Cleanup(func() {
-		closeErr := d.Close()
+		closeErr := database.Close()
 		if closeErr != nil {
 			t.Logf("close db: %v", closeErr)
 		}
 	})
 
-	return d
+	return database
 }
 
 func TestCreateUser(t *testing.T) {
@@ -349,12 +349,30 @@ func TestSetTopic(t *testing.T) {
 	}
 }
 
-func insertTestMessage(
-	t *testing.T,
-	database *db.Database,
-) (int64, int64) {
-	t.Helper()
+func TestInsertMessage(t *testing.T) {
+	t.Parallel()
 
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	body := json.RawMessage(`["hello"]`)
+
+	dbID, msgUUID, err := database.InsertMessage(
+		ctx, "PRIVMSG", "poller", "#test", body, nil,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if dbID == 0 || msgUUID == "" {
+		t.Fatal("expected valid id and uuid")
+	}
+}
+
+func TestPollMessages(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
 	ctx := t.Context()
 
 	uid, _, err := database.CreateUser(ctx, "poller")
@@ -364,11 +382,11 @@ func insertTestMessage(
 
 	body := json.RawMessage(`["hello"]`)
 
-	dbID, msgUUID, err := database.InsertMessage(
+	dbID, _, err := database.InsertMessage(
 		ctx, "PRIVMSG", "poller", "#test", body, nil,
 	)
-	if err != nil || dbID == 0 || msgUUID == "" {
-		t.Fatal("insert failed")
+	if err != nil {
+		t.Fatal(err)
 	}
 
 	err = database.EnqueueMessage(ctx, uid, dbID)
@@ -376,19 +394,10 @@ func insertTestMessage(
 		t.Fatal(err)
 	}
 
-	return uid, dbID
-}
-
-func TestInsertAndPollMessages(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	uid, _ := insertTestMessage(t, database)
-
 	const batchSize = 10
 
 	msgs, lastQID, err := database.PollMessages(
-		t.Context(), uid, 0, batchSize,
+		ctx, uid, 0, batchSize,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -411,7 +420,7 @@ func TestInsertAndPollMessages(t *testing.T) {
 	}
 
 	msgs, _, _ = database.PollMessages(
-		t.Context(), uid, lastQID, batchSize,
+		ctx, uid, lastQID, batchSize,
 	)
 
 	if len(msgs) != 0 {