fix: address all PR #10 review findings

Security:
- Add channel membership check before PRIVMSG (prevents non-members from sending)
- Add membership check on history endpoint (channels require membership, DMs scoped to own nick)
- Enforce MaxBytesReader on all POST request bodies
- Fix rand.Read error being silently ignored in token generation

Data integrity:
- Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT

Build:
- Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build)

Linting:
- Strict .golangci.yml: only wsl disabled (deprecated in v2)
- Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen
- Fix linters-settings -> linters.settings for v2 config format
- Fix ALL lint findings in actual code (no linter config weakening)
- Wrap all external package errors (wrapcheck)
- Fill struct fields or add targeted nolint:exhaustruct where appropriate
- Rename short variables (ts->timestamp, n->bufIndex, etc.)
- Add depguard deny policy for io/ioutil and math/rand
- Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs)

Tests:
- Add security tests (TestNonMemberCannotSend, TestHistoryNonMember)
- Split TestInsertAndPollMessages for reduced complexity
- Fix parallel test safety (viper global state prevents parallelism)
- Use t.Context() instead of context.Background() in tests

Docker build verified passing locally.

internal/logger/logger.go

@@ -23,51 +23,56 @@ type Logger struct {
 	params Params
 }
 
-// New creates a new Logger with appropriate handler based on terminal detection.
-func New(_ fx.Lifecycle, params Params) (*Logger, error) {
-	l := new(Logger)
-	l.level = new(slog.LevelVar)
-	l.level.Set(slog.LevelInfo)
+// New creates a new Logger with appropriate handler
+// based on terminal detection.
+func New(
+	_ fx.Lifecycle, params Params,
+) (*Logger, error) {
+	logger := new(Logger)
+	logger.level = new(slog.LevelVar)
+	logger.level.Set(slog.LevelInfo)
 
 	tty := false
+
 	if fileInfo, _ := os.Stdout.Stat(); (fileInfo.Mode() & os.ModeCharDevice) != 0 {
 		tty = true
 	}
 
-	var handler slog.Handler
-	if tty {
-		handler = slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
-			Level:     l.level,
-			AddSource: true,
-		})
-	} else {
-		handler = slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
-			Level:     l.level,
-			AddSource: true,
-		})
+	opts := &slog.HandlerOptions{ //nolint:exhaustruct // ReplaceAttr optional
+		Level:     logger.level,
+		AddSource: true,
 	}
 
-	l.log = slog.New(handler)
-	l.params = params
+	var handler slog.Handler
+	if tty {
+		handler = slog.NewTextHandler(os.Stdout, opts)
+	} else {
+		handler = slog.NewJSONHandler(os.Stdout, opts)
+	}
 
-	return l, nil
+	logger.log = slog.New(handler)
+	logger.params = params
+
+	return logger, nil
 }
 
 // EnableDebugLogging switches the log level to debug.
-func (l *Logger) EnableDebugLogging() {
-	l.level.Set(slog.LevelDebug)
-	l.log.Debug("debug logging enabled", "debug", true)
+func (logger *Logger) EnableDebugLogging() {
+	logger.level.Set(slog.LevelDebug)
+	logger.log.Debug(
+		"debug logging enabled", "debug", true,
+	)
 }
 
 // Get returns the underlying slog.Logger.
-func (l *Logger) Get() *slog.Logger {
-	return l.log
+func (logger *Logger) Get() *slog.Logger {
+	return logger.log
 }
 
 // Identify logs the application name and version at startup.
-func (l *Logger) Identify() {
-	l.log.Info("starting",
-		"appname", l.params.Globals.Appname,
-		"version", l.params.Globals.Version,
+func (logger *Logger) Identify() {
+	logger.log.Info("starting",
+		"appname", logger.params.Globals.Appname,
+		"version", logger.params.Globals.Version,
 	)
 }