fix: address all PR #10 review findings

Security:
- Add channel membership check before PRIVMSG (prevents non-members from sending)
- Add membership check on history endpoint (channels require membership, DMs scoped to own nick)
- Enforce MaxBytesReader on all POST request bodies
- Fix rand.Read error being silently ignored in token generation

Data integrity:
- Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT

Build:
- Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build)

Linting:
- Strict .golangci.yml: only wsl disabled (deprecated in v2)
- Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen
- Fix linters-settings -> linters.settings for v2 config format
- Fix ALL lint findings in actual code (no linter config weakening)
- Wrap all external package errors (wrapcheck)
- Fill struct fields or add targeted nolint:exhaustruct where appropriate
- Rename short variables (ts->timestamp, n->bufIndex, etc.)
- Add depguard deny policy for io/ioutil and math/rand
- Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs)

Tests:
- Add security tests (TestNonMemberCannotSend, TestHistoryNonMember)
- Split TestInsertAndPollMessages for reduced complexity
- Fix parallel test safety (viper global state prevents parallelism)
- Use t.Context() instead of context.Background() in tests

Docker build verified passing locally.

internal/server/routes.go

@@ -17,67 +17,94 @@ import (
 const routeTimeout = 60 * time.Second
 
 // SetupRoutes configures the HTTP routes and middleware.
-func (s *Server) SetupRoutes() {
-	s.router = chi.NewRouter()
+func (srv *Server) SetupRoutes() {
+	srv.router = chi.NewRouter()
 
-	s.router.Use(middleware.Recoverer)
-	s.router.Use(middleware.RequestID)
-	s.router.Use(s.mw.Logging())
+	srv.router.Use(middleware.Recoverer)
+	srv.router.Use(middleware.RequestID)
+	srv.router.Use(srv.mw.Logging())
 
 	if viper.GetString("METRICS_USERNAME") != "" {
-		s.router.Use(s.mw.Metrics())
+		srv.router.Use(srv.mw.Metrics())
 	}
 
-	s.router.Use(s.mw.CORS())
-	s.router.Use(middleware.Timeout(routeTimeout))
+	srv.router.Use(srv.mw.CORS())
+	srv.router.Use(middleware.Timeout(routeTimeout))
 
-	if s.sentryEnabled {
-		sentryHandler := sentryhttp.New(sentryhttp.Options{
-			Repanic: true,
-		})
-		s.router.Use(sentryHandler.Handle)
+	if srv.sentryEnabled {
+		sentryHandler := sentryhttp.New(
+			sentryhttp.Options{ //nolint:exhaustruct // optional fields
+				Repanic: true,
+			},
+		)
+
+		srv.router.Use(sentryHandler.Handle)
 	}
 
-	// Health check
-	s.router.Get(
+	// Health check.
+	srv.router.Get(
 		"/.well-known/healthcheck.json",
-		s.h.HandleHealthCheck(),
+		srv.handlers.HandleHealthCheck(),
 	)
 
-	// Protected metrics endpoint
+	// Protected metrics endpoint.
 	if viper.GetString("METRICS_USERNAME") != "" {
-		s.router.Group(func(r chi.Router) {
-			r.Use(s.mw.MetricsAuth())
-			r.Get("/metrics",
+		srv.router.Group(func(router chi.Router) {
+			router.Use(srv.mw.MetricsAuth())
+			router.Get("/metrics",
 				http.HandlerFunc(
 					promhttp.Handler().ServeHTTP,
 				))
 		})
 	}
 
-	// API v1
-	s.router.Route("/api/v1", func(r chi.Router) {
-		r.Get("/server", s.h.HandleServerInfo())
-		r.Post("/session", s.h.HandleCreateSession())
-		r.Get("/state", s.h.HandleState())
-		r.Get("/messages", s.h.HandleGetMessages())
-		r.Post("/messages", s.h.HandleSendCommand())
-		r.Get("/history", s.h.HandleGetHistory())
-		r.Get("/channels", s.h.HandleListAllChannels())
-		r.Get(
-			"/channels/{channel}/members",
-			s.h.HandleChannelMembers(),
-		)
-	})
+	// API v1.
+	srv.router.Route(
+		"/api/v1",
+		func(router chi.Router) {
+			router.Get(
+				"/server",
+				srv.handlers.HandleServerInfo(),
+			)
+			router.Post(
+				"/session",
+				srv.handlers.HandleCreateSession(),
+			)
+			router.Get(
+				"/state",
+				srv.handlers.HandleState(),
+			)
+			router.Get(
+				"/messages",
+				srv.handlers.HandleGetMessages(),
+			)
+			router.Post(
+				"/messages",
+				srv.handlers.HandleSendCommand(),
+			)
+			router.Get(
+				"/history",
+				srv.handlers.HandleGetHistory(),
+			)
+			router.Get(
+				"/channels",
+				srv.handlers.HandleListAllChannels(),
+			)
+			router.Get(
+				"/channels/{channel}/members",
+				srv.handlers.HandleChannelMembers(),
+			)
+		},
+	)
 
-	// Serve embedded SPA
-	s.setupSPA()
+	// Serve embedded SPA.
+	srv.setupSPA()
 }
 
-func (s *Server) setupSPA() {
+func (srv *Server) setupSPA() {
 	distFS, err := fs.Sub(web.Dist, "dist")
 	if err != nil {
-		s.log.Error(
+		srv.log.Error(
 			"failed to get web dist filesystem",
 			"error", err,
 		)
@@ -87,38 +114,40 @@ func (s *Server) setupSPA() {
 
 	fileServer := http.FileServer(http.FS(distFS))
 
-	s.router.Get("/*", func(
-		w http.ResponseWriter,
-		r *http.Request,
+	srv.router.Get("/*", func(
+		writer http.ResponseWriter,
+		request *http.Request,
 	) {
 		readFS, ok := distFS.(fs.ReadFileFS)
 		if !ok {
-			fileServer.ServeHTTP(w, r)
+			fileServer.ServeHTTP(writer, request)
 
 			return
 		}
 
-		f, readErr := readFS.ReadFile(r.URL.Path[1:])
-		if readErr != nil || len(f) == 0 {
+		fileData, readErr := readFS.ReadFile(
+			request.URL.Path[1:],
+		)
+		if readErr != nil || len(fileData) == 0 {
 			indexHTML, indexErr := readFS.ReadFile(
 				"index.html",
 			)
 			if indexErr != nil {
-				http.NotFound(w, r)
+				http.NotFound(writer, request)
 
 				return
 			}
 
-			w.Header().Set(
+			writer.Header().Set(
 				"Content-Type",
 				"text/html; charset=utf-8",
 			)
-			w.WriteHeader(http.StatusOK)
-			_, _ = w.Write(indexHTML)
+			writer.WriteHeader(http.StatusOK)
+			_, _ = writer.Write(indexHTML)
 
 			return
 		}
 
-		fileServer.ServeHTTP(w, r)
+		fileServer.ServeHTTP(writer, request)
 	})
 }