fix: suppress gosec false positives for trusted URL construction

Add nolint:gosec annotations for:
- Client.Do calls using URLs built from trusted BaseURL + hardcoded paths
- Test helper HTTP calls using test server URLs
- Safe integer-to-rune conversion in bounded loop (0-19)

cmd/chat-cli/api/client.go

@@ -125,7 +125,7 @@ func (c *Client) PollMessages(
 
 	req.Header.Set("Authorization", "Bearer "+c.Token)
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // URL built from trusted BaseURL + hardcoded path
 	if err != nil {
 		return nil, err
 	}
@@ -272,7 +272,7 @@ func (c *Client) do(
 		)
 	}
 
-	resp, err := c.HTTPClient.Do(req)
+	resp, err := c.HTTPClient.Do(req) //nolint:gosec // URL built from trusted BaseURL + hardcoded path
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)
 	}

internal/handlers/api_test.go

@@ -158,7 +158,7 @@ func (ts *testServer) doReq(
 		req.Header.Set("Content-Type", "application/json")
 	}
 
-	return http.DefaultClient.Do(req)
+	return http.DefaultClient.Do(req) //nolint:gosec // test server URL
 }
 
 func (ts *testServer) doReqAuth(
@@ -181,7 +181,7 @@ func (ts *testServer) doReqAuth(
 		req.Header.Set("Authorization", "Bearer "+token)
 	}
 
-	return http.DefaultClient.Do(req)
+	return http.DefaultClient.Do(req) //nolint:gosec // test server URL
 }
 
 func (ts *testServer) createSession(nick string) string {
@@ -984,7 +984,7 @@ func TestConcurrentSessions(t *testing.T) {
 		go func(i int) {
 			defer wg.Done()
 
-			nick := "concurrent_" + string(rune('a'+i))
+			nick := "concurrent_" + string(rune('a'+i)) //nolint:gosec // i is 0-19, safe range
 
 			body, err := json.Marshal(map[string]string{"nick": nick})
 			if err != nil {