fix: resolve critical security vulnerabilities in debug logging and command execution

- Remove sensitive data from debug logs (vault/secrets.go, secret/version.go)
- Add input validation for GPG key IDs and keychain item names
- Resolve GPG key IDs to full fingerprints before storing in metadata
- Add comprehensive test coverage for validation functions
- Add golangci-lint configuration with additional linters

Security improvements:
- Debug logs no longer expose decrypted secret values or private keys
- GPG and keychain commands now validate input to prevent injection attacks
- All validation uses precompiled regex patterns for performance

.golangci.yml

@@ -0,0 +1,99 @@
+run:
+  timeout: 5m
+  go: "1.22"
+
+linters:
+  enable:
+    # Additional linters requested
+    - testifylint      # Checks usage of github.com/stretchr/testify
+    - usetesting       # usetesting is an analyzer that detects using os.Setenv instead of t.Setenv since Go 1.17
+    - tagliatelle      # Checks the struct tags
+    - nlreturn         # nlreturn checks for a new line before return and branch statements
+    - nilnil           # Checks that there is no simultaneous return of nil error and an invalid value
+    - nestif           # Reports deeply nested if statements
+    - mnd              # An analyzer to detect magic numbers
+    - lll              # Reports long lines
+    - intrange         # intrange is a linter to find places where for loops could make use of an integer range
+    - gofumpt          # Gofumpt checks whether code was gofumpt-ed
+    - gochecknoglobals # Check that no global variables exist
+
+    # Default/existing linters that are commonly useful
+    - govet
+    - errcheck
+    - staticcheck
+    - unused
+    - gosimple
+    - ineffassign
+    - typecheck
+    - gofmt
+    - goimports
+    - misspell
+    - revive
+    - gosec
+    - unconvert
+    - unparam
+
+linters-settings:
+  lll:
+    line-length: 120
+
+  mnd:
+    # List of enabled checks, see https://github.com/tommy-muehle/go-mnd/#checks for description.
+    checks:
+      - argument
+      - case
+      - condition
+      - operation
+      - return
+      - assign
+    ignored-numbers:
+      - '0'
+      - '1'
+      - '2'
+      - '8'
+      - '16'
+      - '40'  # GPG fingerprint length
+      - '64'
+      - '128'
+      - '256'
+      - '512'
+      - '1024'
+      - '2048'
+      - '4096'
+
+  nestif:
+    min-complexity: 4
+
+  nlreturn:
+    block-size: 2
+
+  tagliatelle:
+    case:
+      rules:
+        json: snake
+        yaml: snake
+        xml: snake
+        bson: snake
+
+  testifylint:
+    enable-all: true
+
+  usetesting:
+    strict: true
+
+issues:
+  exclude-rules:
+    # Exclude some linters from running on tests files
+    - path: _test\.go
+      linters:
+        - gochecknoglobals
+        - mnd
+        - unparam
+
+    # Allow long lines in generated code or test data
+    - path: ".*_gen\\.go"
+      linters:
+        - lll
+
+  max-issues-per-linter: 0
+  max-same-issues: 0