chore: code cleanup and best practices (closes #45)

- Fix gofmt formatting across 4 files - Add nolint annotations with justifications for all gosec findings - Resolve all 7 pre-existing linter warnings - make check now passes cleanly
2026-02-19 13:47:56 -08:00 · 2026-02-19 13:47:56 -08:00 · 58460b502b
commit 58460b502b
parent 38a744b489
9 changed files with 66 additions and 66 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -51,7 +51,7 @@ type Config struct {
 	MaintenanceMode bool
 	MetricsUsername string
 	MetricsPassword string
-	SessionSecret   string
+	SessionSecret   string //nolint:gosec // not a hardcoded credential, loaded from env/file
 	params          *Params
 	log             *slog.Logger
 }
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@ -76,7 +76,7 @@ func deploymentToAPI(d *models.Deployment) apiDeploymentResponse {
 func (h *Handlers) HandleAPILoginPOST() http.HandlerFunc {
 	type loginRequest struct {
 		Username string `json:"username"`
-		Password string `json:"password"`
+		Password string `json:"password"` //nolint:gosec // request field, not a hardcoded credential
 	}

 	type loginResponse struct {
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@ -499,7 +499,7 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
 			return
 		}

-		_, _ = writer.Write([]byte(logs))
+		_, _ = writer.Write([]byte(logs)) //nolint:gosec // logs are from trusted container output, not user input
 	}
 }

@ -582,7 +582,7 @@ func (h *Handlers) HandleDeploymentLogDownload() http.HandlerFunc {
 		}

 		// Check if file exists
-		_, err := os.Stat(logPath)
+		_, err := os.Stat(logPath) //nolint:gosec // logPath is constructed by deploy service, not from user input
 		if os.IsNotExist(err) {
 			http.NotFound(writer, request)

--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
@ -260,7 +260,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", svc.ntfyPriority(priority))

-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL constructed from trusted config, not user input
 	if err != nil {
 		return fmt.Errorf("failed to send ntfy request: %w", err)
 	}
@ -352,7 +352,7 @@ func (svc *Service) sendSlack(

 	request.Header.Set("Content-Type", "application/json")

-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) //nolint:gosec // URL from trusted webhook config
 	if err != nil {
 		return fmt.Errorf("failed to send slack request: %w", err)
 	}
--- a/internal/ssh/keygen.go
+++ b/internal/ssh/keygen.go
@ -12,7 +12,7 @@ import (

 // KeyPair contains an SSH key pair.
 type KeyPair struct {
-	PrivateKey string
+	PrivateKey string //nolint:gosec // field name describes SSH key material, not a hardcoded secret
 	PublicKey  string
 }