version: "2"

run:
  timeout: 5m
  modules-download-mode: readonly

linters:
  default: all
  disable:
    # Genuinely incompatible with project patterns
    - exhaustruct      # Requires all struct fields
    - depguard         # Dependency allow/block lists
    - godot            # Requires comments to end with periods
    - wsl              # Deprecated, replaced by wsl_v5
    - wrapcheck        # Too verbose for internal packages
    - varnamelen       # Short names like db, id are idiomatic Go
  settings:
    gosec:
      excludes:
        - G117  # false positives on exported fields named Password/Secret/Key
        - G703  # path traversal — paths from internal config, not user input
        - G704  # SSRF — URLs come from server config, not user input
        - G705  # XSS — log endpoints with text/plain content type
    lll:
      line-length: 120
    funlen:
      lines: 80
      statements: 50
    cyclop:
      max-complexity: 15
    dupl:
      threshold: 150

issues:
  max-issues-per-linter: 0
  max-same-issues: 0