refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned
golangci-lint v2.11.3 Docker image instead of installing
golangci-lint via curl in the builder stage. This follows the
pattern used by sneak/pixa.

Changes:
- Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3
  (Debian-based, pinned by sha256) with COPY --from=lint dependency
- Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned)
- Bump golangci-lint from v1.64.8 to v2.11.3
- Migrate .golangci.yml from v1 to v2 format (same linters, format only)
- All Docker images pinned by sha256 digest
- Fix all lint issues from the v2 linter upgrade:
  - Add package comments to all packages
  - Add doc comments to all exported types, functions, and methods
  - Fix unchecked errors (errcheck)
  - Fix unused parameters (revive)
  - Fix gosec warnings (MaxBytesReader for form parsing)
  - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString)
  - Rename DeliveryTask to Task to avoid stutter (delivery.Task)
  - Rename shadowed builtin 'max' parameter
- Update README.md version requirements
clawbot
2026-03-17 05:46:03 -07:00
parent f003ec7141
commit 4d5ebfd692
32 changed files with 236 additions and 175 deletions


@@ -28,6 +28,9 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
// HandleLoginSubmit handles the login form submission (POST)
func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// Limit request body to prevent memory exhaustion
r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // 1 MB
// Parse form data
if err := r.ParseForm(); err != nil {
h.log.Error("failed to parse form", "error", err)
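Review bot: The 1 MB cap in HandleLoginSubmit is written as the literal `1<<20`, and the same literal is repeated in HandleSourceCreateSubmit, HandleSourceEditSubmit, HandleEntrypointCreate and HandleTargetCreate, so a later change to the limit has to be made in five places and can miss one. A package-level constant such as `const maxFormBodyBytes = 1 << 20`, passed as `http.MaxBytesReader(w, r.Body, maxFormBodyBytes)` in every handler, keeps the limit consistent. A login form carries only a few short fields, so this handler could use a much tighter bound than the management forms. The handler body continues outside the hunk.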


@@ -1,3 +1,4 @@
// Package handlers provides HTTP request handlers for the webhooker web UI and API.
package handlers
import (
@@ -18,7 +19,7 @@ import (
"sneak.berlin/go/webhooker/templates"
)
// nolint:revive // HandlersParams is a standard fx naming convention
//nolint:revive // HandlersParams is a standard fx naming convention.
type HandlersParams struct {
fx.In
Logger *logger.Logger
@@ -30,6 +31,7 @@ type HandlersParams struct {
Notifier delivery.Notifier
}
// Handlers provides HTTP handler methods for all application routes.
type Handlers struct {
params *HandlersParams
log *slog.Logger
@@ -53,6 +55,7 @@ func parsePageTemplate(pageFile string) *template.Template {
)
}
// New creates a Handlers instance, parsing all page templates at startup.
func New(lc fx.Lifecycle, params HandlersParams) (*Handlers, error) {
s := new(Handlers)
s.params = &params
@@ -76,15 +79,15 @@ func New(lc fx.Lifecycle, params HandlersParams) (*Handlers, error) {
}
lc.Append(fx.Hook{
OnStart: func(ctx context.Context) error {
OnStart: func(_ context.Context) error {
return nil
},
})
return s, nil
}
//nolint:unparam // r parameter will be used in the future for request context
func (s *Handlers) respondJSON(w http.ResponseWriter, r *http.Request, data interface{}, status int) {
//nolint:unparam // r parameter will be used in the future for request context.
func (s *Handlers) respondJSON(w http.ResponseWriter, _ *http.Request, data interface{}, status int) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
if data != nil {
@@ -95,8 +98,8 @@ func (s *Handlers) respondJSON(w http.ResponseWriter, r *http.Request, data inte
}
}
//nolint:unparam,unused // will be used for handling JSON requests
func (s *Handlers) decodeJSON(w http.ResponseWriter, r *http.Request, v interface{}) error {
//nolint:unparam,unused // will be used for handling JSON requests.
func (s *Handlers) decodeJSON(_ http.ResponseWriter, r *http.Request, v interface{}) error {
return json.NewDecoder(r.Body).Decode(v)
}
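Review bot: decodeJSON now discards its http.ResponseWriter as `_`, yet it still decodes `r.Body` with no size bound, while the same commit caps every form handler with http.MaxBytesReader. The helper is marked as not yet in use, so the cheap fix is to keep the parameter named `w` and add `r.Body = http.MaxBytesReader(w, r.Body, 1<<20)` before the `Decode` call, so the first JSON endpoint that adopts it inherits the limit. Separately, the nolint comment on respondJSON still says "r parameter", which no longer has a name after the rename to `_`.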


@@ -22,7 +22,7 @@ import (
// noopNotifier is a no-op delivery.Notifier for tests.
type noopNotifier struct{}
func (n *noopNotifier) Notify([]delivery.DeliveryTask) {}
func (n *noopNotifier) Notify([]delivery.Task) {}
func TestHandleIndex(t *testing.T) {
var h *Handlers


@@ -4,6 +4,7 @@ import (
"net/http"
)
// HandleHealthCheck returns an HTTP handler that reports application health.
func (s *Handlers) HandleHealthCheck() http.HandlerFunc {
return func(w http.ResponseWriter, req *http.Request) {
resp := s.hc.Healthcheck()


@@ -8,6 +8,7 @@ import (
"sneak.berlin/go/webhooker/internal/database"
)
// HandleIndex returns an HTTP handler that renders the application dashboard.
func (s *Handlers) HandleIndex() http.HandlerFunc {
// Calculate server start time
startTime := time.Now()


@@ -76,6 +76,7 @@ func (h *Handlers) HandleSourceCreateSubmit() http.HandlerFunc {
return
}
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
if err := r.ParseForm(); err != nil {
http.Error(w, "Bad request", http.StatusBadRequest)
return
@@ -257,6 +258,7 @@ func (h *Handlers) HandleSourceEditSubmit() http.HandlerFunc {
return
}
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
if err := r.ParseForm(); err != nil {
http.Error(w, "Bad request", http.StatusBadRequest)
return
@@ -462,6 +464,7 @@ func (h *Handlers) HandleEntrypointCreate() http.HandlerFunc {
return
}
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
if err := r.ParseForm(); err != nil {
http.Error(w, "Bad request", http.StatusBadRequest)
return
@@ -503,6 +506,7 @@ func (h *Handlers) HandleTargetCreate() http.HandlerFunc {
return
}
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
if err := r.ParseForm(); err != nil {
http.Error(w, "Bad request", http.StatusBadRequest)
return
@@ -529,7 +533,8 @@ func (h *Handlers) HandleTargetCreate() http.HandlerFunc {
// Build config JSON based on target type
var configJSON string
if targetType == database.TargetTypeHTTP {
switch targetType {
case database.TargetTypeHTTP:
if url == "" {
http.Error(w, "URL is required for HTTP targets", http.StatusBadRequest)
return
@@ -554,7 +559,7 @@ func (h *Handlers) HandleTargetCreate() http.HandlerFunc {
return
}
configJSON = string(configBytes)
} else if targetType == database.TargetTypeSlack {
case database.TargetTypeSlack:
if url == "" {
http.Error(w, "Webhook URL is required for Slack targets", http.StatusBadRequest)
return
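Review bot: An oversized body is reported as a generic 400 in HandleSourceCreateSubmit, HandleSourceEditSubmit, HandleEntrypointCreate and HandleTargetCreate, because the `r.ParseForm()` error branch does not distinguish the limit set by the new `http.MaxBytesReader` from a malformed form. Declaring `var tooBig *http.MaxBytesError` and checking `if errors.As(err, &tooBig) { http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge); return }` before the existing `http.Error` call gives clients an accurate 413 and lets logs separate size-limit hits from parse failures. This needs the `errors` import, which is not visible in these hunks, and each handler body starts and ends outside its hunk.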


@@ -18,7 +18,7 @@ const (
// HandleWebhook handles incoming webhook requests at entrypoint URLs.
// Only POST requests are accepted; all other methods return 405 Method Not Allowed.
// Events and deliveries are stored in the per-webhook database. The handler
// builds self-contained DeliveryTask structs with all target and event data
// builds self-contained Task structs with all target and event data
// so the delivery engine can process them without additional DB reads.
func (h *Handlers) HandleWebhook() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
@@ -119,7 +119,7 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
}
// Prepare body pointer for inline transport (≤16KB bodies are
// included in the DeliveryTask so the engine needs no DB read).
// included in the Task so the engine needs no DB read).
var bodyPtr *string
if len(body) < delivery.MaxInlineBodySize {
bodyStr := string(body)
@@ -127,7 +127,7 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
}
// Create delivery records and build self-contained delivery tasks
tasks := make([]delivery.DeliveryTask, 0, len(targets))
tasks := make([]delivery.Task, 0, len(targets))
for i := range targets {
dlv := &database.Delivery{
EventID: event.ID,
@@ -144,7 +144,7 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
return
}
tasks = append(tasks, delivery.DeliveryTask{
tasks = append(tasks, delivery.Task{
DeliveryID: dlv.ID,
EventID: event.ID,
WebhookID: entrypoint.WebhookID,