# .golangci.yml - steamcache2 lint config # Philosophy: enable reasonable linters by default (golangci curated set + key additions) # then use most specific suppressions possible (source //nosec with justification, # _ = discard for errcheck on unavoidable client writes, narrow exclude-rules only for tests). # This makes remaining accepted issues visible and actionable in the code. # Run with: make lint (or golangci-lint run ./...) # Install: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest run: timeout: 5m modules-download-mode: readonly linters: # No disable-all: use golangci defaults (errcheck, govet, ineffassign, staticcheck, unused, gosimple, etc.) # Explicitly enable the non-default linters we require for this LAN cache proxy. enable: - gosec # security checks (re-audited; see source //nosec for justified cases) - misspell # documentation hygiene - goimports # import formatting (enforced) # gofmt covered via linter or goimports; errcheck/govet etc. from defaults linters-settings: errcheck: check-type-assertions: false check-blank: false gosec: # Broad global excludes removed (G104/G115/G301/G304/G306). # - G301 addressed by switching cache MkdirAll to 0700 (least privilege for CDN content). # - Remaining justified cases documented with precise //nosec (or #nosec) + comments at the call sites. # - G104 largely eliminated by errcheck + explicit _ = handling (or defer wrappers). staticcheck: checks: ["all"] # SA1019 exclusion removed (no deprecated API usages in tree) govet: enable-all: true disable: - fieldalignment # performance tuning not a priority for this proxy appliance - shadow # common idiomatic "err" redeclarations in error-handling chains (large ServeHTTP, root, parse funcs); enabling adds noise with no real bugs; would require scope refactor for little gain # Old global errcheck disable + aspirational "re-enable after refactors" comments deleted. # errcheck is now on via defaults. Unavoidable cases handled at source with _ = or (rarely) narrow rules. issues: max-issues-per-linter: 0 max-same-issues: 0 exclude-use-default: false exclude-dirs: - dist - bin exclude-rules: - path: _test\.go linters: - errcheck - gosec # tests often use weak patterns intentionally (e.g. error injection, temp files) # NOTE: narrow SA9003 exclude retained only for the one remaining intentional empty branch in test (best-effort status check; main assert is metrics side-effect). # The config one was a truly redundant check (already errored above); deleted surgically in Fix Round 1 (Issue 1), eliminating its exclude-rule. - path: steamcache/steamcache_test.go linters: - staticcheck text: "SA9003: empty branch" # Narrow gosec excludes for unavoidable classes after re-audit (LAN proxy threat model): # - G115: int64<->uint casts in eviction/GC math (all sizes positive, guarded by capacity checks; API uses uint for bytesNeeded) # - G304: path vars for Read/Open/Remove under trusted disk.root or user config file (sanitized keys, no traversal, no arbitrary inclusion from untrusted URLs) # G306 for config WriteFile kept as source //nosec (one site). # G301 fixed at source (0700 dirs). G104 addressed via errcheck fixes. - path: vfs/memory/memory.go linters: - gosec text: "G115" - path: vfs/disk/disk.go linters: - gosec text: "G115" - path: vfs/gc/gc.go linters: - gosec text: "G115" - path: config/config.go linters: - gosec text: "G304" - path: vfs/disk/disk.go linters: - gosec text: "G304" # Predictive/* rules deleted: vfs/predictive/ removed in commit 0dbb2e0; rules were stale/dead. # All other suppressions use source-level //nosec (gosec) or _= (errcheck) for precision and visibility.