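---
# golangci-lint configuration (v2 schema).
version: "2"

run:
  timeout: 5m

linters:
  # Start from an empty set; only the linters listed under `enable` run.
  default: none
  enable:
    - govet
    - ineffassign
    - staticcheck
    - unused
    - gosec
    - bodyclose
    - copyloopvar
    - durationcheck
    - errname
    - exhaustive

  settings:
    gosec:
      # NOTE(review): `excludes` turns each rule off for the whole module, not
      # only for the call sites the justifications describe. New code that
      # launches a subprocess, opens a path or fetches a URL will not be
      # checked either. Where a justification covers only a few call sites,
      # a path-scoped entry under `exclusions.rules` or a `#nosec <rule>`
      # annotation with a reason keeps the rule active elsewhere.
      excludes:
        - G104 # Unhandled errors in fire-and-forget
        - G112 # Slowloris — local-only servers
        - G115 # Integer overflow — CLI-safe conversions
        - G204 # Subprocess with variable — intentional for player/extractor launch
        - G301 # Directory perms > 0750 — standard for user dirs
        - G302 # File perms > 0600 — resume files need 0644
        - G304 # File inclusion via variable — config paths are trusted
        - G306 # WriteFile perms > 0600 — binaries need 0755
        # NOTE(review): the four taint rules below are disabled on the
        # assumption that the inputs are trusted (self-update URLs, internal
        # paths, user-configured URLs, internal log lines). That assumption is
        # not checked by the linter once the rule is off; confirm that the
        # self-update path verifies what it downloads before executing it.
        - G702 # Command injection via taint — self-update uses trusted URLs
        - G703 # Path traversal via taint — internal paths only
        - G704 # SSRF via taint — user-configured URLs
        - G706 # Log injection via taint — internal log lines
    exhaustive:
      # A `default:` case counts as covering all enum members.
      default-signifies-exhaustive: true

  exclusions:
    paths:
      - dist
    rules:
      # Allow misspell "cancelled" — API constant matching server
      # NOTE(review): misspell is not in `enable` above, so with
      # `default: none` this rule has no effect unless it is enabled elsewhere.
      - linters:
          - misspell
        text: "Cancell"

      # Ignore nilerr in intentional log-and-continue patterns
      # NOTE(review): nilerr is not in `enable` above either; same caveat.
      - linters:
          - nilerr
        path: "(clean|scanner|usenet|engine)"

      # Ignore staticcheck quick-fix (QF*) and simplification (S1*)
      # suggestions, plus SA4011 and SA9003.
      - linters:
          - staticcheck
        text: "^(QF|S1|SA4011|SA9003)"

      # Ignore gosec G101 (hardcoded creds) in tests. The `text` filter limits
      # the exclusion to G101; without it every gosec finding in *_test.go
      # files is suppressed, which is broader than intended.
      - linters:
          - gosec
        path: '_test\.go'
        text: "G101"

formatters:
  enable:
    - gofmt
    - goimports
  exclusions:
    paths:
      - dist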