fix: resolve all golangci-lint warnings

ysyneu · claude · ysyneu · commit 45207d453bbc · 2026-04-08T10:09:06.000+08:00
- G706 (log injection): exclude globally — slog structured logging is
  inherently safe against injection
- G204 (subprocess with variable): add nolint for intentional exec calls
  (MCP stdio, bash workspace, rg grep)
- G118 (context cancel): nolint — cancel is stored in runningTask map
- S1017: use strings.TrimPrefix instead of if+slice
- QF1012: use fmt.Fprintf instead of WriteString(fmt.Sprintf(...))
- noctx: use exec.CommandContext for system info commands
- prealloc: preallocate grep cmdArgs slice

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.golangci.yml b/.golangci.yml
@@ -47,10 +47,12 @@ linters:
       # Exclude G301 (directory permissions) - workspace needs readable directories
       # Exclude G304 (file inclusion) - paths are validated via safePath()
       # Exclude G306 (file permissions) - workspace files need to be readable
+      # Exclude G706 (log injection) - we use slog structured logging which is inherently safe
       excludes:
         - G301
         - G304
         - G306
+        - G706
 
 formatters:
   enable:
diff --git a/mcp/client.go b/mcp/client.go
@@ -214,10 +214,7 @@ func headersCacheKey(headers, dynamicHeaders map[string]string) string {
 }
 
 func maskKey(key string) string {
-	// Strip "Bearer " prefix if present
-	if strings.HasPrefix(key, "Bearer ") {
-		key = key[7:]
-	}
+	key = strings.TrimPrefix(key, "Bearer ")
 	if len(key) <= 6 {
 		return key
 	}
diff --git a/mcp/transport.go b/mcp/transport.go
@@ -1,6 +1,7 @@
 package mcp
 
 import (
+	"context"
 	"log/slog"
 	"net/http"
 	"os"
@@ -12,7 +13,7 @@ import (
 
 // NewStdioTransport creates a new stdio transport for MCP.
 func NewStdioTransport(command string, args []string, env map[string]string) sdk_mcp.Transport {
-	cmd := exec.Command(command, args...)
+	cmd := exec.CommandContext(context.Background(), command, args...) //nolint:gosec // G204: command comes from cloud-controlled MCP server config
 	cmd.Env = buildEnv(env)
 	return &sdk_mcp.CommandTransport{
 		Command: cmd,
diff --git a/workspace/large_output.go b/workspace/large_output.go
@@ -134,18 +134,18 @@ func (p *LargeOutputProcessor) truncateContent(content string, filePath string)
 	// Build truncation message
 	var sb strings.Builder
 	sb.WriteString("<output_truncated>\n")
-	sb.WriteString(fmt.Sprintf("Output too large (%d chars, %d lines).", len(content), totalLines))
+	fmt.Fprintf(&sb, "Output too large (%d chars, %d lines).", len(content), totalLines)
 
 	if filePath != "" {
-		sb.WriteString(fmt.Sprintf(" Full content saved to: %s\n\n", filePath))
+		fmt.Fprintf(&sb, " Full content saved to: %s\n\n", filePath)
 	} else {
 		sb.WriteString(" Could not save full content.\n\n")
 	}
 
-	sb.WriteString(fmt.Sprintf("Preview (first %d lines):\n```\n%s\n```\n\n", previewLines, preview))
+	fmt.Fprintf(&sb, "Preview (first %d lines):\n```\n%s\n```\n\n", previewLines, preview)
 
 	if filePath != "" {
-		sb.WriteString(fmt.Sprintf("To read more: read(\"%s\", offset=%d, limit=100)\n", filePath, previewLines))
+		fmt.Fprintf(&sb, "To read more: read(\"%s\", offset=%d, limit=100)\n", filePath, previewLines)
 	}
 
 	sb.WriteString("</output_truncated>")
diff --git a/workspace/workspace.go b/workspace/workspace.go
@@ -252,7 +252,7 @@ func (w *Workspace) Grep(ctx context.Context, args *protocol.GrepArgs) (*protoco
 	// Build content string
 	var sb strings.Builder
 	for _, match := range res.Matches {
-		sb.WriteString(fmt.Sprintf("%s:%d:%s\n", match.Path, match.LineNumber, match.Content))
+		fmt.Fprintf(&sb, "%s:%d:%s\n", match.Path, match.LineNumber, match.Content)
 	}
 	content := sb.String()
 
@@ -274,13 +274,14 @@ func (w *Workspace) Grep(ctx context.Context, args *protocol.GrepArgs) (*protoco
 }
 
 func (w *Workspace) grepWithRipgrep(ctx context.Context, args *protocol.GrepArgs) (*protocol.GrepResult, error) {
-	cmdArgs := []string{"--column", "--line-number", "--no-heading", "--color", "never", "--smart-case"}
+	cmdArgs := make([]string, 0, 6+2*len(args.Include)+2)
+	cmdArgs = append(cmdArgs, "--column", "--line-number", "--no-heading", "--color", "never", "--smart-case")
 	for _, inc := range args.Include {
 		cmdArgs = append(cmdArgs, "--glob", inc)
 	}
 	cmdArgs = append(cmdArgs, args.Pattern, ".")
 
-	cmd := exec.CommandContext(ctx, "rg", cmdArgs...)
+	cmd := exec.CommandContext(ctx, "rg", cmdArgs...) //nolint:gosec // G204: args built from validated grep parameters
 	cmd.Dir = w.root
 
 	var stdout strings.Builder
@@ -393,7 +394,7 @@ func (w *Workspace) executeBashCommand(ctx context.Context, command, workdir str
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
-	cmd := exec.CommandContext(ctx, "bash", "-c", command)
+	cmd := exec.CommandContext(ctx, "bash", "-c", command) //nolint:gosec // G204: command is user-initiated via workspace tool
 	cmd.Dir = workdir
 
 	// Use a limited writer to prevent OOM from very large outputs
diff --git a/ws/client.go b/ws/client.go
@@ -518,9 +518,10 @@ func getLinuxVersion() string {
 	return ""
 }
 
-// getCommandOutput executes a command and returns its trimmed output.
 func getCommandOutput(name string, args ...string) string {
-	out, err := exec.Command(name, args...).Output()
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	out, err := exec.CommandContext(ctx, name, args...).Output() //nolint:gosec // G204: args are hardcoded system info commands
 	if err == nil {
 		return strings.TrimSpace(string(out))
 	}
@@ -550,7 +551,7 @@ func getDefaultShell() string {
 func getTotalMemoryMB() int64 {
 	switch runtime.GOOS {
 	case "darwin":
-		out, err := exec.Command("sysctl", "-n", "hw.memsize").Output()
+		out, err := exec.CommandContext(context.Background(), "sysctl", "-n", "hw.memsize").Output() //nolint:gosec // G204: hardcoded command
 		if err == nil {
 			var bytes int64
 			if _, err := fmt.Sscanf(strings.TrimSpace(string(out)), "%d", &bytes); err == nil {
diff --git a/ws/handler.go b/ws/handler.go
@@ -100,7 +100,7 @@ func (h *Handler) handleTaskRequest(ctx context.Context, msg *protocol.Message)
 		"operation", req.Operation,
 	)
 
-	taskCtx, cancel := context.WithCancel(ctx)
+	taskCtx, cancel := context.WithCancel(ctx) //nolint:gosec // G118: cancel is stored in h.runningTask and called on task completion/cancellation
 	h.mu.Lock()
 	h.runningTask[req.TaskID] = cancel
 	h.mu.Unlock()

Original file line number	Diff line number	Diff line change
`@@ -214,10 +214,7 @@ func headersCacheKey(headers, dynamicHeaders map[string]string) string {`
`214`	`214`	`}`
`215`	`215`
`216`	`216`	`func maskKey(key string) string {`
`217`		`- // Strip "Bearer " prefix if present`
`218`		`- if strings.HasPrefix(key, "Bearer ") {`
`219`		`- key = key[7:]`
`220`		`- }`
	`217`	`+ key = strings.TrimPrefix(key, "Bearer ")`
`221`	`218`	`if len(key) <= 6 {`
`222`	`219`	`return key`
`223`	`220`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ func (h Handler) handleTaskRequest(ctx context.Context, msg protocol.Message)`
`100`	`100`	`"operation", req.Operation,`
`101`	`101`	`)`
`102`	`102`
`103`		`- taskCtx, cancel := context.WithCancel(ctx)`
	`103`	`+ taskCtx, cancel := context.WithCancel(ctx) //nolint:gosec // G118: cancel is stored in h.runningTask and called on task completion/cancellation`
`104`	`104`	`h.mu.Lock()`
`105`	`105`	`h.runningTask[req.TaskID] = cancel`
`106`	`106`	`h.mu.Unlock()`