Running govulncheck
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 3 vulnerabilities in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.
Use '-show verbose' for more details.
Running golangci-lint with the following configuration:
golangci-lint has version 2.4.0 built with go1.25.0 from 43d03392 on 2025-08-13T23:36:29Z
# golangci-lint v2 configuration: an explicit allow-list of linters
# (`default: none`), per-linter settings, exclusions, and severity mapping.
version: "2"
linters:
  # Nothing runs unless it is listed under `enable` below.
  default: none
  enable:
    # For errcheck, we could add exceptions for various writes and tx.Rollback (io.Write, gomponents.Render?)
    - errcheck
    - staticcheck
    - govet
    - gosec
    - ineffassign
    - dogsled
    - gocheckcompilerdirectives
    - gochecknoinits
    - loggercheck
    - noctx
    - nosprintfhostport
    - reassign
    - rowserrcheck
    - sloglint
    - misspell
    - whitespace
    - usestdlibvars
    - fatcontext
    - nakedret
    # Receiver check seems good, but is weird around Error()s
    # - recvcheck
    # This is like... nice, but it's going to be annoying in dev
    #- unused
    #- unparam
    # Go mod guard would let us block specific modules if we wanted to
    # - gomodguard
  settings:
    govet:
      disable:
        - unreachable
    # errcheck:
    #   # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
    #   # Such cases aren't reported by default.
    #   # Default: false
    #   check-type-assertions: true
    #   # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`.
    #   # Such cases aren't reported by default.
    #   # Default: false
    #   check-blank: true
    #   # To disable the errcheck built-in exclude list.
    #   # See `-excludeonly` option in https://github.com/kisielk/errcheck#excluding-functions for details.
    #   # Default: false
    #   disable-default-exclusions: true
    #   # List of functions to exclude from checking, where each entry is a single function to exclude.
    #   # See https://github.com/kisielk/errcheck#excluding-functions for details.
    #   exclude-functions:
    #     - io/ioutil.ReadFile
    #     - io.Copy(*bytes.Buffer)
    #     - io.Copy(os.Stdout)
    staticcheck:
      # Every disabled ID below is an ST (style) rule. The SA (correctness)
      # and S (simplification) checks stay enabled through `all`.
      checks:
        - all
        - "-ST1000" # incorrect or missing package comment
        - "-ST1003" # poorly chosen identifier (naming conventions)
        - "-ST1016" # use consistent method receiver names
        - "-ST1020" # exported function doc should start with the function's name
        - "-ST1021" # exported type doc should start with the type's name
        - "-ST1022" # exported variable/constant doc should start with its name
        # Above list is default staticcheck config
        # Disable check for dot imports. I agree, but using Gomponents is way nicer with it... maybe
        - "-ST1001"
    gosec:
      # Lowest thresholds: findings of every severity and confidence are reported.
      severity: low
      confidence: low
      config:
        global:
          # gosec audit mode; presumably enables its extra, noisier checks.
          audit: true
        # NOTE(review): G301/G302/G306 are all raised above the defaults quoted
        # in the comments below, so world-readable (and, for 0755,
        # world-executable) modes pass without a finding. Files holding
        # secrets or keys need their tighter modes enforced in review,
        # because this linter will not flag them.
        # Maximum allowed permissions mode for os.Mkdir and os.MkdirAll.
        # Default: "0750"
        G301: "0755"
        # Maximum allowed permissions mode for os.OpenFile and os.Chmod.
        # Default: "0600"
        G302: "0755"
        # Maximum allowed permissions mode for os.WriteFile and ioutil.WriteFile.
        # Default: "0600"
        G306: "0644"
      # NOTE(review): these rules are switched off for the whole repository.
      #   G204 - subprocess launched with variable arguments (command execution audit)
      #   G115 - integer overflow on conversion between integer types
      # A global exclude also hides call sites added later. A per-site
      # `//nolint:gosec` with a written reason, or a path-scoped rule under
      # `linters.exclusions.rules`, keeps new uses visible to review.
      excludes:
        - G204
        - G115
    loggercheck:
      no-printf-like: true
    # NOTE: `exhaustive` is not in the `enable` list above, so with
    # `default: none` these settings have no effect until it is enabled.
    exhaustive:
      # Presence of "default" case in switch statements satisfies exhaustiveness,
      # even if all enum members are not listed.
      # Default: false
      # TODO debate this
      default-signifies-exhaustive: true
      # Enum members matching the supplied regex do not have to be listed in
      # switch statements to satisfy exhaustiveness.
      # Default: ""
      ignore-enum-members: ".*(Unknown|Unset).*"
      # Only run exhaustive check on switches with "//exhaustive:enforce" comment.
      # Default: false
      #explicit-exhaustive-switch: true
      # Only run exhaustive check on map literals with "//exhaustive:enforce" comment.
      # Default: false
      #explicit-exhaustive-map: true
      # Switch statement requires default case even if exhaustive.
      # Default: false
      # TODO debate
      default-case-required: false
    sloglint:
      # Enforce not using global loggers.
      # Values:
      # - "": disabled
      # - "all": report all global loggers
      # - "default": report only the default slog logger
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#no-global
      # Default: ""
      no-global: "all"
      # Enforce using methods that accept a context.
      # Values:
      # - "": disabled
      # - "all": report all contextless calls
      # - "scope": report only if a context exists in the scope of the outermost function
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#context-only
      # Default: ""
      # TODO enable for all or scope eventually
      context: ""
      # Enforce message style.
      # Values: lowercased, capitalized
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#message-style
      # Default: ""
      # TODO decide if we should force capitalized, it flags for things like `fapolicy-cli XYZ`
      #msg-style: capitalized
      # Enforce key naming convention.
      # Values: snake, kebab, camel, pascal
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#key-naming-convention
      # Default: ""
      # TODO make this camel someday
      key-naming-case: ""
      # Enforce not using specific keys.
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#forbidden-keys
      # Default: []
      forbidden-keys:
        - time
        - level
        - msg
        - source
      # Enforce putting arguments on separate lines.
      # https://github.com/go-simpler/sloglint?tab=readme-ov-file#arguments-on-separate-lines
      # Default: false
      args-on-sep-lines: false
  exclusions:
    generated: lax
    # NOTE(review): presets suppress whole classes of findings before they are
    # reported. Some of them are believed to cover gosec rules as well, so
    # confirm against the golangci-lint docs that they do not mask results
    # the gosec settings above are meant to surface.
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    # Path patterns excluded from linting.
    paths:
      - third_party$
      - builtin$
      - examples$
issues:
  # 0 removes the cap, so every finding is reported rather than truncated.
  max-issues-per-linter: 0
  max-same-issues: 0
formatters:
  exclusions:
    generated: lax
    paths:
      - third_party$
      - builtin$
      - examples$
  # Both entries are commented out, so this key is empty and no formatter
  # runs; the gofumpt/gofmt settings below are inert until one is enabled.
  enable:
    #- gofmt
    #- gofumpt
  settings:
    gofumpt:
      # Choose whether to use the extra rules.
      # Default: false
      extra-rules: true
    gofmt:
      # Apply the rewrite rules to the source before reformatting.
      # https://pkg.go.dev/cmd/gofmt
      # Default: []
      rewrite-rules:
        - pattern: 'interface{}'
          replacement: 'any'
        - pattern: 'a[b:len(a)]'
          replacement: 'a[b:]'
severity:
  # Set the default severity for issues.
  #
  # If severity rules are defined and the issues do not match or no severity is provided to the rule
  # this will be the default severity applied.
  # Severities should match the supported severity names of the selected out format.
  # - Code climate: https://docs.codeclimate.com/docs/issues#issue-severity
  # - Checkstyle: https://checkstyle.sourceforge.io/property_types.html#SeverityLevel
  # - GitHub: https://help.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-error-message
  # - TeamCity: https://www.jetbrains.com/help/teamcity/service-messages.html#Inspection+Instance
  #
  # `@linter` can be used as severity value to keep the severity from linters (e.g. revive, gosec, ...)
  #
  # Default: ""
  default: error
  # When a list of severity rules are provided, severity information will be added to lint issues.
  # Severity rules have the same filtering capability as exclude rules
  # except you are allowed to specify one matcher per severity rule.
  #
  # `@linter` can be used as severity value to keep the severity from linters (e.g. revive, gosec, ...)
  #
  # Only affects out formats that support setting severity information.
  #
  # Default: []
  # NOTE: tagliatelle is not in the `enable` list above, so this rule
  # currently matches nothing.
  rules:
    - linters:
        - tagliatelle
      severity: info
Lint output (no output indicates no issues were found):
0 issues.
End of lint output