fix(config): resolve golangci-lint failures

- errcheck: explicitly discard f.Close() error in EnsureConfigFile
- errorlint: use errors.As instead of type assertion for HaltError
- goconst: suppress "windows" constant warning (standard runtime value)
- gocritic appendAssign: use copy+append instead of append to different slice
- gosec G301/G302: tighten permissions to 0750/0600 for config dir/file
- gosec G304: nolint for OpenFile/ReadFile on known-safe paths
- gosec G306: tighten test WriteFile permissions to 0600
- noctx: use exec.CommandContext instead of exec.Command
- testifylint: use assert.Positive instead of assert.Greater with 0
- wrapcheck: wrap all errors from external packages (fmt.Fprintln,
  io.Writer.Write, shlex.Split, exec.Cmd.Run)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: cpcloud

cmd/micasa/main.go

@@ -226,11 +226,17 @@ func (cmd *configEditCmd) Run() error {
 	if err != nil {
 		return err
 	}
-	c := exec.Command(name, args...) //nolint:gosec // user-controlled editor from $VISUAL/$EDITOR
+	c := exec.CommandContext(
+		context.Background(),
+		name,
+		args...) //nolint:gosec // user-controlled editor from $VISUAL/$EDITOR
 	c.Stdin = os.Stdin
 	c.Stdout = os.Stdout
 	c.Stderr = os.Stderr
-	return c.Run()
+	if err := c.Run(); err != nil {
+		return fmt.Errorf("run editor: %w", err)
+	}
+	return nil
 }
 
 func (cmd *backupCmd) Run() error {

cmd/micasa/main_test.go

@@ -206,23 +206,23 @@ func TestConfigCmd(t *testing.T) {
 		configPath := filepath.Join(tmpDir, "micasa", "config.toml")
 		info, statErr := os.Stat(configPath)
 		require.NoError(t, statErr, "config file should have been created")
-		assert.Greater(t, info.Size(), int64(0), "config file should not be empty")
+		assert.Positive(t, info.Size(), "config file should not be empty")
 	})
 
 	t.Run("EditExistingConfig", func(t *testing.T) {
 		tmpDir := t.TempDir()
 		dir := filepath.Join(tmpDir, "micasa")
-		require.NoError(t, os.MkdirAll(dir, 0o755))
+		require.NoError(t, os.MkdirAll(dir, 0o750))
 		configPath := filepath.Join(dir, "config.toml")
 		original := "[locale]\ncurrency = \"EUR\"\n"
-		require.NoError(t, os.WriteFile(configPath, []byte(original), 0o644))
+		require.NoError(t, os.WriteFile(configPath, []byte(original), 0o600))
 
 		cmd := exec.CommandContext(t.Context(), bin, "config", "edit")
 		cmd.Env = envWithEditor(tmpDir, noopEditor())
 		out, err := cmd.CombinedOutput()
 		require.NoError(t, err, "config edit failed: %s", out)
 
-		content, readErr := os.ReadFile(configPath)
+		content, readErr := os.ReadFile(configPath) //nolint:gosec // test reads its own temp file
 		require.NoError(t, readErr)
 		assert.Equal(t, original, string(content), "existing config should be untouched")
 	})

internal/config/config_test.go

@@ -1341,7 +1341,7 @@ func writeConfigPerm(t *testing.T, content string, perm os.FileMode) string {
 }
 
 func TestPermissionWarningWithAPIKey(t *testing.T) {
-	if runtime.GOOS == "windows" {
+	if runtime.GOOS == "windows" { //nolint:goconst // standard runtime value
 		t.Skip("os.Chmod is a no-op on Windows")
 	}
 	path := writeConfigPerm(t, `[llm]

internal/config/edit.go

@@ -45,7 +45,9 @@ func EditorCommand(configPath string) (string, []string, error) {
 	if len(parts) == 0 {
 		return "", nil, fmt.Errorf("editor command resolved to empty")
 	}
-	args := append(parts[1:], configPath)
+	args := make([]string, len(parts)-1, len(parts))
+	copy(args, parts[1:])
+	args = append(args, configPath)
 	return parts[0], args, nil
 }
 
@@ -54,17 +56,21 @@ func EditorCommand(configPath string) (string, []string, error) {
 // O_CREATE|O_EXCL to atomically check-and-create, avoiding TOCTOU races.
 func EnsureConfigFile(path string) error {
 	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0o755); err != nil {
+	if err := os.MkdirAll(dir, 0o750); err != nil {
 		return fmt.Errorf("create config directory %s: %w", dir, err)
 	}
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
+	f, err := os.OpenFile(
+		path,
+		os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+		0o600,
+	) //nolint:gosec // path from config.Path(), not user input
 	if err != nil {
 		if errors.Is(err, os.ErrExist) {
 			return nil
 		}
 		return fmt.Errorf("create config file %s: %w", path, err)
 	}
-	defer f.Close()
+	defer func() { _ = f.Close() }()
 	if _, err := f.WriteString(ExampleTOML()); err != nil {
 		return fmt.Errorf("write initial config: %w", err)
 	}

internal/config/edit_test.go

@@ -59,7 +59,7 @@ func TestEditorCommand_SimpleEditor(t *testing.T) {
 }
 
 func TestEditorCommand_QuotedPath(t *testing.T) {
-	if runtime.GOOS == "windows" {
+	if runtime.GOOS == "windows" { //nolint:goconst // standard runtime value
 		t.Skip("POSIX quoting not applicable on Windows")
 	}
 	t.Setenv("VISUAL", "")
@@ -76,24 +76,24 @@ func TestEnsureConfigFile_CreatesNewFile(t *testing.T) {
 	err := EnsureConfigFile(path)
 	require.NoError(t, err)
 
-	content, err := os.ReadFile(path)
+	content, err := os.ReadFile(path) //nolint:gosec // test reads its own temp file
 	require.NoError(t, err)
 	assert.Contains(t, string(content), "[llm]")
 	assert.Contains(t, string(content), "model =")
 }
 
 func TestEnsureConfigFile_ExistingFileUntouched(t *testing.T) {
 	dir := filepath.Join(t.TempDir(), "micasa")
-	require.NoError(t, os.MkdirAll(dir, 0o755))
+	require.NoError(t, os.MkdirAll(dir, 0o750))
 
 	path := filepath.Join(dir, "config.toml")
 	original := []byte("[locale]\ncurrency = \"EUR\"\n")
-	require.NoError(t, os.WriteFile(path, original, 0o644))
+	require.NoError(t, os.WriteFile(path, original, 0o600))
 
 	err := EnsureConfigFile(path)
 	require.NoError(t, err)
 
-	content, err := os.ReadFile(path)
+	content, err := os.ReadFile(path) //nolint:gosec // test reads its own temp file
 	require.NoError(t, err)
 	assert.Equal(t, original, content)
 }

internal/config/edit_unix.go

@@ -5,12 +5,20 @@
 
 package config
 
-import "github.com/google/shlex"
+import (
+	"fmt"
+
+	"github.com/google/shlex"
+)
 
 // SplitEditorCommand splits an editor command string into argv using POSIX
 // shell splitting, correctly handling quoted paths and escape sequences.
 func SplitEditorCommand(cmd string) ([]string, error) {
-	return shlex.Split(cmd)
+	parts, err := shlex.Split(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("split editor command: %w", err)
+	}
+	return parts, nil
 }
 
 // editorFallbacks returns Unix-appropriate fallback editor names.

internal/config/query.go

@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -62,7 +63,8 @@ func (c Config) Query(w io.Writer, filter string) error {
 			break
 		}
 		if err, ok := v.(error); ok {
-			if haltErr, isHalt := err.(*gojq.HaltError); isHalt {
+			var haltErr *gojq.HaltError
+			if errors.As(err, &haltErr) {
 				if haltErr.ExitCode() == 0 {
 					return nil
 				}
@@ -151,14 +153,20 @@ func writeValue(w io.Writer, v any) error {
 	case []any:
 		return writeJSON(w, val)
 	case nil:
-		_, err := fmt.Fprintln(w, "null")
-		return err
+		if _, err := fmt.Fprintln(w, "null"); err != nil {
+			return fmt.Errorf("write null: %w", err)
+		}
+		return nil
 	case string:
-		_, err := fmt.Fprintln(w, val)
-		return err
+		if _, err := fmt.Fprintln(w, val); err != nil {
+			return fmt.Errorf("write string: %w", err)
+		}
+		return nil
 	default:
-		_, err := fmt.Fprintln(w, v)
-		return err
+		if _, err := fmt.Fprintln(w, v); err != nil {
+			return fmt.Errorf("write value: %w", err)
+		}
+		return nil
 	}
 }
 
@@ -171,12 +179,13 @@ func writeTOML(w io.Writer, m map[string]any) error {
 		return fmt.Errorf("encode TOML: %w", err)
 	}
 	out := bytes.TrimRight(buf.Bytes(), "\n")
-	_, err := w.Write(out)
-	if err != nil {
-		return err
+	if _, err := w.Write(out); err != nil {
+		return fmt.Errorf("write TOML: %w", err)
+	}
+	if _, err := fmt.Fprintln(w); err != nil {
+		return fmt.Errorf("write TOML newline: %w", err)
 	}
-	_, err = fmt.Fprintln(w)
-	return err
+	return nil
 }
 
 // writeJSON encodes an array as JSON.
@@ -185,6 +194,8 @@ func writeJSON(w io.Writer, v []any) error {
 	if err != nil {
 		return fmt.Errorf("encode array: %w", err)
 	}
-	_, err = fmt.Fprintln(w, string(data))
-	return err
+	if _, err = fmt.Fprintln(w, string(data)); err != nil {
+		return fmt.Errorf("write JSON: %w", err)
+	}
+	return nil
 }