---
# golangci-lint configuration, v2 schema.
version: "2"

linters:
  enable:
    - errcheck
    - gosec
    - govet
    - ineffassign
    - staticcheck
    - unused

  exclusions:
    presets:
      - std-error-handling

    # Every rule below hides findings. Keep each one scoped (path, text,
    # source) no wider than its justification.
    rules:
      # ICO header encoding: binary.Write failures here are panic-level only.
      - path: 'internal/icons/render\.go'
        linters: [errcheck, gosec]
        source: 'binary\.Write'

      # The value returned by systray ShowMenu carries no meaning.
      - path: internal/tray/
        linters: [errcheck, gosec]
        source: 'ShowMenu'

      # G301/G306 (directory and file permission checks): config is written
      # 0755/0644 on purpose, as user-readable settings and not secrets.
      # NOTE(review): this covers every file under internal/config/, so a
      # later write of a token or API key from that package would not be
      # flagged. Confirm nothing secret is persisted with these modes.
      - path: internal/config/
        linters: [gosec]
        text: 'G301|G306'

      # G204 (subprocess launched with a variable): the process manager and
      # the panel launcher have to exec paths that are not constants.
      # NOTE(review): with no `path` key this silences G204 in the whole
      # module, not only in those two components. Consider adding a `path`,
      # or a per-call `//nolint:gosec` with a reason, so that new exec calls
      # elsewhere still get reviewed.
      - linters: [gosec]
        text: 'G204'

      # G101 (hardcoded credentials): the API key display string in the tray
      # is a label, not a credential.
      # NOTE(review): the match is directory-wide, so a real hardcoded
      # secret added under internal/tray/ would be hidden as well.
      - path: internal/tray/
        linters: [gosec]
        text: 'G101'

      # The setup binary is a CLI wizard; best-effort error handling is
      # accepted there.
      # NOTE(review): there is no `text` or `source` filter, so every gosec
      # rule is off for cmd/setup/, not only error-handling findings.
      # Presumably the wizard writes config; verify that no file-permission
      # or exec finding is being masked.
      - path: cmd/setup/
        linters: [errcheck, gosec]

    # Issues from these paths are not reported by any enabled linter,
    # gosec included.
    paths:
      - cmd/panel
      - cmd/icongen