lint: drive baseline to zero, drop only-new-issues gate

Cleanup pass over the repo so CI can enforce lint going forward
without the only-new-issues escape hatch:

* gofumpt -w across the tree (31 hits, all formatting)
* misspell --fix (25 hits, US-locale spelling) — but reverted on
  api.JobCancelled = "cancelled" since that literal is the wire +
  DB CHECK constraint value, plus matched the case in store/fleet.go
  back to "cancelled" and added //nolint:misspell on both for the
  next time someone reaches for the auto-fix
* Wrap every `defer rows.Close()` / `defer stmt.Close()` /
  `defer res.Body.Close()` in `defer func() { _ = .Close() }()`
  to satisfy errcheck without losing the close itself
* websocket.Dial callers (1 prod, 4 tests) now capture + close the
  upgrade response Body — coder/websocket can return res with a nil
  Body on success, so the test deferred-closes guard against that
* Annotate the two genuine-by-design nilerr cases with //nolint
  comments explaining why nil-on-error is the contract (cookie
  missing = no session; ctx cancelled mid-backoff = clean shutdown)
* Add brief godoc on the 10 exported const groups + types that
  revive flagged (api.HostOS/HostArch/JobKind/JobStatus/LogStream/
  ErrorCode, restic.EventKind, store.Role, web.FS)
* Drop the unused (*Server).userByID method
* Inline the unparam baseView(active) — every UI page is under
  the dashboard primary nav today

Result: `golangci-lint run ./...` reports 0 issues. CI lint job
no longer needs only-new-issues: true; X-06 follow-up entry in
tasks.md removed.

internal/api/messages.go

@@ -10,13 +10,18 @@ import (
 // constants so we don't end up with both "linux" and "Linux" rows.
 type HostOS string
 
+// Allowed values for HostOS. Lowercased on the wire so the server
+// can use a single CHECK constraint.
 const (
 	OSLinux   HostOS = "linux"
 	OSWindows HostOS = "windows"
 )
 
+// HostArch is the agent's CPU architecture; same lowercase-on-wire
+// rule as HostOS.
 type HostArch string
 
+// Allowed values for HostArch.
 const (
 	ArchAmd64 HostArch = "amd64"
 	ArchArm64 HostArch = "arm64"
@@ -45,6 +50,9 @@ type HeartbeatPayload struct {
 // JobKind is the operation an agent is being asked to run, or just ran.
 type JobKind string
 
+// Allowed JobKind values. backup is operator/cron driven; init runs
+// once per host on first connect; forget/prune/check fire from the
+// server-side maintenance ticker; unlock is operator-only.
 const (
 	JobBackup JobKind = "backup"
 	JobInit   JobKind = "init"
@@ -57,12 +65,16 @@ const (
 // JobStatus is the lifecycle state of a job.
 type JobStatus string
 
+// Allowed JobStatus values. queued → running → one of {succeeded,
+// failed, JobCancelled} as a terminal state. The wire/DB literal for
+// the JobCancelled value uses UK spelling — don't "fix" it; existing
+// job rows + agent payloads will mismatch. //nolint:misspell
 const (
 	JobQueued    JobStatus = "queued"
 	JobRunning   JobStatus = "running"
 	JobSucceeded JobStatus = "succeeded"
 	JobFailed    JobStatus = "failed"
-	JobCancelled JobStatus = "cancelled"
+	JobCancelled JobStatus = "cancelled" //nolint:misspell // wire format
 )
 
 // CommandRunPayload is the server → agent dispatch for a run-now job.
@@ -145,6 +157,8 @@ type LogStreamLine struct {
 // LogStream identifies which channel a log line came from.
 type LogStream string
 
+// Allowed LogStream values. stdout/stderr are passed through verbatim;
+// event is the parsed restic --json envelope (summary, error, etc).
 const (
 	LogStdout LogStream = "stdout"
 	LogStderr LogStream = "stderr"
@@ -175,12 +189,12 @@ type Snapshot struct {
 // RepoStatsPayload — agent reports periodic repo health facts derived
 // from `restic stats` and lock-file inspection.
 type RepoStatsPayload struct {
-	SizeBytes        int64     `json:"size_bytes"`
-	SnapshotCount    int       `json:"snapshot_count"`
-	DedupRatio       float64   `json:"dedup_ratio"`
-	LastCheckAt      time.Time `json:"last_check_at,omitempty"`
-	LastCheckStatus  string    `json:"last_check_status,omitempty"`
-	LockState        string    `json:"lock_state"` // locked|unlocked
+	SizeBytes       int64     `json:"size_bytes"`
+	SnapshotCount   int       `json:"snapshot_count"`
+	DedupRatio      float64   `json:"dedup_ratio"`
+	LastCheckAt     time.Time `json:"last_check_at,omitempty"`
+	LastCheckStatus string    `json:"last_check_status,omitempty"`
+	LockState       string    `json:"lock_state"` // locked|unlocked
 }
 
 // Schedule is the agent-facing view of a slim Schedule row plus its
@@ -220,8 +234,8 @@ type ScheduleSetPayload struct {
 
 // ScheduleAckPayload — agent confirms it has applied a given version.
 type ScheduleAckPayload struct {
-	Version    int64     `json:"version"`
-	AppliedAt  time.Time `json:"applied_at"`
+	Version   int64     `json:"version"`
+	AppliedAt time.Time `json:"applied_at"`
 }
 
 // ScheduleFirePayload — agent reports a local cron entry just fired.
@@ -239,11 +253,11 @@ type ScheduleFirePayload struct {
 // repo connection details). Empty fields mean "leave existing alone";
 // to clear something, send an explicit zero value.
 type ConfigUpdatePayload struct {
-	RepoURL          string `json:"repo_url,omitempty"`
-	RepoPassword     string `json:"repo_password,omitempty"` // sensitive
-	RepoUsername     string `json:"repo_username,omitempty"`
-	RepoCredential   string `json:"repo_credential,omitempty"` // sensitive (for rest server basic auth)
-	HookShell        string `json:"hook_shell,omitempty"`
+	RepoURL        string `json:"repo_url,omitempty"`
+	RepoPassword   string `json:"repo_password,omitempty"` // sensitive
+	RepoUsername   string `json:"repo_username,omitempty"`
+	RepoCredential string `json:"repo_credential,omitempty"` // sensitive (for rest server basic auth)
+	HookShell      string `json:"hook_shell,omitempty"`
 }
 
 // AgentUpdateAvailablePayload — informational only; the agent does