lint: drive baseline to zero, drop only-new-issues gate

Cleanup pass over the repo so CI can enforce lint going forward
without the only-new-issues escape hatch:

* gofumpt -w across the tree (31 hits, all formatting)
* misspell --fix (25 hits, US-locale spelling) — but reverted on
  api.JobCancelled = "cancelled" since that literal is the wire +
  DB CHECK constraint value, plus matched the case in store/fleet.go
  back to "cancelled" and added //nolint:misspell on both for the
  next time someone reaches for the auto-fix
* Wrap every `defer rows.Close()` / `defer stmt.Close()` /
  `defer res.Body.Close()` in `defer func() { _ = .Close() }()`
  to satisfy errcheck without losing the close itself
* websocket.Dial callers (1 prod, 4 tests) now capture + close the
  upgrade response Body — coder/websocket can return res with a nil
  Body on success, so the test deferred-closes guard against that
* Annotate the two genuine-by-design nilerr cases with //nolint
  comments explaining why nil-on-error is the contract (cookie
  missing = no session; ctx cancelled mid-backoff = clean shutdown)
* Add brief godoc on the 10 exported const groups + types that
  revive flagged (api.HostOS/HostArch/JobKind/JobStatus/LogStream/
  ErrorCode, restic.EventKind, store.Role, web.FS)
* Drop the unused (*Server).userByID method
* Inline the unparam baseView(active) — every UI page is under
  the dashboard primary nav today

Result: `golangci-lint run ./...` reports 0 issues. CI lint job
no longer needs only-new-issues: true; X-06 follow-up entry in
tasks.md removed.

internal/server/http/p2r01_test.go

@@ -215,24 +215,30 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Bad cron → 400.
 	status, body := doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "not-a-cron", "enabled": true,
-			"source_group_ids": []string{"x"}}, cookie)
+		map[string]any{
+			"cron": "not-a-cron", "enabled": true,
+			"source_group_ids": []string{"x"},
+		}, cookie)
 	if status != 400 {
 		t.Fatalf("bad cron: want 400, got %d (body=%+v)", status, body)
 	}
 
 	// Missing groups → 400.
 	status, _ = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{},
+		}, cookie)
 	if status != 400 {
 		t.Errorf("missing groups: want 400, got %d", status)
 	}
 
 	// Group not on host → 400.
 	status, _ = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{"non-existent"}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{"non-existent"},
+		}, cookie)
 	if status != 400 {
 		t.Errorf("bogus group: want 400, got %d", status)
 	}
@@ -247,8 +253,10 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Happy create.
 	status, body = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{gid}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{gid},
+		}, cookie)
 	if status != 201 {
 		t.Fatalf("create: %d body=%+v", status, body)
 	}
@@ -269,8 +277,10 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Update — change cron, keep group.
 	status, body = doJSON(t, url, "PUT", "/api/hosts/"+hostID+"/schedules/"+sid,
-		map[string]any{"cron": "@hourly", "enabled": false,
-			"source_group_ids": []string{gid}}, cookie)
+		map[string]any{
+			"cron": "@hourly", "enabled": false,
+			"source_group_ids": []string{gid},
+		}, cookie)
 	if status != 200 {
 		t.Fatalf("update: %d body=%+v", status, body)
 	}
@@ -484,5 +494,7 @@ func equalStrings(a, b []string) bool {
 }
 
 // keep fmt import live — used for occasional debug.
-var _ = fmt.Sprintf
-var _ = strings.HasPrefix
+var (
+	_ = fmt.Sprintf
+	_ = strings.HasPrefix
+)