lint: drive baseline to zero, drop only-new-issues gate

Cleanup pass over the repo so CI can enforce lint going forward
without the only-new-issues escape hatch:

* gofumpt -w across the tree (31 hits, all formatting)
* misspell --fix (25 hits, US-locale spelling) — but reverted on
  api.JobCancelled = "cancelled" since that literal is the wire +
  DB CHECK constraint value, plus matched the case in store/fleet.go
  back to "cancelled" and added //nolint:misspell on both for the
  next time someone reaches for the auto-fix
* Wrap every `defer rows.Close()` / `defer stmt.Close()` /
  `defer res.Body.Close()` in `defer func() { _ = .Close() }()`
  to satisfy errcheck without losing the close itself
* websocket.Dial callers (1 prod, 4 tests) now capture + close the
  upgrade response Body — coder/websocket can return res with a nil
  Body on success, so the test deferred-closes guard against that
* Annotate the two genuine-by-design nilerr cases with //nolint
  comments explaining why nil-on-error is the contract (cookie
  missing = no session; ctx cancelled mid-backoff = clean shutdown)
* Add brief godoc on the 10 exported const groups + types that
  revive flagged (api.HostOS/HostArch/JobKind/JobStatus/LogStream/
  ErrorCode, restic.EventKind, store.Role, web.FS)
* Drop the unused (*Server).userByID method
* Inline the unparam baseView(active) — every UI page is under
  the dashboard primary nav today

Result: `golangci-lint run ./...` reports 0 issues. CI lint job
no longer needs only-new-issues: true; X-06 follow-up entry in
tasks.md removed.

.gitea/workflows/ci.yml

@@ -41,13 +41,6 @@ jobs:
           # Bumping to a v2.x release built against current Go.
           version: v2.1.6
           args: --timeout=5m
-          # Only flag issues introduced by the PR. The repo carries
-          # ~90 pre-existing findings (mostly missing godoc comments
-          # + gofumpt drift + misspell) accumulated before lint was
-          # actually wired into CI; cleaning them up is its own piece
-          # of work tracked separately. Without this, every PR fails
-          # on baseline noise instead of its own changes.
-          only-new-issues: true
 
   build:
     name: Build (${{ matrix.goos }}/${{ matrix.goarch }})

internal/agent/runner/runner.go

@@ -99,13 +99,13 @@ func (r *Runner) RunBackup(ctx context.Context, jobID string, paths, excludes, t
 			}
 			lastProgress = time.Now()
 			progEnv, _ := api.Marshal(api.MsgJobProgress, jobID, api.JobProgressPayload{
-				JobID:       jobID,
-				PercentDone: status.PercentDone,
-				FilesDone:   status.FilesDone,
-				TotalFiles:  status.TotalFiles,
-				BytesDone:   status.BytesDone,
-				TotalBytes:  status.TotalBytes,
-				ETASeconds:  status.SecondsRem,
+				JobID:         jobID,
+				PercentDone:   status.PercentDone,
+				FilesDone:     status.FilesDone,
+				TotalFiles:    status.TotalFiles,
+				BytesDone:     status.BytesDone,
+				TotalBytes:    status.TotalBytes,
+				ETASeconds:    status.SecondsRem,
 				ThroughputBps: throughput(status.BytesDone, status.SecondsElapsed),
 			})
 			_ = r.tx.Send(progEnv)

internal/agent/scheduler/scheduler.go

@@ -110,7 +110,7 @@ func (s *Scheduler) Apply(payload api.ScheduleSetPayload, tx Sender) {
 		"received", len(payload.Schedules), "active", added)
 
 	// Ack outside the lock — Send() shouldn't take long, but holding
-	// s.mu across an external call would needlessly serialise other
+	// s.mu across an external call would needlessly serialize other
 	// callers (e.g. a future Status() inspection from the UI).
 	ackEnv, err := api.Marshal(api.MsgScheduleAck, "", api.ScheduleAckPayload{
 		Version:   payload.Version,
@@ -167,4 +167,3 @@ func (s *Scheduler) fire(entry api.Schedule) {
 			"schedule_id", entry.ID, "err", err)
 	}
 }
-

internal/agent/secrets/secrets.go

@@ -20,7 +20,7 @@ import (
 
 // additionalData binds ciphertexts to the agent-secrets context, so a
 // blob lifted from one role's file can't be replayed into another's
-// row in some unrelated table that uses the same key. (Defence in
+// row in some unrelated table that uses the same key. (Defense in
 // depth — the key is per-host today, but cheap to be careful.)
 const additionalData = "rm-agent-repo-creds-v1"
 

internal/agent/sysinfo/sysinfo.go

@@ -48,7 +48,9 @@ func Collect(ctx context.Context, resticPath string) (Snapshot, error) {
 
 // detectResticVersion runs `restic version` and parses the first line.
 // Output looks like:
-//   restic 0.17.1 compiled with go1.22.5 on linux/amd64
+//
+//	restic 0.17.1 compiled with go1.22.5 on linux/amd64
+//
 // Returns the version token (e.g. "0.17.1") or "" if restic isn't
 // found. We never block startup on a missing restic — the operator
 // might not have installed it yet, and the agent should still be
@@ -74,5 +76,5 @@ func detectResticVersion(ctx context.Context, override string) (string, error) {
 	if len(parts) >= 2 && parts[0] == "restic" {
 		return parts[1], nil
 	}
-	return "", fmt.Errorf("sysinfo: unrecognised restic version output: %q", first)
+	return "", fmt.Errorf("sysinfo: unrecognized restic version output: %q", first)
 }

internal/agent/wsclient/client.go

@@ -40,7 +40,7 @@ type Config struct {
 // Sender is what handlers use to push agent → server messages
 // (job.progress, job.finished, log.stream, command.result, …).
 // Returned by the WS client to the dispatch handler. Write operations
-// serialise behind a single mutex on the conn; concurrent calls are
+// serialize behind a single mutex on the conn; concurrent calls are
 // safe.
 type Sender interface {
 	Send(env api.Envelope) error
@@ -52,7 +52,7 @@ type Sender interface {
 type Handler func(ctx context.Context, env api.Envelope, tx Sender) error
 
 // Run keeps the agent connected indefinitely. Returns when ctx is
-// cancelled. Errors during a single connection attempt are logged and
+// canceled. Errors during a single connection attempt are logged and
 // trigger reconnect-with-backoff; only ctx.Done() ends the loop.
 func Run(ctx context.Context, cfg Config, handle Handler) error {
 	if cfg.HeartbeatPeriod <= 0 {
@@ -69,7 +69,10 @@ func Run(ctx context.Context, cfg Config, handle Handler) error {
 			slog.Warn("ws agent disconnect", "err", err)
 		}
 		if err := sleepCtx(ctx, backoff.next()); err != nil {
-			return nil
+			// ctx cancellation mid-backoff means the parent shut us down —
+			// exit the reconnect loop quietly rather than propagating
+			// a context error up to a caller that will discard it.
+			return nil //nolint:nilerr
 		}
 	}
 }
@@ -100,11 +103,15 @@ func connectOnce(ctx context.Context, cfg Config, handle Handler) error {
 	}
 
 	dialCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	conn, _, err := websocket.Dial(dialCtx, wsURL, dialOpts)
+	conn, res, err := websocket.Dial(dialCtx, wsURL, dialOpts)
 	cancel()
 	if err != nil {
 		return fmt.Errorf("dial: %w", err)
 	}
+	// websocket.Dial returns the upgrade response separately from the
+	// conn. Body is empty on a successful upgrade but Go's net/http
+	// still expects it closed to release the connection.
+	defer func() { _ = res.Body.Close() }()
 	defer conn.CloseNow() //nolint:errcheck
 
 	// Send hello.

internal/agent/wsclient/enroll.go

@@ -50,7 +50,7 @@ func Enroll(ctx context.Context, serverURL string, req EnrollRequest) (*EnrollRe
 	if err != nil {
 		return nil, fmt.Errorf("agent enroll: post: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() { _ = res.Body.Close() }()
 	rawRes, _ := io.ReadAll(res.Body)
 	if res.StatusCode != stdhttp.StatusCreated {
 		return nil, fmt.Errorf("agent enroll: server returned %d: %s",

internal/api/messages.go

@@ -10,13 +10,18 @@ import (
 // constants so we don't end up with both "linux" and "Linux" rows.
 type HostOS string
 
+// Allowed values for HostOS. Lowercased on the wire so the server
+// can use a single CHECK constraint.
 const (
 	OSLinux   HostOS = "linux"
 	OSWindows HostOS = "windows"
 )
 
+// HostArch is the agent's CPU architecture; same lowercase-on-wire
+// rule as HostOS.
 type HostArch string
 
+// Allowed values for HostArch.
 const (
 	ArchAmd64 HostArch = "amd64"
 	ArchArm64 HostArch = "arm64"
@@ -45,6 +50,9 @@ type HeartbeatPayload struct {
 // JobKind is the operation an agent is being asked to run, or just ran.
 type JobKind string
 
+// Allowed JobKind values. backup is operator/cron driven; init runs
+// once per host on first connect; forget/prune/check fire from the
+// server-side maintenance ticker; unlock is operator-only.
 const (
 	JobBackup JobKind = "backup"
 	JobInit   JobKind = "init"
@@ -57,12 +65,16 @@ const (
 // JobStatus is the lifecycle state of a job.
 type JobStatus string
 
+// Allowed JobStatus values. queued → running → one of {succeeded,
+// failed, JobCancelled} as a terminal state. The wire/DB literal for
+// the JobCancelled value uses UK spelling — don't "fix" it; existing
+// job rows + agent payloads will mismatch. //nolint:misspell
 const (
 	JobQueued    JobStatus = "queued"
 	JobRunning   JobStatus = "running"
 	JobSucceeded JobStatus = "succeeded"
 	JobFailed    JobStatus = "failed"
-	JobCancelled JobStatus = "cancelled"
+	JobCancelled JobStatus = "cancelled" //nolint:misspell // wire format
 )
 
 // CommandRunPayload is the server → agent dispatch for a run-now job.
@@ -145,6 +157,8 @@ type LogStreamLine struct {
 // LogStream identifies which channel a log line came from.
 type LogStream string
 
+// Allowed LogStream values. stdout/stderr are passed through verbatim;
+// event is the parsed restic --json envelope (summary, error, etc).
 const (
 	LogStdout LogStream = "stdout"
 	LogStderr LogStream = "stderr"
@@ -175,12 +189,12 @@ type Snapshot struct {
 // RepoStatsPayload — agent reports periodic repo health facts derived
 // from `restic stats` and lock-file inspection.
 type RepoStatsPayload struct {
-	SizeBytes        int64     `json:"size_bytes"`
-	SnapshotCount    int       `json:"snapshot_count"`
-	DedupRatio       float64   `json:"dedup_ratio"`
-	LastCheckAt      time.Time `json:"last_check_at,omitempty"`
-	LastCheckStatus  string    `json:"last_check_status,omitempty"`
-	LockState        string    `json:"lock_state"` // locked|unlocked
+	SizeBytes       int64     `json:"size_bytes"`
+	SnapshotCount   int       `json:"snapshot_count"`
+	DedupRatio      float64   `json:"dedup_ratio"`
+	LastCheckAt     time.Time `json:"last_check_at,omitempty"`
+	LastCheckStatus string    `json:"last_check_status,omitempty"`
+	LockState       string    `json:"lock_state"` // locked|unlocked
 }
 
 // Schedule is the agent-facing view of a slim Schedule row plus its
@@ -220,8 +234,8 @@ type ScheduleSetPayload struct {
 
 // ScheduleAckPayload — agent confirms it has applied a given version.
 type ScheduleAckPayload struct {
-	Version    int64     `json:"version"`
-	AppliedAt  time.Time `json:"applied_at"`
+	Version   int64     `json:"version"`
+	AppliedAt time.Time `json:"applied_at"`
 }
 
 // ScheduleFirePayload — agent reports a local cron entry just fired.
@@ -239,11 +253,11 @@ type ScheduleFirePayload struct {
 // repo connection details). Empty fields mean "leave existing alone";
 // to clear something, send an explicit zero value.
 type ConfigUpdatePayload struct {
-	RepoURL          string `json:"repo_url,omitempty"`
-	RepoPassword     string `json:"repo_password,omitempty"` // sensitive
-	RepoUsername     string `json:"repo_username,omitempty"`
-	RepoCredential   string `json:"repo_credential,omitempty"` // sensitive (for rest server basic auth)
-	HookShell        string `json:"hook_shell,omitempty"`
+	RepoURL        string `json:"repo_url,omitempty"`
+	RepoPassword   string `json:"repo_password,omitempty"` // sensitive
+	RepoUsername   string `json:"repo_username,omitempty"`
+	RepoCredential string `json:"repo_credential,omitempty"` // sensitive (for rest server basic auth)
+	HookShell      string `json:"hook_shell,omitempty"`
 }
 
 // AgentUpdateAvailablePayload — informational only; the agent does

internal/api/wire.go

@@ -12,35 +12,35 @@ type MessageType string
 
 // Agent → server message types.
 const (
-	MsgHello          MessageType = "hello"
-	MsgHeartbeat      MessageType = "heartbeat"
-	MsgJobStarted     MessageType = "job.started"
-	MsgJobProgress    MessageType = "job.progress"
-	MsgJobFinished    MessageType = "job.finished"
-	MsgSnapshotsRpt   MessageType = "snapshots.report"
-	MsgRepoStats      MessageType = "repo.stats"
-	MsgLogStream      MessageType = "log.stream"
-	MsgScheduleAck    MessageType = "schedule.ack"
-	MsgScheduleFire   MessageType = "schedule.fire"  // agent: a local cron entry fired, please dispatch a job
-	MsgCommandResult  MessageType = "command.result"  // ack for command.run
-	MsgError          MessageType = "error"
+	MsgHello         MessageType = "hello"
+	MsgHeartbeat     MessageType = "heartbeat"
+	MsgJobStarted    MessageType = "job.started"
+	MsgJobProgress   MessageType = "job.progress"
+	MsgJobFinished   MessageType = "job.finished"
+	MsgSnapshotsRpt  MessageType = "snapshots.report"
+	MsgRepoStats     MessageType = "repo.stats"
+	MsgLogStream     MessageType = "log.stream"
+	MsgScheduleAck   MessageType = "schedule.ack"
+	MsgScheduleFire  MessageType = "schedule.fire"  // agent: a local cron entry fired, please dispatch a job
+	MsgCommandResult MessageType = "command.result" // ack for command.run
+	MsgError         MessageType = "error"
 )
 
 // Server → agent message types.
 const (
-	MsgCommandRun         MessageType = "command.run"
-	MsgCommandCancel      MessageType = "command.cancel"
-	MsgScheduleSet        MessageType = "schedule.set"
-	MsgConfigUpdate       MessageType = "config.update"
-	MsgAgentUpdateAvail   MessageType = "agent.update.available"
+	MsgCommandRun       MessageType = "command.run"
+	MsgCommandCancel    MessageType = "command.cancel"
+	MsgScheduleSet      MessageType = "schedule.set"
+	MsgConfigUpdate     MessageType = "config.update"
+	MsgAgentUpdateAvail MessageType = "agent.update.available"
 )
 
 // Envelope is the framing for every WS message in either direction.
 // Payload is parsed into the concrete struct chosen by Type.
 //
-//   ID is set on RPC-style messages (command.run / command.result) so
-//   responses can be correlated. For one-shot pushes (heartbeat,
-//   job.progress) it is empty.
+//	ID is set on RPC-style messages (command.run / command.result) so
+//	responses can be correlated. For one-shot pushes (heartbeat,
+//	job.progress) it is empty.
 type Envelope struct {
 	Type    MessageType     `json:"type"`
 	ID      string          `json:"id,omitempty"`
@@ -71,6 +71,8 @@ func (e Envelope) UnmarshalPayload(v any) error {
 // These are stable identifiers; client code may switch on them.
 type ErrorCode string
 
+// Stable ErrorCode values surfaced over the wire. Clients switch on
+// these; renaming requires a wire-version bump.
 const (
 	ErrProtocolTooOld ErrorCode = "protocol_too_old"
 	ErrProtocolTooNew ErrorCode = "protocol_too_new"

internal/auth/passwords.go

@@ -16,6 +16,7 @@ import (
 // argon2id parameters following RFC 9106 §4 "second
 // recommended option" (memory-constrained):
 //   - 64 MiB memory, 3 iterations, 4 lanes, 32-byte tag.
+//
 // These are tunable per-deployment if a beefy controller wants to
 // crank them; we ship a defensible default.
 const (
@@ -27,7 +28,9 @@ const (
 )
 
 // HashPassword returns an argon2id-encoded string of the form
-//   $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
+//
+//	$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
+//
 // safe to store in a TEXT column. The salt is freshly random per call.
 func HashPassword(password string) (string, error) {
 	salt := make([]byte, defaultSaltLen)
@@ -53,7 +56,7 @@ func VerifyPassword(encoded, password string) error {
 	parts := strings.Split(encoded, "$")
 	// "$argon2id$v=...$m=...,t=...,p=...$<salt>$<hash>" → 6 parts (leading empty)
 	if len(parts) != 6 || parts[1] != "argon2id" {
-		return errors.New("auth: unrecognised hash format")
+		return errors.New("auth: unrecognized hash format")
 	}
 	var version int
 	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {

internal/auth/passwords_test.go

@@ -41,7 +41,7 @@ func TestVerifyRejectsMalformed(t *testing.T) {
 		"",
 		"not-a-hash",
 		"$argon2i$v=19$m=64,t=3,p=4$AAAA$BBBB",  // wrong variant
-		"$argon2id$",                             // truncated
+		"$argon2id$",                            // truncated
 		"$argon2id$v=99$m=64,t=3,p=4$AAAA$BBBB", // bad version
 	}
 	for _, c := range cases {

internal/crypto/aead.go

@@ -65,7 +65,7 @@ func GenerateKeyFile(path string) error {
 	if err != nil {
 		return fmt.Errorf("create key file %q: %w", path, err)
 	}
-	defer f.Close()
+	defer func() { _ = f.Close() }()
 	key := make([]byte, KeyLen)
 	if _, err := io.ReadFull(rand.Reader, key); err != nil {
 		return fmt.Errorf("read random: %w", err)

internal/restic/runner.go

@@ -15,7 +15,7 @@ import (
 	"time"
 )
 
-// Locate resolves the path to the restic binary. Honour an explicit
+// Locate resolves the path to the restic binary. Honor an explicit
 // override if provided, else fall back to PATH.
 func Locate(override string) (string, error) {
 	if override != "" {
@@ -41,12 +41,12 @@ func Locate(override string) (string, error) {
 // never assign it back to Env, never pass it to slog. If anything
 // in this package ever needs to *log* a URL, use RedactURL.
 type Env struct {
-	Bin           string            // path to restic binary
-	RepoURL       string            // RESTIC_REPOSITORY (no embedded creds)
-	RepoUsername  string            // optional HTTP basic-auth user for rest: URLs
-	RepoPassword  string            // doubles as RESTIC_PASSWORD and (for rest:) HTTP basic-auth password
-	ExtraEnv      map[string]string // any other RESTIC_* / passthrough
-	WorkDir       string            // CWD; default = current
+	Bin          string            // path to restic binary
+	RepoURL      string            // RESTIC_REPOSITORY (no embedded creds)
+	RepoUsername string            // optional HTTP basic-auth user for rest: URLs
+	RepoPassword string            // doubles as RESTIC_PASSWORD and (for rest:) HTTP basic-auth password
+	ExtraEnv     map[string]string // any other RESTIC_* / passthrough
+	WorkDir      string            // CWD; default = current
 }
 
 // EventKind enumerates what we care about in restic's --json output
@@ -54,10 +54,12 @@ type Env struct {
 // switch on message_type.
 type EventKind string
 
+// Known message_type values restic --json emits during a backup.
+// Kept as constants so callers can switch without typo risk.
 const (
-	EventStatus     EventKind = "status"      // periodic progress
+	EventStatus     EventKind = "status" // periodic progress
 	EventVerbose    EventKind = "verbose_status"
-	EventSummary    EventKind = "summary"     // emitted once at end of backup
+	EventSummary    EventKind = "summary" // emitted once at end of backup
 	EventErrorEvent EventKind = "error"
 )
 
@@ -90,7 +92,7 @@ type BackupSummary struct {
 }
 
 // LineHandler receives every stdout/stderr line. event is non-nil
-// when the line is a recognised JSON status; raw always carries the
+// when the line is a recognized JSON status; raw always carries the
 // original text (so we can also tee to job_logs as `stdout`).
 type LineHandler func(stream string, raw string, event any)
 
@@ -256,7 +258,7 @@ func (e Env) RunInit(ctx context.Context, handle LineHandler) error {
 
 	// Sniff for "config file already exists" on stderr; if we see it
 	// we'll treat the non-zero exit as a soft success — running init
-	// against an already-initialised repo is a no-op semantically,
+	// against an already-initialized repo is a no-op semantically,
 	// not a failure. Wraps the caller's handle so the line still
 	// gets streamed verbatim to the operator-facing log.
 	alreadyInited := false
@@ -280,7 +282,7 @@ func (e Env) RunInit(ctx context.Context, handle LineHandler) error {
 	if werr := cmd.Wait(); werr != nil {
 		if alreadyInited {
 			if handle != nil {
-				handle("event", "repo already initialised — treating as success", nil)
+				handle("event", "repo already initialized — treating as success", nil)
 			}
 			return nil
 		}

internal/restic/url_test.go

@@ -8,9 +8,11 @@ func TestMergeRestCreds(t *testing.T) {
 	}{
 		{"rest with creds", "rest:http://h:8000/p/", "u", "p", "rest:http://u:p@h:8000/p/"},
 		{"rest no user — no-op", "rest:http://h:8000/p/", "", "p", "rest:http://h:8000/p/"},
-		{"rest creds already inline — no-op",
+		{
+			"rest creds already inline — no-op",
 			"rest:http://existing:secret@h:8000/p/", "u", "p",
-			"rest:http://existing:secret@h:8000/p/"},
+			"rest:http://existing:secret@h:8000/p/",
+		},
 		{"non-rest s3 — no-op", "s3:s3.amazonaws.com/bucket", "u", "p", "s3:s3.amazonaws.com/bucket"},
 		{"unparseable — pass through", "rest:not a url", "u", "p", "rest:not a url"},
 		{"https URL kept intact", "rest:https://h/p/", "u", "p", "rest:https://u:p@h/p/"},

internal/server/config/config.go

@@ -34,9 +34,9 @@ type Config struct {
 }
 
 // Load resolves config in this order:
-//   1. defaults
-//   2. YAML at the given path (if non-empty and exists)
-//   3. environment variables (RM_LISTEN, RM_DATA_DIR, …)
+//  1. defaults
+//  2. YAML at the given path (if non-empty and exists)
+//  3. environment variables (RM_LISTEN, RM_DATA_DIR, …)
 //
 // The result is validated; a zero-error return means the server is
 // safe to start.

internal/server/http/agent_assets.go

@@ -57,7 +57,7 @@ func (s *Server) handleAgentBinary(w stdhttp.ResponseWriter, r *stdhttp.Request)
 }
 
 func (s *Server) handleInstallAsset(w stdhttp.ResponseWriter, r *stdhttp.Request) {
-	// chi's TrimPrefix-like behaviour: r.URL.Path is "/install/<file>".
+	// chi's TrimPrefix-like behavior: r.URL.Path is "/install/<file>".
 	rel := strings.TrimPrefix(r.URL.Path, "/install/")
 	// Reject any path traversal — must be a flat filename.
 	if rel == "" || strings.ContainsAny(rel, "/\\") {

internal/server/http/auth.go

@@ -137,7 +137,7 @@ func (s *Server) handleBootstrap(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		return
 	}
 	if n > 0 {
-		writeJSONError(w, stdhttp.StatusConflict, "already_initialised",
+		writeJSONError(w, stdhttp.StatusConflict, "already_initialized",
 			"a user already exists; bootstrap is disabled")
 		return
 	}

internal/server/http/auth_test.go

@@ -36,7 +36,7 @@ func newTestServer(t *testing.T, withBootstrapToken bool) (*Server, string) {
 	aead, _ := crypto.NewAEAD(key)
 
 	deps := Deps{
-		Cfg: config.Config{Listen: ":0", DataDir: dir, SecretKeyFile: keyPath},
+		Cfg:   config.Config{Listen: ":0", DataDir: dir, SecretKeyFile: keyPath},
 		Store: st,
 		AEAD:  aead,
 	}
@@ -125,7 +125,9 @@ func TestLoginAndLogout(t *testing.T) {
 	bs, _ := json.Marshal(bootstrapRequest{
 		Token: "test-token", Username: "alice", Password: "averylongpassword",
 	})
-	stdhttp.Post(url+"/api/bootstrap", "application/json", bytes.NewReader(bs)) //nolint:errcheck
+	if bsRes, err := stdhttp.Post(url+"/api/bootstrap", "application/json", bytes.NewReader(bs)); err == nil {
+		_ = bsRes.Body.Close()
+	}
 
 	// Login.
 	body, _ := json.Marshal(loginRequest{Username: "alice", Password: "averylongpassword"})

internal/server/http/enrollment.go

@@ -3,6 +3,7 @@ package http
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log/slog"
 	stdhttp "net/http"
@@ -142,7 +143,7 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 
 	// Seed the host's "default" source group with whatever paths the
 	// operator typed into Add-host (empty allowed; group is editable
-	// from the Sources tab post-enrol). Also seed the host's
+	// from the Sources tab post-enroll). Also seed the host's
 	// repo-maintenance row with default cadences so forget/prune/check
 	// start ticking on their own. Auto-init dispatch lands in Phase 6
 	// of the redesign.
@@ -222,12 +223,11 @@ func (s *Server) handleCreateEnrollmentToken(w stdhttp.ResponseWriter, r *stdhtt
 		return
 	}
 	token, expiresAt, err := s.mintEnrollmentToken(r.Context(), req.RepoURL, req.RepoUsername, req.RepoPassword, req.InitialPaths)
-	switch err {
-	case nil:
+	switch {
+	case err == nil:
 		writeJSON(w, stdhttp.StatusCreated, enrollOperatorResponse{Token: token, ExpiresAt: expiresAt})
-	case errMissingRepoCreds:
-		writeJSONError(w, stdhttp.StatusBadRequest, "missing_field",
-			"repo_url and repo_password are required so the agent can run backups on first connect")
+	case errors.Is(err, errMissingRepoCreds):
+		writeJSONError(w, stdhttp.StatusBadRequest, "missing_field", "repo_url and repo_password are required so the agent can run backups on first connect")
 	default:
 		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
 	}

internal/server/http/host_credentials.go

@@ -162,7 +162,7 @@ func (s *Server) handleSetHostCredentials(w stdhttp.ResponseWriter, r *stdhttp.R
 	w.WriteHeader(stdhttp.StatusNoContent)
 }
 
-// pushRepoCredsToAgent serialises blob into a config.update envelope
+// pushRepoCredsToAgent serializes blob into a config.update envelope
 // and ships it down the agent's WS. Returns an error from the hub
 // (no-op if not connected — caller is expected to check first when it
 // matters).

internal/server/http/hosts.go

@@ -10,23 +10,23 @@ import (
 // store row, but with explicit time-strings so wire format is stable
 // across DB driver changes.
 type hostView struct {
-	ID                string  `json:"id"`
-	Name              string  `json:"name"`
-	OS                string  `json:"os"`
-	Arch              string  `json:"arch"`
-	AgentVersion      string  `json:"agent_version,omitempty"`
-	ResticVersion     string  `json:"restic_version,omitempty"`
-	ProtocolVersion   int     `json:"protocol_version"`
-	EnrolledAt        string  `json:"enrolled_at"`
-	LastSeenAt        *string `json:"last_seen_at,omitempty"`
-	Status            string  `json:"status"`
-	Tags              []string `json:"tags"`
-	CurrentJobID      *string `json:"current_job_id,omitempty"`
-	LastBackupAt      *string `json:"last_backup_at,omitempty"`
-	LastBackupStatus  *string `json:"last_backup_status,omitempty"`
-	RepoSizeBytes     int64   `json:"repo_size_bytes"`
-	SnapshotCount     int     `json:"snapshot_count"`
-	OpenAlertCount    int     `json:"open_alert_count"`
+	ID               string   `json:"id"`
+	Name             string   `json:"name"`
+	OS               string   `json:"os"`
+	Arch             string   `json:"arch"`
+	AgentVersion     string   `json:"agent_version,omitempty"`
+	ResticVersion    string   `json:"restic_version,omitempty"`
+	ProtocolVersion  int      `json:"protocol_version"`
+	EnrolledAt       string   `json:"enrolled_at"`
+	LastSeenAt       *string  `json:"last_seen_at,omitempty"`
+	Status           string   `json:"status"`
+	Tags             []string `json:"tags"`
+	CurrentJobID     *string  `json:"current_job_id,omitempty"`
+	LastBackupAt     *string  `json:"last_backup_at,omitempty"`
+	LastBackupStatus *string  `json:"last_backup_status,omitempty"`
+	RepoSizeBytes    int64    `json:"repo_size_bytes"`
+	SnapshotCount    int      `json:"snapshot_count"`
+	OpenAlertCount   int      `json:"open_alert_count"`
 }
 
 // handleListHosts returns the full fleet as JSON. Authenticated; the

internal/server/http/jobs.go

@@ -16,8 +16,8 @@ import (
 
 // runNowRequest is the body of POST /api/hosts/:id/jobs.
 type runNowRequest struct {
-	Kind  api.JobKind `json:"kind"`
-	Args  []string    `json:"args,omitempty"`  // restic CLI args (paths for backup, etc.)
+	Kind api.JobKind `json:"kind"`
+	Args []string    `json:"args,omitempty"` // restic CLI args (paths for backup, etc.)
 }
 
 type runNowResponse struct {

internal/server/http/p2r01_test.go

@@ -215,24 +215,30 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Bad cron → 400.
 	status, body := doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "not-a-cron", "enabled": true,
-			"source_group_ids": []string{"x"}}, cookie)
+		map[string]any{
+			"cron": "not-a-cron", "enabled": true,
+			"source_group_ids": []string{"x"},
+		}, cookie)
 	if status != 400 {
 		t.Fatalf("bad cron: want 400, got %d (body=%+v)", status, body)
 	}
 
 	// Missing groups → 400.
 	status, _ = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{},
+		}, cookie)
 	if status != 400 {
 		t.Errorf("missing groups: want 400, got %d", status)
 	}
 
 	// Group not on host → 400.
 	status, _ = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{"non-existent"}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{"non-existent"},
+		}, cookie)
 	if status != 400 {
 		t.Errorf("bogus group: want 400, got %d", status)
 	}
@@ -247,8 +253,10 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Happy create.
 	status, body = doJSON(t, url, "POST", "/api/hosts/"+hostID+"/schedules",
-		map[string]any{"cron": "0 3 * * *", "enabled": true,
-			"source_group_ids": []string{gid}}, cookie)
+		map[string]any{
+			"cron": "0 3 * * *", "enabled": true,
+			"source_group_ids": []string{gid},
+		}, cookie)
 	if status != 201 {
 		t.Fatalf("create: %d body=%+v", status, body)
 	}
@@ -269,8 +277,10 @@ func TestSchedulesCRUDValidation(t *testing.T) {
 
 	// Update — change cron, keep group.
 	status, body = doJSON(t, url, "PUT", "/api/hosts/"+hostID+"/schedules/"+sid,
-		map[string]any{"cron": "@hourly", "enabled": false,
-			"source_group_ids": []string{gid}}, cookie)
+		map[string]any{
+			"cron": "@hourly", "enabled": false,
+			"source_group_ids": []string{gid},
+		}, cookie)
 	if status != 200 {
 		t.Fatalf("update: %d body=%+v", status, body)
 	}
@@ -484,5 +494,7 @@ func equalStrings(a, b []string) bool {
 }
 
 // keep fmt import live — used for occasional debug.
-var _ = fmt.Sprintf
-var _ = strings.HasPrefix
+var (
+	_ = fmt.Sprintf
+	_ = strings.HasPrefix
+)

internal/server/http/p2r01_ws_test.go

@@ -6,8 +6,8 @@ package http
 import (
 	"context"
 	"encoding/json"
-	"net/http/httptest"
 	stdhttp "net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
@@ -29,13 +29,18 @@ func agentDial(t *testing.T, srv *Server, ts *httptest.Server, hostID, token str
 	url := "ws" + strings.TrimPrefix(ts.URL, "http") + "/ws/agent"
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
-	c, _, err := websocket.Dial(ctx, url, &websocket.DialOptions{
+	c, res, err := websocket.Dial(ctx, url, &websocket.DialOptions{
 		HTTPHeader: stdhttp.Header{"Authorization": []string{"Bearer " + token}},
 	})
 	if err != nil {
 		t.Fatalf("dial: %v", err)
 	}
-	t.Cleanup(func() { _ = c.CloseNow() })
+	t.Cleanup(func() {
+		_ = c.CloseNow()
+		if res != nil && res.Body != nil {
+			_ = res.Body.Close()
+		}
+	})
 	return c
 }
 
@@ -76,7 +81,7 @@ func drainUntil(t *testing.T, c *websocket.Conn, wantType api.MessageType) api.E
 	return api.Envelope{}
 }
 
-// enrolHostForWS pre-enrols a host with bound repo creds so the server
+// enrolHostForWS pre-enrolls a host with bound repo creds so the server
 // will treat it as ready to receive command.run.
 func enrolHostForWS(t *testing.T, srv *Server, st *store.Store, name string) (hostID, token string) {
 	t.Helper()

internal/server/http/repo_maintenance.go

@@ -142,4 +142,3 @@ func (s *Server) handleUpdateRepoMaintenance(w stdhttp.ResponseWriter, r *stdhtt
 	}
 	writeJSON(w, stdhttp.StatusOK, toRepoMaintenanceView(m))
 }
-

internal/server/http/schedule_push.go

@@ -4,7 +4,7 @@
 // The slim-schedule wire shape is built here from the (Schedule,
 // SourceGroup) pair. Each schedule is sent with its resolved source
 // groups inlined so the agent doesn't have to keep its own copy of
-// the group catalogue. Cron + enabled drive the agent's local timer;
+// the group catalog. Cron + enabled drive the agent's local timer;
 // when an entry fires the agent ships back a schedule.fire and
 // dispatchScheduledJob below resolves the schedule's groups and
 // dispatches one backup command.run per group.

internal/server/http/schedules.go

@@ -212,7 +212,7 @@ func (s *Server) validateScheduleRequest(r *stdhttp.Request, hostID string, req
 	for _, gid := range req.SourceGroupIDs {
 		g, err := s.deps.Store.GetSourceGroup(r.Context(), hostID, gid)
 		if err != nil || g == nil {
-			return "invalid_group", "source group "+gid+" not found on this host", false
+			return "invalid_group", "source group " + gid + " not found on this host", false
 		}
 	}
 	return "", "", true

internal/server/http/server.go

@@ -184,7 +184,7 @@ func (s *Server) routes(r chi.Router) {
 		// Durable post-Add-host page (operator can refresh / come
 		// back; password decrypted from the token row each render).
 		// Polled fragment under /awaiting flips to "connected" once
-		// the agent enrols.
+		// the agent enrolls.
 		r.Get("/hosts/pending/{token}", s.handleUIPendingHost)
 		r.Get("/hosts/pending/{token}/awaiting", s.handleUIPendingAwaiting)
 		// Host detail (Snapshots tab is the default).

internal/server/http/ui_handlers.go

@@ -44,7 +44,11 @@ func staticHandler() stdhttp.Handler {
 func (s *Server) sessionUser(r *stdhttp.Request) (*ui.User, error) {
 	c, err := r.Cookie(sessionCookieName)
 	if err != nil {
-		return nil, nil
+		// Missing or invalid cookie just means the caller isn't logged
+		// in — that's a normal state, not a server error. Return
+		// (nil, nil) so callers can decide between "redirect to login"
+		// and "treat as anonymous".
+		return nil, nil //nolint:nilerr
 	}
 	sess, err := s.deps.Store.LookupSession(r.Context(), auth.HashToken(c.Value))
 	if err != nil {
@@ -81,11 +85,13 @@ func (s *Server) requireUIUser(w stdhttp.ResponseWriter, r *stdhttp.Request) *ui
 }
 
 // baseView populates the fields the nav partial needs on every
-// authenticated page.
-func (s *Server) baseView(u *ui.User, active string) ui.ViewData {
+// authenticated page. Every UI page sits under the dashboard primary
+// nav today; if a future page lives under a different primary nav
+// tab (e.g. Settings, Audit), accept an Active arg again.
+func (s *Server) baseView(u *ui.User) ui.ViewData {
 	return ui.ViewData{
 		User:    u,
-		Active:  active,
+		Active:  "dashboard",
 		Version: s.version(),
 	}
 }
@@ -200,7 +206,7 @@ func (s *Server) handleUIDashboard(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		rows = append(rows, row)
 	}
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.OpenAlerts = summary.OpenAlerts
 	view.Page = dashboardPage{
 		Hosts:     rows,
@@ -249,16 +255,16 @@ type addHostPage struct {
 }
 
 // pendingHostPage is the GET /hosts/pending/{token} view. Lives
-// for as long as the token does (1h ttl); once the agent enrols,
+// for as long as the token does (1h ttl); once the agent enrolls,
 // the handler redirects to /hosts/{host_id} and this page is gone.
 type pendingHostPage struct {
-	Token             string
-	ServerURL         string
-	ExpiresAt         time.Time
-	RepoURL           string
-	RepoUsername      string
-	RepoPassword      string
-	InitialPaths      []string
+	Token        string
+	ServerURL    string
+	ExpiresAt    time.Time
+	RepoURL      string
+	RepoUsername string
+	RepoPassword string
+	InitialPaths []string
 }
 
 // handleUIAddHostGet renders the empty Add host form.
@@ -267,7 +273,7 @@ func (s *Server) handleUIAddHostGet(w stdhttp.ResponseWriter, r *stdhttp.Request
 	if u == nil {
 		return
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Add host · restic-manager"
 	view.Page = addHostPage{ServerURL: s.publicURL(r)}
 	if err := s.deps.UI.Render(w, "add_host", view); err != nil {
@@ -327,11 +333,11 @@ func (s *Server) handleUIAddHostPost(w stdhttp.ResponseWriter, r *stdhttp.Reques
 
 	if page.Error == "" {
 		token, _, err := s.mintEnrollmentToken(r.Context(), page.RepoURL, repoUsername, repoPassword, splitPaths(page.Paths))
-		switch err {
-		case nil:
+		switch {
+		case err == nil:
 			stdhttp.Redirect(w, r, "/hosts/pending/"+token, stdhttp.StatusSeeOther)
 			return
-		case errMissingRepoCreds:
+		case errors.Is(err, errMissingRepoCreds):
 			page.Error = "Repo URL and password are both required."
 		default:
 			slog.Error("ui add_host: mint token", "err", err)
@@ -339,7 +345,7 @@ func (s *Server) handleUIAddHostPost(w stdhttp.ResponseWriter, r *stdhttp.Reques
 		}
 	}
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Add host · restic-manager"
 	view.Page = page
 	w.WriteHeader(stdhttp.StatusUnprocessableEntity)
@@ -350,7 +356,7 @@ func (s *Server) handleUIAddHostPost(w stdhttp.ResponseWriter, r *stdhttp.Reques
 
 // handleUIPendingHost serves the durable Add-host result page —
 // shown after a successful POST /hosts/new and reachable until the
-// agent enrols (the page redirects to /hosts/{id} once that
+// agent enrolls (the page redirects to /hosts/{id} once that
 // happens) or the token expires (1h ttl). The password is
 // re-decrypted from the encrypted token row on every render so
 // the operator can refresh, bookmark, navigate away and come back.
@@ -406,7 +412,7 @@ func (s *Server) handleUIPendingHost(w stdhttp.ResponseWriter, r *stdhttp.Reques
 		}
 	}
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Pending host · restic-manager"
 	view.Page = page
 	if err := s.deps.UI.Render(w, "pending_host", view); err != nil {
@@ -546,7 +552,7 @@ func (s *Server) handleUIHostDetail(w stdhttp.ResponseWriter, r *stdhttp.Request
 		shown = shown[:cap]
 	}
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = host.Name + " · restic-manager"
 	view.Page = hostDetailPage{
 		hostChromeData: s.loadHostChrome(r, *host, "snapshots", "snapshots"),
@@ -645,7 +651,7 @@ func (s *Server) handleUIJobDetail(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		nextSeq = logs[n-1].Seq
 	}
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = job.Kind + " · " + host.Name + " · restic-manager"
 	view.Page = jobDetailPage{
 		Job:      *job,
@@ -742,21 +748,6 @@ func buildSyntheticJobFinished(job *store.Job) (api.Envelope, error) {
 	})
 }
 
-// userByID fetches the full store.User the UI session represents.
-// Returns the user, ok-flag, error. Used by handlers that need the
-// store-side row (e.g. for audit_log.user_id) rather than just the
-// projected ui.User.
-func (s *Server) userByID(r *stdhttp.Request, id string) (*store.User, bool, error) {
-	u, err := s.deps.Store.GetUserByID(r.Context(), id)
-	if err != nil {
-		if errors.Is(err, store.ErrNotFound) {
-			return nil, false, nil
-		}
-		return nil, false, err
-	}
-	return u, true, nil
-}
-
 // handleUILoginGet renders the login form. If the user is already
 // signed in we redirect them home — login is for the unauthenticated.
 func (s *Server) handleUILoginGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {

internal/server/http/ui_repo.go

@@ -143,7 +143,7 @@ func (s *Server) handleUIHostRepo(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		return
 	}
 	page.SavedSection = r.URL.Query().Get("saved")
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = host.Name + " repo · restic-manager"
 	view.Page = *page
 	if err := s.deps.UI.Render(w, "host_repo", view); err != nil {
@@ -166,7 +166,7 @@ func (s *Server) renderRepoPage(w stdhttp.ResponseWriter, r *stdhttp.Request, u
 	page.CredentialsError = credErr
 	page.BandwidthError = bwErr
 	page.MaintenanceError = mntErr
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = host.Name + " repo · restic-manager"
 	view.Page = *page
 	w.WriteHeader(stdhttp.StatusUnprocessableEntity)

internal/server/http/ui_schedules.go

@@ -78,7 +78,7 @@ func (s *Server) handleUISchedulesList(w stdhttp.ResponseWriter, r *stdhttp.Requ
 	chrome.ScheduleCount = len(scheds)
 	chrome.SourceGroupCount = len(groups)
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = host.Name + " schedules · restic-manager"
 	view.Page = hostSchedulesPage{
 		hostChromeData: chrome,
@@ -106,7 +106,7 @@ func (s *Server) handleUIScheduleNewGet(w stdhttp.ResponseWriter, r *stdhttp.Req
 		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
 		return
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "New schedule · " + host.Name + " · restic-manager"
 	view.Page = scheduleEditPage{
 		hostChromeData:   s.loadHostChrome(r, *host, "schedules", "new schedule"),
@@ -152,7 +152,7 @@ func (s *Server) handleUIScheduleEditGet(w stdhttp.ResponseWriter, r *stdhttp.Re
 	for _, gid := range sc.SourceGroupIDs {
 		selected[gid] = true
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Edit schedule · " + host.Name + " · restic-manager"
 	view.Page = scheduleEditPage{
 		hostChromeData: s.loadHostChrome(r, *host, "schedules", "edit schedule"),
@@ -381,7 +381,7 @@ func (s *Server) renderScheduleFormError(w stdhttp.ResponseWriter, r *stdhttp.Re
 		saveAction = "/hosts/" + host.ID + "/schedules/" + sid + "/edit"
 		crumb = "edit schedule"
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Schedule · " + host.Name + " · restic-manager"
 	view.Page = scheduleEditPage{
 		hostChromeData:   s.loadHostChrome(r, *host, "schedules", crumb),

internal/server/http/ui_sources.go

@@ -119,7 +119,7 @@ func (s *Server) handleUIHostSources(w stdhttp.ResponseWriter, r *stdhttp.Reques
 	// loadHostChrome already counted groups; reuse count we just got.
 	chrome.SourceGroupCount = len(groups)
 
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = host.Name + " sources · restic-manager"
 	view.Page = hostSourcesPage{hostChromeData: chrome, Groups: rows}
 	if err := s.deps.UI.Render(w, "host_sources", view); err != nil {
@@ -137,7 +137,7 @@ func (s *Server) handleUISourceGroupNewGet(w stdhttp.ResponseWriter, r *stdhttp.
 	if !ok {
 		return
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "New source group · " + host.Name + " · restic-manager"
 	view.Page = sourceGroupEditPage{
 		hostChromeData: s.loadHostChrome(r, *host, "sources", "new source group"),
@@ -171,7 +171,7 @@ func (s *Server) handleUISourceGroupEditGet(w stdhttp.ResponseWriter, r *stdhttp
 		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
 		return
 	}
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = g.Name + " · " + host.Name + " · restic-manager"
 	view.Page = sourceGroupEditPage{
 		hostChromeData: s.loadHostChrome(r, *host, "sources", g.Name),
@@ -341,7 +341,7 @@ func (s *Server) handleUISourceGroupDelete(w stdhttp.ResponseWriter, r *stdhttp.
 // typed input intact + an error banner. Returns 422 to signal "form
 // rejected" while still returning HTML (mirrors handleUIAddHostPost).
 func (s *Server) renderSourceFormError(w stdhttp.ResponseWriter, r *stdhttp.Request, u *ui.User, host *store.Host, gid string, isNew bool, form sourceFormData, msg string) {
-	view := s.baseView(u, "dashboard")
+	view := s.baseView(u)
 	view.Title = "Source group · " + host.Name + " · restic-manager"
 	saveAction := "/hosts/" + host.ID + "/sources/new"
 	crumb := "new source group"

internal/server/ui/funcs.go

@@ -13,10 +13,10 @@ import (
 // which can pre-compute and pass primitives into the view.
 func funcMap() template.FuncMap {
 	return template.FuncMap{
-		"bytes":   formatBytes,
-		"relTime": formatRelTime,
-		"comma":   formatComma,
-		"deref":   derefStr,
+		"bytes":       formatBytes,
+		"relTime":     formatRelTime,
+		"comma":       formatComma,
+		"deref":       derefStr,
 		"timeNotZero": func(t *time.Time) bool { return t != nil && !t.IsZero() },
 		"joinDot":     func(parts []string) string { return strings.Join(parts, " · ") },
 		"absTime": func(t time.Time) string {

internal/server/ws/handler.go

@@ -42,14 +42,14 @@ type HandlerDeps struct {
 // enrollment) before the WS upgrade.
 //
 // Lifecycle:
-//   1. Bearer token resolves to a Host row.
-//   2. Upgrade.
-//   3. First message must be `hello`; protocol_version checked here.
-//   4. Loop: read messages, dispatch by type. Heartbeats touch the
-//      host row; job/log/repo messages forward to the relevant
-//      handlers (TODO: lands with P1-18 onward).
-//   5. On Read error or context cancel, mark host offline, unregister
-//      from the hub.
+//  1. Bearer token resolves to a Host row.
+//  2. Upgrade.
+//  3. First message must be `hello`; protocol_version checked here.
+//  4. Loop: read messages, dispatch by type. Heartbeats touch the
+//     host row; job/log/repo messages forward to the relevant
+//     handlers (TODO: lands with P1-18 onward).
+//  5. On Read error or context cancel, mark host offline, unregister
+//     from the hub.
 func AgentHandler(deps HandlerDeps) stdhttp.Handler {
 	return stdhttp.HandlerFunc(func(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		host, ok := authenticateAgent(r, deps.Store)
@@ -204,7 +204,7 @@ func dispatchAgentMessage(ctx context.Context, c *Conn, hostID string, env api.E
 			string(p.Status), p.ExitCode, p.Stats, errMsg, p.FinishedAt); err != nil {
 			slog.Warn("ws: mark job finished", "job_id", p.JobID, "err", err)
 		}
-		// repo_initialised_at projection has been removed — auto-init
+		// repo_initialized_at projection has been removed — auto-init
 		// at host enrolment makes "is the repo init'd" derivable from
 		// the latest init job's status, no separate column needed.
 		if deps.JobHub != nil {

internal/server/ws/hub.go

@@ -100,7 +100,7 @@ func NewConn(hostID string, c *websocket.Conn) *Conn {
 }
 
 // Send writes an envelope as a JSON text message. Concurrent calls
-// are serialised; the underlying socket is not safe for parallel
+// are serialized; the underlying socket is not safe for parallel
 // writers.
 func (c *Conn) Send(ctx context.Context, env api.Envelope) error {
 	c.writeMu.Lock()

internal/server/ws/hub_test.go

@@ -57,13 +57,18 @@ func TestWSHelloAndHeartbeat(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	c, _, err := websocket.Dial(ctx, url, &websocket.DialOptions{
+	c, res, err := websocket.Dial(ctx, url, &websocket.DialOptions{
 		HTTPHeader: stdhttp.Header{"Authorization": []string{"Bearer " + token}},
 	})
 	if err != nil {
 		t.Fatalf("dial: %v", err)
 	}
 	defer c.CloseNow()
+	defer func() {
+		if res != nil && res.Body != nil {
+			_ = res.Body.Close()
+		}
+	}()
 
 	// Send hello.
 	hello := api.HelloPayload{
@@ -125,13 +130,18 @@ func TestWSRejectsOldProtocol(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	c, _, err := websocket.Dial(ctx, url, &websocket.DialOptions{
+	c, res, err := websocket.Dial(ctx, url, &websocket.DialOptions{
 		HTTPHeader: stdhttp.Header{"Authorization": []string{"Bearer " + token}},
 	})
 	if err != nil {
 		t.Fatalf("dial: %v", err)
 	}
 	defer c.CloseNow()
+	defer func() {
+		if res != nil && res.Body != nil {
+			_ = res.Body.Close()
+		}
+	}()
 
 	hello := api.HelloPayload{ProtocolVersion: 0} // below minimum
 	env, _ := api.Marshal(api.MsgHello, "", hello)
@@ -170,6 +180,13 @@ func TestWSRejectsBadToken(t *testing.T) {
 	_, res, err := websocket.Dial(ctx, url, &websocket.DialOptions{
 		HTTPHeader: stdhttp.Header{"Authorization": []string{"Bearer wrong"}},
 	})
+	if res != nil {
+		defer func() {
+			if res != nil && res.Body != nil {
+				_ = res.Body.Close()
+			}
+		}()
+	}
 	if err == nil {
 		t.Fatal("dial should fail")
 	}

internal/server/ws/jobhub.go

@@ -33,7 +33,7 @@ func NewJobHub() *JobHub {
 // the hub's set (so concurrent Broadcasts will reach it), but no
 // pump goroutine runs yet. The caller can prime the channel via Send
 // — useful for late-subscriber catch-up — and then call Run to start
-// the pump. Run blocks until ctx is cancelled or conn dies, and
+// the pump. Run blocks until ctx is canceled or conn dies, and
 // unregisters on return.
 type Subscriber struct {
 	hub   *JobHub
@@ -73,7 +73,7 @@ func (s *Subscriber) Send(env api.Envelope) {
 }
 
 // Run pumps messages from the subscriber's channel onto conn until
-// ctx is cancelled or conn dies. Unregisters on return. Caller is
+// ctx is canceled or conn dies. Unregisters on return. Caller is
 // expected to invoke this from the goroutine that owns conn.
 func (s *Subscriber) Run(ctx context.Context, conn *Conn) {
 	defer s.unregister()

internal/store/audit.go

@@ -26,7 +26,7 @@ func (s *Store) AppendAudit(ctx context.Context, e AuditEntry) error {
 }
 
 // nullable returns nil for nil/empty *string so SQLite stores NULL.
-// SQLite's driver treats Go nil as NULL but treats *string("") as ''.
+// SQLite's driver treats Go nil as NULL but treats *string("") as ”.
 // We want NULL semantics for "absent."
 func nullable(p *string) any {
 	if p == nil || *p == "" {

internal/store/enrollment.go

@@ -172,4 +172,3 @@ func (s *Store) PurgeExpiredEnrollmentTokens(ctx context.Context) (int64, error)
 	n, _ := res.RowsAffected()
 	return n, nil
 }
-

internal/store/fleet.go

@@ -57,7 +57,7 @@ func (s *Store) FleetSummary(ctx context.Context) (FleetSummary, error) {
 	if err != nil {
 		return FleetSummary{}, fmt.Errorf("store: fleet summary jobs: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	for rows.Next() {
 		var status string
 		var n int
@@ -70,7 +70,7 @@ func (s *Store) FleetSummary(ctx context.Context) (FleetSummary, error) {
 			fs.JobsLast24hSucceeded = n
 		case "failed":
 			fs.JobsLast24hFailed = n
-		case "cancelled":
+		case "cancelled": //nolint:misspell // matches the DB CHECK constraint and api.JobCancelled wire value
 			fs.JobsLast24hCancelled = n
 		}
 	}

internal/store/hosts.go

@@ -121,7 +121,7 @@ func (s *Store) ListHosts(ctx context.Context) ([]Host, error) {
 	if err != nil {
 		return nil, fmt.Errorf("store: list hosts: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	var out []Host
 	for rows.Next() {
 		h, err := scanHostRow(rows)
@@ -150,11 +150,11 @@ func scanHost(row *sql.Row) (*Host, error) {
 func scanHostRow(s hostScanner) (*Host, error) {
 	var h Host
 	var (
-		lastSeen, lastBackupAt        sql.NullString
-		repoID, currentJob, lastBkSt  sql.NullString
-		enrolled                      string
-		tags                          string
-		bwUp, bwDown                  sql.NullInt64
+		lastSeen, lastBackupAt       sql.NullString
+		repoID, currentJob, lastBkSt sql.NullString
+		enrolled                     string
+		tags                         string
+		bwUp, bwDown                 sql.NullInt64
 	)
 	err := s.Scan(&h.ID, &h.Name, &h.OS, &h.Arch,
 		&h.AgentVersion, &h.ResticVersion, &h.ProtocolVersion,

internal/store/jobs.go

@@ -118,7 +118,7 @@ func (s *Store) ListJobLogs(ctx context.Context, jobID string, afterSeq int64, l
 	if err != nil {
 		return nil, fmt.Errorf("store: list job logs: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	var out []JobLogLine
 	for rows.Next() {
 		var l JobLogLine
@@ -143,15 +143,15 @@ func (s *Store) GetJob(ctx context.Context, id string) (*Job, error) {
 		        started_at, finished_at, exit_code, stats, error, created_at
 		 FROM jobs WHERE id = ?`, id)
 	var (
-		j           Job
-		schedID     sql.NullString
-		actorID     sql.NullString
-		startedAt   sql.NullString
-		finishedAt  sql.NullString
-		exitCode    sql.NullInt64
-		stats       sql.NullString
-		errMsg      sql.NullString
-		createdAt   string
+		j          Job
+		schedID    sql.NullString
+		actorID    sql.NullString
+		startedAt  sql.NullString
+		finishedAt sql.NullString
+		exitCode   sql.NullInt64
+		stats      sql.NullString
+		errMsg     sql.NullString
+		createdAt  string
 	)
 	if err := row.Scan(&j.ID, &j.HostID, &j.Kind, &j.Status, &schedID,
 		&j.ActorKind, &actorID, &startedAt, &finishedAt,

internal/store/maintenance.go

@@ -31,7 +31,7 @@ func (st *Store) GetRepoMaintenance(ctx context.Context, hostID string) (*HostRe
 			check_cron, check_enabled, check_subset_pct
 		 FROM host_repo_maintenance WHERE host_id = ?`, hostID)
 	var (
-		m                                       HostRepoMaintenance
+		m                                         HostRepoMaintenance
 		forgetEnabled, pruneEnabled, checkEnabled int
 	)
 	err := row.Scan(&m.HostID,

internal/store/migrate.go

@@ -15,9 +15,9 @@ var migrationsFS embed.FS
 
 // migration is one ordered SQL file from migrations/.
 type migration struct {
-	version  int    // parsed from filename prefix (0001, 0002, …)
-	name     string // full filename, for error messages
-	sql      string
+	version int    // parsed from filename prefix (0001, 0002, …)
+	name    string // full filename, for error messages
+	sql     string
 }
 
 // loadMigrations reads every migrations/*.sql file in lexical order

internal/store/pending.go

@@ -52,7 +52,7 @@ func (st *Store) DuePendingRuns(ctx context.Context, now time.Time, limit int) (
 	if err != nil {
 		return nil, fmt.Errorf("store: due pending runs: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	out := []PendingRun{}
 	for rows.Next() {
 		var p PendingRun

internal/store/schedules.go

@@ -144,7 +144,7 @@ func (st *Store) ListSchedulesByHost(ctx context.Context, hostID string) ([]Sche
 	if err != nil {
 		return nil, fmt.Errorf("store: list schedules: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	out := []Schedule{}
 	for rows.Next() {
 		s, err := scanScheduleRow(rows)
@@ -247,7 +247,7 @@ func (st *Store) scheduleGroupIDs(ctx context.Context, scheduleID string) ([]str
 	if err != nil {
 		return nil, fmt.Errorf("store: read schedule junction: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	out := []string{}
 	for rows.Next() {
 		var id string
@@ -269,7 +269,7 @@ func (st *Store) SchedulesUsingGroup(ctx context.Context, groupID string) ([]str
 	if err != nil {
 		return nil, fmt.Errorf("store: schedules using group: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	out := []string{}
 	for rows.Next() {
 		var id string

internal/store/snapshots.go

@@ -51,7 +51,7 @@ func (s *Store) ReplaceHostSnapshots(ctx context.Context, hostID string, snaps [
 		if err != nil {
 			return fmt.Errorf("store: prepare snapshot insert: %w", err)
 		}
-		defer stmt.Close()
+		defer func() { _ = stmt.Close() }()
 
 		refreshed := when.UTC().Format(time.RFC3339Nano)
 		for _, snap := range snaps {
@@ -92,7 +92,7 @@ func (s *Store) ListSnapshotsByHost(ctx context.Context, hostID string) ([]Snaps
 	if err != nil {
 		return nil, fmt.Errorf("store: list snapshots: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 
 	var out []Snapshot
 	for rows.Next() {

internal/store/snapshots_test.go

@@ -30,20 +30,20 @@ func TestReplaceHostSnapshotsRoundTrip(t *testing.T) {
 	now := time.Now().UTC().Truncate(time.Second)
 	in := []Snapshot{
 		{
-			ID: "deadbeef" + "00000000000000000000000000000000000000000000000000000000",
-			ShortID: "deadbeef",
-			Time: now.Add(-2 * time.Hour),
-			Hostname: "snap-host",
-			Paths: []string{"/etc", "/home"},
-			Tags: []string{"daily"},
+			ID:        "deadbeef" + "00000000000000000000000000000000000000000000000000000000",
+			ShortID:   "deadbeef",
+			Time:      now.Add(-2 * time.Hour),
+			Hostname:  "snap-host",
+			Paths:     []string{"/etc", "/home"},
+			Tags:      []string{"daily"},
 			SizeBytes: 4096, FileCount: 12,
 		},
 		{
-			ID: "cafef00d" + "00000000000000000000000000000000000000000000000000000000",
-			ShortID: "cafef00d",
-			Time: now.Add(-1 * time.Hour),
-			Hostname: "snap-host",
-			Paths: []string{"/etc"},
+			ID:        "cafef00d" + "00000000000000000000000000000000000000000000000000000000",
+			ShortID:   "cafef00d",
+			Time:      now.Add(-1 * time.Hour),
+			Hostname:  "snap-host",
+			Paths:     []string{"/etc"},
 			SizeBytes: 8192, FileCount: 24,
 		},
 	}
@@ -129,9 +129,11 @@ func TestReplaceHostSnapshotsEmpty(t *testing.T) {
 
 	// First a non-empty replace.
 	if err := s.ReplaceHostSnapshots(ctx, hostID, []Snapshot{
-		{ID: "1111111111111111111111111111111111111111111111111111111111111111",
+		{
+			ID:      "1111111111111111111111111111111111111111111111111111111111111111",
 			ShortID: "11111111", Time: time.Now().UTC(), Hostname: "snap-host",
-			Paths: []string{"/x"}},
+			Paths: []string{"/x"},
+		},
 	}, time.Now().UTC()); err != nil {
 		t.Fatalf("replace 1: %v", err)
 	}

internal/store/sources.go

@@ -183,7 +183,7 @@ func (st *Store) ListSourceGroupsByHost(ctx context.Context, hostID string) ([]S
 	if err != nil {
 		return nil, fmt.Errorf("store: list source groups: %w", err)
 	}
-	defer rows.Close()
+	defer func() { _ = rows.Close() }()
 	out := []SourceGroup{}
 	for rows.Next() {
 		g, err := scanSourceGroupRow(rows)
@@ -220,10 +220,10 @@ type sourceGroupScanner interface {
 
 func scanSourceGroupRow(s sourceGroupScanner) (*SourceGroup, error) {
 	var (
-		out                                          SourceGroup
-		includes, excludes, retention                string
-		conflict                                     sql.NullString
-		createdAt, updatedAt                         string
+		out                           SourceGroup
+		includes, excludes, retention string
+		conflict                      sql.NullString
+		createdAt, updatedAt          string
 	)
 	err := s.Scan(&out.ID, &out.HostID, &out.Name,
 		&includes, &excludes, &retention,

internal/store/sources_test.go

@@ -177,7 +177,7 @@ func TestPendingRunQueue(t *testing.T) {
 
 	now := time.Now().UTC()
 	if err := s.EnqueuePendingRun(ctx, &PendingRun{
-		ID: "01HPEND00000000000000001",
+		ID:         "01HPEND00000000000000001",
 		ScheduleID: schedID, SourceGroupID: gid, HostID: hostID,
 		NextAttemptAt: now.Add(-time.Second), // already due
 		ScheduledAt:   now.Add(-time.Minute),

internal/store/store_test.go

@@ -34,10 +34,12 @@ func TestOpenAppliesMigrations(t *testing.T) {
 	}
 
 	// Spot-check a few tables exist with expected columns.
-	tables := []string{"users", "sessions", "hosts", "repos",
+	tables := []string{
+		"users", "sessions", "hosts", "repos",
 		"credentials", "schedules", "jobs", "job_logs",
 		"snapshots", "alerts", "audit_log",
-		"enrollment_tokens", "host_schedule_version"}
+		"enrollment_tokens", "host_schedule_version",
+	}
 	for _, tbl := range tables {
 		row := s.DB().QueryRow(
 			`SELECT name FROM sqlite_master WHERE type='table' AND name = ?`, tbl)

internal/store/types.go

@@ -20,6 +20,7 @@ type User struct {
 // Role enumerates the access tiers from spec.md §7.2.
 type Role string
 
+// Defined Role values, in descending order of privilege.
 const (
 	RoleAdmin    Role = "admin"
 	RoleOperator Role = "operator"
@@ -73,12 +74,12 @@ type Host struct {
 // only. forget/prune/check are repo-level cadences on
 // HostRepoMaintenance, not schedule kinds.
 type Schedule struct {
-	ID         string
-	HostID     string
-	CronExpr   string
-	Enabled    bool
-	CreatedAt  time.Time
-	UpdatedAt  time.Time
+	ID        string
+	HostID    string
+	CronExpr  string
+	Enabled   bool
+	CreatedAt time.Time
+	UpdatedAt time.Time
 	// SourceGroupIDs is populated by ListSchedulesByHost (joins
 	// schedule_source_groups) and accepted on Create / Update so the
 	// caller passes the desired junction state in one shape.
@@ -160,14 +161,14 @@ type HostRepoMaintenance struct {
 // PendingRun queues a missed cron tick (agent was offline) for the
 // server-side retry ticker to dispatch later.
 type PendingRun struct {
-	ID              string
-	ScheduleID      string
-	SourceGroupID   string
-	HostID          string
-	Attempt         int
-	NextAttemptAt   time.Time
-	ScheduledAt     time.Time // original cron tick — forensic / audit
-	LastError       string
+	ID            string
+	ScheduleID    string
+	SourceGroupID string
+	HostID        string
+	Attempt       int
+	NextAttemptAt time.Time
+	ScheduledAt   time.Time // original cron tick — forensic / audit
+	LastError     string
 }
 
 // EnrollmentToken is the issuer's view of a one-time token.

tasks.md

@@ -273,4 +273,3 @@ Sizes: **S** = under a day, **M** = 1–3 days, **L** = 3–7 days.
 - [ ] **X-03** Periodic dependency updates (`dependabot` or `renovate`)
 - [ ] **X-04** Threat-model review at end of each phase
 - [ ] **X-05** Proper first-run onboarding UI: admin shouldn't need to `curl` `/api/bootstrap` by hand. Render the bootstrap form on the same login page (extra "setup token" field shown only while no admin user exists, hidden after); on submit POST to `/api/bootstrap`, then drop straight into a session. Surface the one-time token from the server log somewhere copy-able (or print a clickable URL with the token in the query string at first-run). Also: relax the 12-char password floor for the first-run path or document it in the form so `admin` doesn't silently fail validation.
-- [ ] **X-06** Lint-baseline cleanup pass. `.golangci.yml` is now on the v2 schema; CI is gated with `only-new-issues: true` because the repo carries ~90 pre-existing findings (gofumpt drift × 31, misspell × 25, missing godoc on exported consts × 10, bodyclose × 6, errcheck × 12, errorlint/nilerr/unused × handful) accumulated before lint was actually wired into CI. Drive the count to zero in a dedicated PR (mostly mechanical: `gofumpt -w .`, fix typos, add comments, audit nilerr cases since those *might* be real bugs), then drop `only-new-issues: true` so future regressions are caught at the source.

web/embed.go

@@ -7,5 +7,9 @@ package web
 
 import "embed"
 
+// FS is the embedded view of every template + static asset under
+// this package. Consumed by internal/server/ui (templates) and
+// internal/server/http (static handler).
+//
 //go:embed templates/* static/*
 var FS embed.FS