fix: resolve 8 staticcheck lint errors in test files

SA1029: use typed context key instead of string in main_test.go
S1039: remove unnecessary fmt.Sprintf in validation_test.go
SA4023: fix unreachable nil check on concrete error type
SA4006: fix unused variable assignments in stepca_test.go (4 occurrences)
SA4000: fix duplicate expression in ssh_test.go (BEGIN vs END CERTIFICATE)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/server/main_test.go

@@ -512,7 +512,8 @@ func TestMain_ContentTypeMiddleware(t *testing.T) {
 
 // TestMain_ContextPropagation verifies context is propagated through middleware.
 func TestMain_ContextPropagation(t *testing.T) {
-	testKey := "test-key"
+	type contextKey string
+	testKey := contextKey("test-key")
 	testValue := "test-value"
 
 	baseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/api/handler/validation_test.go

@@ -7,7 +7,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"fmt"
 	"strings"
 	"testing"
 )
@@ -522,7 +521,7 @@ func TestValidationError_ErrorMessage(t *testing.T) {
 			name: "error with field info",
 			err: ValidationError{
 				Field:   "test_field",
-				Message: fmt.Sprintf("test_field must be 10 characters or fewer"),
+				Message: "test_field must be 10 characters or fewer",
 			},
 			wantMsg: "test_field must be 10 characters or fewer",
 		},
@@ -540,16 +539,16 @@ func TestValidationError_ErrorMessage(t *testing.T) {
 
 // TestValidationError_IsError tests that ValidationError satisfies error interface.
 func TestValidationError_IsError(t *testing.T) {
-	var err error = ValidationError{
+	ve := ValidationError{
 		Field:   "test",
 		Message: "test error",
 	}
 
-	if err == nil {
+	// Assign to interface variable to verify it satisfies error
-		t.Error("ValidationError should satisfy error interface")
+	var err error = ve
-	}
+	_ = err
 
-	msg := err.Error()
+	msg := ve.Error()
 	if msg != "test error" {
 		t.Errorf("Expected error message 'test error', got %q", msg)
 	}

internal/connector/issuer/stepca/stepca_test.go

@@ -376,7 +376,7 @@ func TestGenerateProvisionerTokenEphemeralKey(t *testing.T) {
 		ProvisionerName: "test-provisioner",
 		// No ProvisionerKeyPath — forces ephemeral key generation
 	}
-	connector := stepca.New(config, logger)
+	_ = stepca.New(config, logger) // verify constructor doesn't panic
 
 	// This should NOT panic and should return a non-empty token
 	_, csrPEM, _ := generateStepCATestCSR("test.example.com")
@@ -405,7 +405,7 @@ func TestGenerateProvisionerTokenEphemeralKey(t *testing.T) {
 	defer srv.Close()
 
 	config.CAURL = srv.URL
-	connector = stepca.New(config, logger)
+	connector := stepca.New(config, logger)
 
 	result, err := connector.IssueCertificate(ctx, req)
 	if err != nil {
@@ -427,7 +427,7 @@ func TestParseSignResponse_SimpleFormat(t *testing.T) {
 		CAURL:           "https://ca.example.com",
 		ProvisionerName: "test-provisioner",
 	}
-	connector := stepca.New(config, logger)
+	_ = stepca.New(config, logger) // verify constructor doesn't panic
 
 	// Test the simple crt/ca response format
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -447,7 +447,7 @@ func TestParseSignResponse_SimpleFormat(t *testing.T) {
 	defer srv.Close()
 
 	config.CAURL = srv.URL
-	connector = stepca.New(config, logger)
+	connector := stepca.New(config, logger)
 
 	_, csrPEM, _ := generateStepCATestCSR("test.example.com")
 	req := issuer.IssuanceRequest{
@@ -478,7 +478,7 @@ func TestParseSignResponse_StructuredFormat(t *testing.T) {
 		CAURL:           "https://ca.example.com",
 		ProvisionerName: "test-provisioner",
 	}
-	connector := stepca.New(config, logger)
+	_ = stepca.New(config, logger) // verify constructor doesn't panic
 
 	// Test the structured response format
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -501,7 +501,7 @@ func TestParseSignResponse_StructuredFormat(t *testing.T) {
 	defer srv.Close()
 
 	config.CAURL = srv.URL
-	connector = stepca.New(config, logger)
+	connector := stepca.New(config, logger)
 
 	_, csrPEM, _ := generateStepCATestCSR("test.example.com")
 	req := issuer.IssuanceRequest{
@@ -792,7 +792,7 @@ func TestParseSignResponse_CertChainFormat(t *testing.T) {
 		CAURL:           "https://ca.example.com",
 		ProvisionerName: "test-provisioner",
 	}
-	connector := stepca.New(config, logger)
+	_ = stepca.New(config, logger) // verify constructor doesn't panic
 
 	// Test the certChainPEM array response format (multiple certs in array)
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -818,7 +818,7 @@ func TestParseSignResponse_CertChainFormat(t *testing.T) {
 	defer srv.Close()
 
 	config.CAURL = srv.URL
-	connector = stepca.New(config, logger)
+	connector := stepca.New(config, logger)
 
 	_, csrPEM, _ := generateStepCATestCSR("test.example.com")
 	req := issuer.IssuanceRequest{

internal/connector/target/ssh/ssh_test.go

@@ -760,7 +760,7 @@ func TestDeployCertificate_FullChainMode(t *testing.T) {
 	}
 
 	certData := string(certWriteCall.Data)
-	if !containsString(certData, "BEGIN CERTIFICATE") || !containsString(certData, "BEGIN CERTIFICATE") {
+	if !containsString(certData, "BEGIN CERTIFICATE") || !containsString(certData, "END CERTIFICATE") {
 		t.Errorf("cert data should contain combined cert and chain")
 	}