Five golangci-lint v2 findings surfaced when running the v2.1.0 release
gate (auth-bundle-2 → master pre-flight). Each is mechanical:
1. govet/printf-style misuse — internal/auth/oidc/service_test.go used
integer literal 501 in http.Error; switched to http.StatusNotImplemented.
2. staticcheck SA1019 — internal/auth/breakglass/reflect_helper_test.go
referenced reflect.Ptr; the canonical name since Go 1.18 is
reflect.Pointer.
3. staticcheck ST1020 — internal/repository/postgres/auth.go
ActorRoleRepository.Revoke had a doc comment that did not begin with
the method name. Prepended 'Revoke drops actor_roles rows.' to the
comment so it now starts with the method name.
4. staticcheck ST1022 — internal/api/handler/auth_session_oidc.go
DefaultBCLVerifierMaxAge docstring was attached to the DefaultBCLVerifier
type docstring. Moved the const docstring directly above the const
declaration, separated by a blank line.
5. unused — internal/auth/session/bench_test.go declared
benchSessionMinSamples and never referenced it; the bench loop relies
on Go's default b.N scaling. Replaced the const block with a comment
describing the rationale.
Lint clean (golangci-lint v2.12.2 with the .golangci.yml config) on the
five edited packages.
shankar0123
8aeeec93c0