Fix gosec lint warnings in auth package

- G118: suppress false positive on async shutdown goroutine — cancel is
  deferred inside the goroutine; the goroutine is required to avoid
  handler self-deadlock (Shutdown waits for active handlers to return)
- G117: suppress false positives on credential marshaling in the
  credential store (intentional serialization for keyring/file storage)

Author: jeremy

internal/auth/auth.go

@@ -277,7 +277,7 @@ func (m *Manager) waitForCallback(ctx context.Context, expectedState, authURL, c
 
 	shutdownServer := func() {
 		shutdownOnce.Do(func() {
-			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second) //nolint:gosec // G118: cancel deferred in goroutine; async shutdown required to avoid handler self-deadlock
 			go func() {
 				defer cancel()
 				if shutdownErr := server.Shutdown(shutdownCtx); shutdownErr != nil && !errors.Is(shutdownErr, http.ErrServerClosed) {

internal/auth/store.go

@@ -102,7 +102,7 @@ func (s *Store) loadFromKeyring(origin string) (*Credentials, error) {
 }
 
 func (s *Store) saveToKeyring(origin string, creds *Credentials) error {
-	data, err := json.Marshal(creds)
+	data, err := json.Marshal(creds) //nolint:gosec // G117: intentional credential marshaling for storage
 	if err != nil {
 		return err
 	}
@@ -134,7 +134,7 @@ func (s *Store) saveAllToFile(all map[string]*Credentials) error {
 		return err
 	}
 
-	data, err := json.MarshalIndent(all, "", "  ")
+	data, err := json.MarshalIndent(all, "", "  ") //nolint:gosec // G117: intentional credential marshaling for storage
 	if err != nil {
 		return err
 	}