Fix gosec lint warnings in auth package

- G118: make OAuth callback server shutdown synchronous instead of
  launching a goroutine, so context cancel is deferred in the same scope
- G117: suppress false positives on credential marshaling in the
  credential store (intentional serialization for keyring/file storage)

Author: jeremy

internal/auth/auth.go

@@ -278,12 +278,10 @@ func (m *Manager) waitForCallback(ctx context.Context, expectedState, authURL, c
 	shutdownServer := func() {
 		shutdownOnce.Do(func() {
 			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-			go func() {
-				defer cancel()
-				if shutdownErr := server.Shutdown(shutdownCtx); shutdownErr != nil && !errors.Is(shutdownErr, http.ErrServerClosed) {
-					fmt.Fprintf(os.Stderr, "warning: callback server shutdown failed: %v\n", shutdownErr)
-				}
-			}()
+			defer cancel()
+			if shutdownErr := server.Shutdown(shutdownCtx); shutdownErr != nil && !errors.Is(shutdownErr, http.ErrServerClosed) {
+				fmt.Fprintf(os.Stderr, "warning: callback server shutdown failed: %v\n", shutdownErr)
+			}
 		})
 	}
 

internal/auth/store.go

@@ -102,7 +102,7 @@ func (s *Store) loadFromKeyring(origin string) (*Credentials, error) {
 }
 
 func (s *Store) saveToKeyring(origin string, creds *Credentials) error {
-	data, err := json.Marshal(creds)
+	data, err := json.Marshal(creds) //nolint:gosec // G117: intentional credential marshaling for storage
 	if err != nil {
 		return err
 	}
@@ -134,7 +134,7 @@ func (s *Store) saveAllToFile(all map[string]*Credentials) error {
 		return err
 	}
 
-	data, err := json.MarshalIndent(all, "", "  ")
+	data, err := json.MarshalIndent(all, "", "  ") //nolint:gosec // G117: intentional credential marshaling for storage
 	if err != nil {
 		return err
 	}