
Bump Go to 1.26.1, fix govulncheck vulnerabilities #17

Merged
jeremy merged 2 commits into main from govulncheck on Mar 7, 2026

Conversation

@jeremy (Member) commented Mar 7, 2026

Summary

  • Bump Go from 1.26.0 to 1.26.1 (.mise.toml + go.mod) to resolve three stdlib vulnerabilities flagged by govulncheck:
    • GO-2026-4601 — incorrect parsing of IPv6 host literals in net/url
    • GO-2026-4600 — panic in name constraint checking in crypto/x509
    • GO-2026-4599 — incorrect enforcement of email constraints in crypto/x509
  • Fix gosec lint warnings surfaced by the upgraded golangci-lint (G118 context cancel scope, G117 false positives on credential marshaling)

Test plan

  • govulncheck ./... — no vulnerabilities found
  • go vet ./... — clean
  • go test ./internal/... — all pass
  • make check — 0 lint issues

Summary by cubic

Upgrade Go to 1.26.1 to patch three stdlib vulnerabilities flagged by govulncheck and clean up gosec warnings in the auth package.

  • Dependencies

    • Bump Go to 1.26.1 (.mise.toml, go.mod).
    • Fixes GO-2026-4601 (net/url IPv6 parsing), GO-2026-4600 (crypto/x509 name constraint panic), GO-2026-4599 (crypto/x509 email constraint).
  • Bug Fixes

    • Suppress G118 false positive in OAuth callback shutdown; keep async shutdown with cancel deferred inside the goroutine to avoid handler self-deadlock.
    • Suppress G117 false positives for intentional credential marshaling (nolint:gosec) in the credential store.

Written for commit 11e98dc. Summary will update on new commits.

Fixes three stdlib vulnerabilities reported by govulncheck:
- GO-2026-4601: incorrect parsing of IPv6 host literals in net/url
- GO-2026-4600: panic in name constraint checking in crypto/x509
- GO-2026-4599: incorrect enforcement of email constraints in crypto/x509
Copilot AI review requested due to automatic review settings March 7, 2026 19:17
@github-actions github-actions bot added the bug Something isn't working label Mar 7, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: edcb97dfca


Copilot AI (Contributor) left a comment


Pull request overview

Updates the repository’s Go toolchain version to address govulncheck-reported stdlib CVEs and resolves newly surfaced gosec warnings from linting after the upgrade.

Changes:

  • Bump Go version to 1.26.1 in both go.mod and .mise.toml.
  • Add targeted //nolint:gosec suppressions for intentional credential JSON marshaling in the auth store.
  • Adjust OAuth callback server shutdown logic in internal/auth/auth.go.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File                    Description
internal/auth/store.go  Adds gosec suppressions for intentional JSON marshaling of credentials before storage.
internal/auth/auth.go   Modifies callback server shutdown flow (currently introduces a shutdown deadlock risk).
go.mod                  Updates the Go version directive to 1.26.1.
.mise.toml              Pins local Go tool version to 1.26.1 for mise-managed environments.


@cubic-dev-ai bot (Contributor) left a comment


1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="internal/auth/auth.go">

<violation number="1" location="internal/auth/auth.go:281">
P1: Calling `server.Shutdown` synchronously from inside its own HTTP handler deadlocks — `Shutdown` waits for active handlers to finish, but this handler is blocked on `Shutdown`. The 5-second context timeout breaks the deadlock, so every OAuth login will stall for 5 seconds and emit a spurious shutdown-failure warning.

The original goroutine was intentional: it let the handler return (freeing the connection) before `Shutdown` ran. To satisfy the G118 lint (context cancel scope), keep the goroutine but restructure the cancel call:</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
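To make the reviewers' point concrete, here is an added example (not the project's internal/auth code) of a hypothetical loopback OAuth callback server that can be run both ways: Shutdown called synchronously from inside its own handler, which blocks until the context deadline and comes back with context.DeadlineExceeded because Shutdown is waiting for that very handler, and Shutdown moved into a goroutine that creates the context and defers its own cancel, the shape the merged commit describes. The type and function names, the Exercise driver that plays the browser, and the 300 ms grace period standing in for the 5-second timeout cubic mentions are all assumptions made for the demo.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// CallbackServer is a hypothetical loopback listener for an OAuth redirect URI
// (added example, not the project's internal/auth package). It accepts one
// authorization code and then shuts itself down, either from a goroutine
// (the merged approach) or synchronously inside the handler (the deadlock).
type CallbackServer struct {
	srv     *http.Server
	ln      net.Listener
	timeout time.Duration // grace period handed to Shutdown (assumed 300ms below)
	async   bool          // true: run Shutdown in its own goroutine
	once    sync.Once
	Code    chan string        // the code the handler received
	Took    chan time.Duration // how long the handler blocked
	Stopped chan error         // what Shutdown returned
}

// offer is a non-blocking send, so a stray second request can never wedge the
// handler (and with it Shutdown) on an already-full channel.
func offer[T any](ch chan<- T, v T) {
	select {
	case ch <- v:
	default:
	}
}

func NewCallbackServer(async bool, timeout time.Duration) (*CallbackServer, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	c := &CallbackServer{
		ln: ln, timeout: timeout, async: async,
		Code: make(chan string, 1), Took: make(chan time.Duration, 1), Stopped: make(chan error, 1),
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", c.handle)
	c.srv = &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	go func() { _ = c.srv.Serve(ln) }() // returns ErrServerClosed once Shutdown runs
	return c, nil
}

// URL is the redirect URI the authorization server would send the browser to.
func (c *CallbackServer) URL() string { return "http://" + c.ln.Addr().String() + "/callback" }

func (c *CallbackServer) handle(w http.ResponseWriter, r *http.Request) {
	start := time.Now()
	defer func() { offer(c.Took, time.Since(start)) }()
	code := r.URL.Query().Get("code")
	if code == "" {
		http.Error(w, "missing code", http.StatusBadRequest)
		return
	}
	offer(c.Code, code)
	fmt.Fprintln(w, "Login complete; you can close this tab.")
	c.once.Do(func() {
		stop := func() {
			// Context and its cancel live in the same function: the cancel scope
			// the PR says satisfies G118. Shutdown waits for active handlers.
			ctx, cancel := context.WithTimeout(context.Background(), c.timeout)
			defer cancel()
			offer(c.Stopped, c.srv.Shutdown(ctx))
		}
		if c.async {
			go stop() // this handler returns first, so Shutdown sees no active handler
		} else {
			stop() // self-deadlock: Shutdown waits for this handler until ctx expires
		}
	})
}

// Result is what one login round trip observed.
type Result struct {
	Code        string
	HandlerTime time.Duration
	ShutdownErr error
}

// Exercise starts a server, plays the browser hitting the redirect URI with a
// constructed code, and reports what the handler and Shutdown did.
func Exercise(async bool, timeout time.Duration, code string) (Result, error) {
	c, err := NewCallbackServer(async, timeout)
	if err != nil {
		return Result{}, err
	}
	resp, err := http.Get(c.URL() + "?code=" + url.QueryEscape(code))
	if err != nil {
		return Result{}, err
	}
	_, _ = io.Copy(io.Discard, resp.Body)
	_ = resp.Body.Close()
	return Result{Code: <-c.Code, HandlerTime: <-c.Took, ShutdownErr: <-c.Stopped}, nil
}

func main() {
	for _, async := range []bool{false, true} {
		r, err := Exercise(async, 300*time.Millisecond, "constructed-code")
		if err != nil {
			panic(err)
		}
		fmt.Printf("async=%-5v handler took %v, Shutdown returned %v\n",
			async, r.HandlerTime.Round(time.Millisecond), r.ShutdownErr)
	}
}
```

Run with `go run .`: the synchronous variant reports a handler that held the connection for the whole grace period and a Shutdown that failed with a deadline error, which is exactly the stall-plus-spurious-warning cubic describes; the goroutine variant returns in microseconds with a nil Shutdown error.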

- G118: suppress false positive on async shutdown goroutine — cancel is
  deferred inside the goroutine; the goroutine is required to avoid
  handler self-deadlock (Shutdown waits for active handlers to return)
- G117: suppress false positives on credential marshaling in the
  credential store (intentional serialization for keyring/file storage)
@jeremy jeremy merged commit f64bda0 into main Mar 7, 2026
20 checks passed
@jeremy jeremy deleted the govulncheck branch March 7, 2026 19:38