From d6aa25c5bff82d97007bb8143ff5e4ab461fb60e Mon Sep 17 00:00:00 2001
From: Snider <snider@host.uk.com>
Date: Sun, 22 Feb 2026 21:00:16 +0000
Subject: [PATCH] refactor: apply go fix modernizers for Go 1.26
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Automated fixes: interface{} → any, range-over-int, t.Context(),
wg.Go(), strings.SplitSeq, strings.Builder, slices.Contains,
maps helpers, min/max builtins.

Co-Authored-By: Virgil <virgil@lethean.io>
---
 auth/auth_test.go          | 12 ++++++------
 auth/session_store_test.go | 15 +++++++--------
 crypt/lthn/lthn.go         |  2 +-
 trust/approval_test.go     |  4 ++--
 trust/audit_test.go        |  6 +++---
 trust/bench_test.go        |  4 ++--
 trust/policy.go            | 37 +++++++++++++++++--------------------
 trust/policy_test.go       |  2 +-
 trust/trust_test.go        | 12 ++++++------
 9 files changed, 45 insertions(+), 49 deletions(-)

diff --git a/auth/auth_test.go b/auth/auth_test.go
index c90ee8b..a1f4235 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -555,7 +555,7 @@ func TestConcurrentSessions_Good(t *testing.T) {
 	sessions := make(chan *Session, n)
 	errs := make(chan error, n)
 
-	for i := 0; i < n; i++ {
+	for range n {
 		go func() {
 			s, err := a.Login(userID, "pass")
 			if err != nil {
@@ -566,7 +566,7 @@ func TestConcurrentSessions_Good(t *testing.T) {
 		}()
 	}
 
-	for i := 0; i < n; i++ {
+	for range n {
 		select {
 		case s := <-sessions:
 			require.NotNil(t, s)
@@ -589,7 +589,7 @@ func TestConcurrentSessionCreation_Good(t *testing.T) {
 	// Register 10 distinct users to avoid contention on a single user record
 	const n = 10
 	userIDs := make([]string, n)
-	for i := 0; i < n; i++ {
+	for i := range n {
 		username := fmt.Sprintf("concurrent-user-%d", i)
 		_, err := a.Register(username, "pass")
 		require.NoError(t, err)
@@ -601,7 +601,7 @@ func TestConcurrentSessionCreation_Good(t *testing.T) {
 	sessions := make([]*Session, n)
 	errs := make([]error, n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			s, err := a.Login(userIDs[idx], "pass")
@@ -612,7 +612,7 @@ func TestConcurrentSessionCreation_Good(t *testing.T) {
 
 	wg.Wait()
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		require.NoError(t, errs[i], "goroutine %d failed", i)
 		require.NotNil(t, sessions[i], "goroutine %d returned nil session", i)
 		// Each session token must be valid
@@ -632,7 +632,7 @@ func TestSessionTokenUniqueness_Good(t *testing.T) {
 	const n = 1000
 	tokens := make(map[string]bool, n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		session, err := a.Login(userID, "pass")
 		require.NoError(t, err)
 		require.NotNil(t, session)
diff --git a/auth/session_store_test.go b/auth/session_store_test.go
index 1276d6f..bfdedc5 100644
--- a/auth/session_store_test.go
+++ b/auth/session_store_test.go
@@ -64,7 +64,7 @@ func TestMemorySessionStore_DeleteByUser_Good(t *testing.T) {
 	store := NewMemorySessionStore()
 
 	// Create sessions for two users
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		err := store.Set(&Session{
 			Token:     fmt.Sprintf("user-a-token-%d", i),
 			UserID:    "user-a",
@@ -85,7 +85,7 @@ func TestMemorySessionStore_DeleteByUser_Good(t *testing.T) {
 	require.NoError(t, err)
 
 	// user-a sessions should be gone
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		_, err := store.Get(fmt.Sprintf("user-a-token-%d", i))
 		assert.ErrorIs(t, err, ErrSessionNotFound)
 	}
@@ -143,7 +143,7 @@ func TestMemorySessionStore_Concurrent_Good(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			token := fmt.Sprintf("concurrent-token-%d", idx)
@@ -220,7 +220,7 @@ func TestSQLiteSessionStore_DeleteByUser_Good(t *testing.T) {
 	defer store.Close()
 
 	// Create sessions for two users
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		err := store.Set(&Session{
 			Token:     fmt.Sprintf("sqlite-user-a-%d", i),
 			UserID:    "user-a",
@@ -241,7 +241,7 @@ func TestSQLiteSessionStore_DeleteByUser_Good(t *testing.T) {
 	require.NoError(t, err)
 
 	// user-a sessions should be gone
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		_, err := store.Get(fmt.Sprintf("sqlite-user-a-%d", i))
 		assert.ErrorIs(t, err, ErrSessionNotFound)
 	}
@@ -336,7 +336,7 @@ func TestSQLiteSessionStore_Concurrent_Good(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			token := fmt.Sprintf("sqlite-concurrent-%d", idx)
@@ -425,8 +425,7 @@ func TestAuthenticator_StartCleanup_Good(t *testing.T) {
 	time.Sleep(5 * time.Millisecond)
 
 	// Start cleanup with a short interval
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx := t.Context()
 
 	a.StartCleanup(ctx, 10*time.Millisecond)
 
diff --git a/crypt/lthn/lthn.go b/crypt/lthn/lthn.go
index a9c04ef..08fe2ed 100644
--- a/crypt/lthn/lthn.go
+++ b/crypt/lthn/lthn.go
@@ -74,7 +74,7 @@ func createSalt(input string) string {
 	}
 	runes := []rune(input)
 	salt := make([]rune, len(runes))
-	for i := 0; i < len(runes); i++ {
+	for i := range runes {
 		char := runes[len(runes)-1-i]
 		if replacement, ok := keyMap[char]; ok {
 			salt[i] = replacement
diff --git a/trust/approval_test.go b/trust/approval_test.go
index 1208d58..fca9f08 100644
--- a/trust/approval_test.go
+++ b/trust/approval_test.go
@@ -214,7 +214,7 @@ func TestApprovalConcurrent_Good(t *testing.T) {
 	var mu sync.Mutex
 
 	// Submit concurrently
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			id, err := q.Submit(
@@ -234,7 +234,7 @@ func TestApprovalConcurrent_Good(t *testing.T) {
 
 	// Approve/deny concurrently
 	wg.Add(n)
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			mu.Lock()
diff --git a/trust/audit_test.go b/trust/audit_test.go
index f345810..c2ed686 100644
--- a/trust/audit_test.go
+++ b/trust/audit_test.go
@@ -89,7 +89,7 @@ func TestAuditEntries_Good_Empty(t *testing.T) {
 func TestAuditEntries_Good_AppendOnly(t *testing.T) {
 	log := NewAuditLog(nil)
 
-	for i := 0; i < 5; i++ {
+	for i := range 5 {
 		log.Record(EvalResult{
 			Agent:    fmt.Sprintf("agent-%d", i),
 			Cap:      CapPushRepo,
@@ -155,7 +155,7 @@ func TestAuditRecord_Good_MultipleLines(t *testing.T) {
 	var buf bytes.Buffer
 	log := NewAuditLog(&buf)
 
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		log.Record(EvalResult{
 			Agent:    fmt.Sprintf("agent-%d", i),
 			Cap:      CapPushRepo,
@@ -240,7 +240,7 @@ func TestAuditConcurrent_Good(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			log.Record(EvalResult{
diff --git a/trust/bench_test.go b/trust/bench_test.go
index 78192c7..53655a0 100644
--- a/trust/bench_test.go
+++ b/trust/bench_test.go
@@ -8,7 +8,7 @@ import (
 // BenchmarkPolicyEvaluate measures policy evaluation across 100 registered agents.
 func BenchmarkPolicyEvaluate(b *testing.B) {
 	r := NewRegistry()
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		tier := TierUntrusted
 		switch i % 3 {
 		case 0:
@@ -41,7 +41,7 @@ func BenchmarkPolicyEvaluate(b *testing.B) {
 // BenchmarkRegistryGet measures agent lookup performance.
 func BenchmarkRegistryGet(b *testing.B) {
 	r := NewRegistry()
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		_ = r.Register(Agent{
 			Name: fmt.Sprintf("agent-%d", i),
 			Tier: TierVerified,
diff --git a/trust/policy.go b/trust/policy.go
index f933487..0b1f1b8 100644
--- a/trust/policy.go
+++ b/trust/policy.go
@@ -2,6 +2,7 @@ package trust
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 )
 
@@ -92,26 +93,22 @@ func (pe *PolicyEngine) Evaluate(agentName string, cap Capability, repo string)
 	}
 
 	// Check explicit denials first.
-	for _, denied := range policy.Denied {
-		if denied == cap {
-			return EvalResult{
-				Decision: Deny,
-				Agent:    agentName,
-				Cap:      cap,
-				Reason:   fmt.Sprintf("capability %s is denied for tier %s", cap, agent.Tier),
-			}
+	if slices.Contains(policy.Denied, cap) {
+		return EvalResult{
+			Decision: Deny,
+			Agent:    agentName,
+			Cap:      cap,
+			Reason:   fmt.Sprintf("capability %s is denied for tier %s", cap, agent.Tier),
 		}
 	}
 
 	// Check if capability requires approval.
-	for _, approval := range policy.RequiresApproval {
-		if approval == cap {
-			return EvalResult{
-				Decision: NeedsApproval,
-				Agent:    agentName,
-				Cap:      cap,
-				Reason:   fmt.Sprintf("capability %s requires approval for tier %s", cap, agent.Tier),
-			}
+	if slices.Contains(policy.RequiresApproval, cap) {
+		return EvalResult{
+			Decision: NeedsApproval,
+			Agent:    agentName,
+			Cap:      cap,
+			Reason:   fmt.Sprintf("capability %s requires approval for tier %s", cap, agent.Tier),
 		}
 	}
 
@@ -182,11 +179,11 @@ func (pe *PolicyEngine) loadDefaults() {
 	pe.policies[TierVerified] = &Policy{
 		Tier: TierVerified,
 		Allowed: []Capability{
-			CapPushRepo,     // scoped to assigned repos
-			CapCreatePR,     // can create, not merge
+			CapPushRepo, // scoped to assigned repos
+			CapCreatePR, // can create, not merge
 			CapCreateIssue,
 			CapCommentIssue,
-			CapReadSecrets,  // scoped to their repos
+			CapReadSecrets, // scoped to their repos
 		},
 		RequiresApproval: []Capability{
 			CapMergePR,
@@ -202,7 +199,7 @@ func (pe *PolicyEngine) loadDefaults() {
 	pe.policies[TierUntrusted] = &Policy{
 		Tier: TierUntrusted,
 		Allowed: []Capability{
-			CapCreatePR,    // fork only, checked at enforcement layer
+			CapCreatePR, // fork only, checked at enforcement layer
 			CapCommentIssue,
 		},
 		Denied: []Capability{
diff --git a/trust/policy_test.go b/trust/policy_test.go
index 546c5c3..2248377 100644
--- a/trust/policy_test.go
+++ b/trust/policy_test.go
@@ -344,7 +344,7 @@ func TestConcurrentEvaluate_Good(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(n)
 
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			agents := []string{"Athena", "Clotho", "BugSETI-001"}
diff --git a/trust/trust_test.go b/trust/trust_test.go
index 4899f4c..3fa1822 100644
--- a/trust/trust_test.go
+++ b/trust/trust_test.go
@@ -177,7 +177,7 @@ func TestConcurrentRegistryOperations_Good(t *testing.T) {
 	wg.Add(n * 3) // register + get + remove goroutines
 
 	// Register goroutines
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			name := fmt.Sprintf("agent-%d", idx)
@@ -187,7 +187,7 @@ func TestConcurrentRegistryOperations_Good(t *testing.T) {
 	}
 
 	// Get goroutines (may return nil if not yet registered)
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			name := fmt.Sprintf("agent-%d", idx)
@@ -196,7 +196,7 @@ func TestConcurrentRegistryOperations_Good(t *testing.T) {
 	}
 
 	// Remove goroutines (may return false if not yet registered or already removed)
-	for i := 0; i < n; i++ {
+	for i := range n {
 		go func(idx int) {
 			defer wg.Done()
 			name := fmt.Sprintf("agent-%d", idx)
@@ -263,7 +263,7 @@ func TestConcurrentListDuringMutations_Good(t *testing.T) {
 	r := NewRegistry()
 
 	// Pre-populate
-	for i := 0; i < 5; i++ {
+	for i := range 5 {
 		require.NoError(t, r.Register(Agent{
 			Name: fmt.Sprintf("base-%d", i),
 			Tier: TierFull,
@@ -274,7 +274,7 @@ func TestConcurrentListDuringMutations_Good(t *testing.T) {
 	wg.Add(20)
 
 	// 10 goroutines listing
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		go func() {
 			defer wg.Done()
 			agents := r.List()
@@ -283,7 +283,7 @@ func TestConcurrentListDuringMutations_Good(t *testing.T) {
 	}
 
 	// 10 goroutines mutating
-	for i := 0; i < 10; i++ {
+	for i := range 10 {
 		go func(idx int) {
 			defer wg.Done()
 			name := fmt.Sprintf("concurrent-%d", idx)