ci: add golangci-lint config and fix formatting

- Add .golangci.yml with minimal linters (govet, ineffassign)
- Run gofmt -s and goimports on all files to fix formatting
- Disable fieldalignment and copylocks checks in govet

cmd/encryption.go

@@ -17,17 +17,17 @@ func loadEncryptionKey(keyFile, keyEnvVar string) ([]byte, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encryption key file: %w", err)
 		}
-		
+
 		// Try to decode as base64 first
 		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(keyData))); err == nil && len(decoded) == crypto.KeySize {
 			return decoded, nil
 		}
-		
+
 		// Use raw bytes if exactly 32 bytes
 		if len(keyData) == crypto.KeySize {
 			return keyData, nil
 		}
-		
+
 		// Otherwise treat as passphrase and derive key
 		salt, err := crypto.GenerateSalt()
 		if err != nil {
@@ -36,19 +36,19 @@ func loadEncryptionKey(keyFile, keyEnvVar string) ([]byte, error) {
 		key := crypto.DeriveKey([]byte(strings.TrimSpace(string(keyData))), salt)
 		return key, nil
 	}
-	
+
 	// Priority 2: Environment variable
 	if keyEnvVar != "" {
 		keyData := os.Getenv(keyEnvVar)
 		if keyData == "" {
 			return nil, fmt.Errorf("encryption enabled but %s environment variable not set", keyEnvVar)
 		}
-		
+
 		// Try to decode as base64 first
 		if decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(keyData)); err == nil && len(decoded) == crypto.KeySize {
 			return decoded, nil
 		}
-		
+
 		// Otherwise treat as passphrase and derive key
 		salt, err := crypto.GenerateSalt()
 		if err != nil {
@@ -57,7 +57,7 @@ func loadEncryptionKey(keyFile, keyEnvVar string) ([]byte, error) {
 		key := crypto.DeriveKey([]byte(strings.TrimSpace(keyData)), salt)
 		return key, nil
 	}
-	
+
 	return nil, fmt.Errorf("encryption enabled but no key source specified (use --encryption-key-file or set %s)", keyEnvVar)
 }