From 71ed1a67970c1f247939d2e597521819889a5b62 Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 10:46:01 -0700
Subject: [PATCH 1/8] enabling depguard and fixing depgaurd errors

---
 .golangci.yml                     |  2 +-
 sdk/plugintest/example_secrets.go | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 6d0a4c173..0940a7914 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,10 +9,10 @@ linters:
     # Extra:
     - asciicheck
     - bidichk
+    - depguard
   disable:
     # Scott L: currently these produce errors that need to be fixed in a seprate PR
     - errcheck
-    - depguard
     - staticcheck
 
   settings:
diff --git a/sdk/plugintest/example_secrets.go b/sdk/plugintest/example_secrets.go
index 315648767..7b2f3256a 100644
--- a/sdk/plugintest/example_secrets.go
+++ b/sdk/plugintest/example_secrets.go
@@ -1,11 +1,11 @@
 package plugintest
 
 import (
+	"crypto/rand"
 	"fmt"
 	"log"
-	"math/rand"
+	"math/big"
 	"strings"
-	"time"
 
 	"github.com/1Password/shell-plugins/sdk/schema"
 )
@@ -18,9 +18,6 @@ const (
 	secretExampleSuffix = "EXAMPLE"
 )
 
-var seededRand = rand.New(
-	rand.NewSource(time.Now().UnixNano()))
-
 func ExampleSecretFromComposition(v schema.ValueComposition) string {
 	prefix := getPrefix(v)
 	suffix := getSuffix(v)
@@ -65,10 +62,14 @@ func stringFromCharset(length int, charset string) (string, error) {
 	if charset == "" {
 		return "", fmt.Errorf("invalid charset provided")
 	}
-
+	max := big.NewInt(int64(len(charset)))
 	b := make([]byte, length)
 	for i := range b {
-		b[i] = charset[seededRand.Intn(len(charset))]
+		n, err := rand.Int(rand.Reader, max)
+		if err != nil {
+			return "", fmt.Errorf("reading random: %w", err)
+		}
+		b[i] = charset[n.Int64()]
 	}
 	return string(b), nil
 }

From 669b16140fd4c654b8f2505a82eb6f011ec19ea3 Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 11:01:09 -0700
Subject: [PATCH 2/8] fixing errcheck errors

---
 sdk/plugintest/validation_report.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sdk/plugintest/validation_report.go b/sdk/plugintest/validation_report.go
index ccb870b8c..74890e0a5 100644
--- a/sdk/plugintest/validation_report.go
+++ b/sdk/plugintest/validation_report.go
@@ -108,19 +108,19 @@ func (p *ValidationReportPrinter) printChecks(checks []schema.ValidationCheck) {
 }
 
 func (p *ValidationReportPrinter) printHeading(heading string) {
-	p.Format.Heading.Printf("# %s\n\n", heading)
+	_, _ = p.Format.Heading.Printf("# %s\n\n", heading)
 }
 
 func (p *ValidationReportPrinter) printCheck(check schema.ValidationCheck) {
 	if check.Assertion {
-		p.Format.Success.Printf("✔ %s\n", check.Description)
+		_, _ = p.Format.Success.Printf("✔ %s\n", check.Description)
 		return
 	}
 
 	if check.Severity == schema.ValidationSeverityWarning {
-		p.Format.Warning.Printf("⚠ %s\n", check.Description)
+		_, _ = p.Format.Warning.Printf("⚠ %s\n", check.Description)
 		return
 	}
 
-	p.Format.Error.Printf("✘ %s\n", check.Description)
+	_, _ = p.Format.Error.Printf("✘ %s\n", check.Description)
 }

From f680b1f02231b901156fcea89041c670d83afe44 Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 11:01:52 -0700
Subject: [PATCH 3/8] re-enabling errcheck linter

---
 .golangci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.golangci.yml b/.golangci.yml
index 0940a7914..fbffc2b15 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,6 +6,7 @@ linters:
     - govet
     - ineffassign
     - unused
+    - errcheck
     # Extra:
     - asciicheck
     - bidichk

From c6efa9499b3a2848ee82ce212d00da873d651c79 Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 12:59:30 -0700
Subject: [PATCH 4/8] adding linting exclusions

---
 plugins/aws/sts_provisioner.go      | 4 ++--
 sdk/plugintest/validation_report.go | 2 +-
 sdk/rpc/server/server.go            | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/plugins/aws/sts_provisioner.go b/plugins/aws/sts_provisioner.go
index b2181ed1a..a3786520d 100644
--- a/plugins/aws/sts_provisioner.go
+++ b/plugins/aws/sts_provisioner.go
@@ -271,7 +271,7 @@ func (p assumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, erro
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials)
+	err = p.stsCacheWriter.Put(credentials) //lint:ignore QF1008 explicit reads more clearly here
 	if err != nil {
 		return aws.Credentials{}, err
 	}
@@ -308,7 +308,7 @@ func (p mfaSessionTokenProvider) Retrieve(ctx context.Context) (aws.Credentials,
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials)
+	err = p.stsCacheWriter.Put(credentials) //lint:ignore QF1008 explicit reads more clearly here
 	if err != nil {
 		return aws.Credentials{}, err
 	}
diff --git a/sdk/plugintest/validation_report.go b/sdk/plugintest/validation_report.go
index 74890e0a5..5ede36c6d 100644
--- a/sdk/plugintest/validation_report.go
+++ b/sdk/plugintest/validation_report.go
@@ -59,7 +59,7 @@ type ValidationReportPrinter struct {
 }
 
 func (p *ValidationReportPrinter) Print() {
-	if p.Reports == nil || len(p.Reports) == 0 {
+	if len(p.Reports) == 0 {
 		color.Cyan("No reports to print")
 		return
 	}
diff --git a/sdk/rpc/server/server.go b/sdk/rpc/server/server.go
index e2794bec1..fc38bc143 100644
--- a/sdk/rpc/server/server.go
+++ b/sdk/rpc/server/server.go
@@ -107,7 +107,7 @@ func (t *RPCServer) ExecutableNeedsAuth(req proto.ExecutableNeedsAuthRequest, re
 	needsAuth, ok := t.needsAuth[req.ExecutableID]
 	if !ok || needsAuth == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.ExecutableID.String(),
+			objName:  req.ExecutableID.String(), //lint:ignore QF1008 explicit reads more clearly here
 			funcName: "NeedsAuth",
 		}
 	}
@@ -134,7 +134,7 @@ func (t *RPCServer) CredentialImport(req proto.ImportCredentialRequest, resp *sd
 	importer, ok := t.importers[req.CredentialID]
 	if !ok || importer == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.CredentialID.String(),
+			objName:  req.CredentialID.String(), //lint:ignore QF1008 explicit reads more clearly here
 			funcName: "Importer",
 		}
 	}

From d8588f858a7d31f97b3202d283ea10f4713506ce Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 15:44:13 -0700
Subject: [PATCH 5/8] fixing final linting errors. Enabling all linters

---
 .golangci.yml             | 5 +----
 plugins/readme/api_key.go | 2 +-
 sdk/schema/executable.go  | 2 +-
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index fbffc2b15..a1b6dd411 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,17 +3,14 @@ linters:
   default: none
   enable:
     # Defaults:
+    - errcheck
     - govet
     - ineffassign
     - unused
-    - errcheck
     # Extra:
     - asciicheck
     - bidichk
     - depguard
-  disable:
-    # Scott L: currently these produce errors that need to be fixed in a seprate PR
-    - errcheck
     - staticcheck
 
   settings:
diff --git a/plugins/readme/api_key.go b/plugins/readme/api_key.go
index 868e28d10..99df653b2 100644
--- a/plugins/readme/api_key.go
+++ b/plugins/readme/api_key.go
@@ -66,7 +66,7 @@ func TryReadMeConfigFile() sdk.Importer {
 			return
 		}
 
-		var website string = "https://dash.readme.com/go/" + config.Subdomain
+		var website = "https://dash.readme.com/go/" + config.Subdomain
 
 		out.AddCandidate(sdk.ImportCandidate{
 			NameHint: config.Subdomain,
diff --git a/sdk/schema/executable.go b/sdk/schema/executable.go
index eaf0964ab..2f3858289 100644
--- a/sdk/schema/executable.go
+++ b/sdk/schema/executable.go
@@ -130,7 +130,7 @@ func (c CredentialUsage) Validate() (bool, ValidationReport) {
 
 	report.AddCheck(ValidationCheck{
 		Description: "Credential usage has either a credential reference or selection defined, but not both",
-		Assertion:   (c.SelectFrom != nil || c.Name != "") && !(c.SelectFrom != nil && c.Name != ""),
+		Assertion:   (c.SelectFrom != nil || c.Name != "") && (c.SelectFrom == nil || c.Name == ""),
 		Severity:    ValidationSeverityError,
 	})
 	return report.IsValid(), report

From b4bc0281481b53ce3eb8b6a1c34d4d84f134666c Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 15:46:06 -0700
Subject: [PATCH 6/8] relocating linter exception line

---
 sdk/rpc/server/server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sdk/rpc/server/server.go b/sdk/rpc/server/server.go
index fc38bc143..806182351 100644
--- a/sdk/rpc/server/server.go
+++ b/sdk/rpc/server/server.go
@@ -134,7 +134,8 @@ func (t *RPCServer) CredentialImport(req proto.ImportCredentialRequest, resp *sd
 	importer, ok := t.importers[req.CredentialID]
 	if !ok || importer == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.CredentialID.String(), //lint:ignore QF1008 explicit reads more clearly here
+			//lint:ignore QF1008 explicit reads more clearly here
+			objName:  req.CredentialID.String(),
 			funcName: "Importer",
 		}
 	}

From 188036cb6851fd215db4490efe52a1e88c75c09d Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Wed, 13 May 2026 15:53:44 -0700
Subject: [PATCH 7/8] fixing linter exclusion syntax

---
 plugins/aws/sts_provisioner.go | 4 ++--
 sdk/rpc/server/server.go       | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/plugins/aws/sts_provisioner.go b/plugins/aws/sts_provisioner.go
index a3786520d..087b22cae 100644
--- a/plugins/aws/sts_provisioner.go
+++ b/plugins/aws/sts_provisioner.go
@@ -271,7 +271,7 @@ func (p assumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, erro
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials) //lint:ignore QF1008 explicit reads more clearly here
+	err = p.stsCacheWriter.Put(credentials) //nolint:staticcheck // QF1008 explicit reads more clearly here
 	if err != nil {
 		return aws.Credentials{}, err
 	}
@@ -308,7 +308,7 @@ func (p mfaSessionTokenProvider) Retrieve(ctx context.Context) (aws.Credentials,
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials) //lint:ignore QF1008 explicit reads more clearly here
+	err = p.stsCacheWriter.Put(credentials) //nolint:staticcheck //QF1008 explicit reads more clearly here
 	if err != nil {
 		return aws.Credentials{}, err
 	}
diff --git a/sdk/rpc/server/server.go b/sdk/rpc/server/server.go
index 806182351..c1fd4cc5c 100644
--- a/sdk/rpc/server/server.go
+++ b/sdk/rpc/server/server.go
@@ -107,7 +107,7 @@ func (t *RPCServer) ExecutableNeedsAuth(req proto.ExecutableNeedsAuthRequest, re
 	needsAuth, ok := t.needsAuth[req.ExecutableID]
 	if !ok || needsAuth == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.ExecutableID.String(), //lint:ignore QF1008 explicit reads more clearly here
+			objName:  req.ExecutableID.String(), //nolint:staticcheck //QF1008 explicit reads more clearly here
 			funcName: "NeedsAuth",
 		}
 	}
@@ -134,8 +134,7 @@ func (t *RPCServer) CredentialImport(req proto.ImportCredentialRequest, resp *sd
 	importer, ok := t.importers[req.CredentialID]
 	if !ok || importer == nil {
 		return &errFunctionFieldNotSet{
-			//lint:ignore QF1008 explicit reads more clearly here
-			objName:  req.CredentialID.String(),
+			objName:  req.CredentialID.String(), //nolint:staticcheck //QF1008 explicit reads more clearly here
 			funcName: "Importer",
 		}
 	}

From 1391bd9e9680112d273e8d0a726121d1f778f278 Mon Sep 17 00:00:00 2001
From: Scott Lougheed <scott.lougheed@agilebits.com>
Date: Thu, 14 May 2026 15:42:24 -0700
Subject: [PATCH 8/8] removing lint exceptions and correcting embedded field
 violation

---
 plugins/aws/sts_provisioner.go | 4 ++--
 sdk/rpc/server/server.go       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/aws/sts_provisioner.go b/plugins/aws/sts_provisioner.go
index 087b22cae..12f9da0a9 100644
--- a/plugins/aws/sts_provisioner.go
+++ b/plugins/aws/sts_provisioner.go
@@ -271,7 +271,7 @@ func (p assumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, erro
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials) //nolint:staticcheck // QF1008 explicit reads more clearly here
+	err = p.Put(credentials)
 	if err != nil {
 		return aws.Credentials{}, err
 	}
@@ -308,7 +308,7 @@ func (p mfaSessionTokenProvider) Retrieve(ctx context.Context) (aws.Credentials,
 		return aws.Credentials{}, err
 	}
 
-	err = p.stsCacheWriter.Put(credentials) //nolint:staticcheck //QF1008 explicit reads more clearly here
+	err = p.Put(credentials)
 	if err != nil {
 		return aws.Credentials{}, err
 	}
diff --git a/sdk/rpc/server/server.go b/sdk/rpc/server/server.go
index c1fd4cc5c..de24ac027 100644
--- a/sdk/rpc/server/server.go
+++ b/sdk/rpc/server/server.go
@@ -107,7 +107,7 @@ func (t *RPCServer) ExecutableNeedsAuth(req proto.ExecutableNeedsAuthRequest, re
 	needsAuth, ok := t.needsAuth[req.ExecutableID]
 	if !ok || needsAuth == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.ExecutableID.String(), //nolint:staticcheck //QF1008 explicit reads more clearly here
+			objName:  req.String(),
 			funcName: "NeedsAuth",
 		}
 	}
@@ -134,7 +134,7 @@ func (t *RPCServer) CredentialImport(req proto.ImportCredentialRequest, resp *sd
 	importer, ok := t.importers[req.CredentialID]
 	if !ok || importer == nil {
 		return &errFunctionFieldNotSet{
-			objName:  req.CredentialID.String(), //nolint:staticcheck //QF1008 explicit reads more clearly here
+			objName:  req.String(),
 			funcName: "Importer",
 		}
 	}