fix(lint): resolve gosec G118/G703/G122 and yamllint indentation

- validators/context.go: suppress G118 false positive (cancel returned to caller)
- pkg/bundler/checksum: clean path before os.Open for G703
- pkg/bundler/handler.go: clean path before os.Open for G122
- tests/uat/aws/config.yaml: fix indentation (10 not 12)

Author: mchmarny

pkg/bundler/checksum/checksum.go

@@ -169,7 +169,7 @@ func CountEntries(bundleDir string) int {
 // SHA256Raw computes a file's SHA256 digest using streaming I/O and returns
 // the raw bytes. Does not load the entire file into memory.
 func SHA256Raw(path string) ([]byte, error) {
-	f, err := os.Open(path)
+	f, err := os.Open(filepath.Clean(path)) //nolint:gosec // G703: path from internal callers only
 	if err != nil {
 		return nil, errors.Wrap(errors.ErrCodeInternal,
 			fmt.Sprintf("failed to open file for digest: %s", path), err)

pkg/bundler/handler.go

@@ -235,7 +235,7 @@ func streamZipResponse(w http.ResponseWriter, dir string, output *result.Output)
 		}
 
 		// Open and copy file content
-		file, err := os.Open(path)
+		file, err := os.Open(filepath.Clean(path)) //nolint:gosec // G122: path from internal os.MkdirTemp, not user input
 		if err != nil {
 			return aicrerrors.Wrap(aicrerrors.ErrCodeInternal, "failed to open file", err)
 		}

validators/context.go

@@ -116,8 +116,9 @@ func LoadContext() (*Context, error) {
 }
 
 // Timeout returns a child context with the specified timeout.
+// The caller is responsible for calling the returned CancelFunc.
 func (c *Context) Timeout(d time.Duration) (context.Context, context.CancelFunc) {
-	return context.WithTimeout(c.Ctx, d)
+	return context.WithTimeout(c.Ctx, d) //nolint:gosec // G118: cancel is returned to caller
 }
 
 func resolveNamespace() string {