
fix: Bump Go 1.26.1 to 1.26.2 for 6 stdlib CVEs #2170

Merged
bjcoombs merged 8 commits into develop from fix-go-security-bump
Apr 8, 2026

Conversation

@bjcoombs
Collaborator

@bjcoombs bjcoombs commented Apr 8, 2026

Summary

  • Bump Go from 1.26.1 to 1.26.2 across go.mod, 3 Dockerfiles, and 16 CI workflow files
  • Resolves 6 stdlib vulnerabilities that were failing the Go Vulnerability Check in CI:
    • GO-2026-4865: html/template injection
    • GO-2026-4866: crypto/x509 chain building
    • GO-2026-4869: archive/tar path traversal
    • GO-2026-4870: crypto/tls handshake issue
    • GO-2026-4946: crypto/x509 policy validation
    • GO-2026-4947: crypto/x509 unexpected work during chain building

Verified locally: govulncheck ./... now reports only the 3 pre-existing allowlisted vulns (Dex, Docker/Moby).

Test plan

  • CI passes (Go Vulnerability Check should now be green)
  • Build compiles with go1.26.2
  • All test shards pass

…ities

Fixes GO-2026-4865 (html/template), GO-2026-4866 (crypto/x509),
GO-2026-4869 (archive/tar), GO-2026-4870 (crypto/tls),
GO-2026-4946 (crypto/x509), GO-2026-4947 (crypto/x509).

Updates go.mod, all Dockerfiles, and all CI workflow files.
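The bump has to land in three kinds of file (the go.mod directive, the golang builder image tag in every Dockerfile, and the go-version input of actions/setup-go in every workflow), and the first review round below found 16 service Dockerfiles still on 1.26.1. The following check is an added example, not the project's own CI: it scans file contents for those three pin forms and reports any whose version differs from the expected one. The sample file contents are constructed; a real run would fill the map by walking the checkout with filepath.WalkDir and os.ReadFile.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// pinPatterns cover the places a Go toolchain bump must touch: the go.mod
// go/toolchain directives, golang builder image tags in Dockerfiles, and the
// go-version input of actions/setup-go in workflows. Group 1 is the version.
var pinPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`),
	regexp.MustCompile(`(?m)^toolchain\s+go(\d+\.\d+\.\d+)\s*$`),
	regexp.MustCompile(`golang:(\d+\.\d+\.\d+)-[a-z0-9]+`),
	regexp.MustCompile(`go-version:\s*['"]?(\d+\.\d+\.\d+)['"]?`),
}

// StalePin is one version pin that does not match the expected version.
type StalePin struct {
	File    string
	Version string
}

// FindStalePins reports every pin in files (path -> content) whose version
// differs from want, sorted by path so the output is stable.
func FindStalePins(files map[string]string, want string) []StalePin {
	var stale []StalePin
	for path, content := range files {
		for _, re := range pinPatterns {
			for _, m := range re.FindAllStringSubmatch(content, -1) {
				if m[1] != want {
					stale = append(stale, StalePin{File: path, Version: m[1]})
				}
			}
		}
	}
	sort.Slice(stale, func(i, j int) bool {
		if stale[i].File != stale[j].File {
			return stale[i].File < stale[j].File
		}
		return stale[i].Version < stale[j].Version
	})
	return stale
}

// sampleFiles is constructed input standing in for a repo tree: two pins are
// deliberately left on 1.26.1 to show what a missed file looks like.
var sampleFiles = map[string]string{
	"go.mod":                         "module example.com/meridian\n\ngo 1.26.2\n",
	"Dockerfile":                     "FROM golang:1.26.2-bookworm AS builder\n",
	"services/ledger/cmd/Dockerfile": "FROM golang:1.26.1-bookworm AS builder\n",
	".github/workflows/test.yml":     "      - uses: actions/setup-go@v6\n        with:\n          go-version: '1.26.2'\n",
	".github/workflows/nightly.yml":  "      - uses: actions/setup-go@v6\n        with:\n          go-version: 1.26.1\n",
}

func main() {
	stale := FindStalePins(sampleFiles, "1.26.2")
	if len(stale) == 0 {
		fmt.Println("all Go version pins match 1.26.2")
		return
	}
	for _, s := range stale {
		fmt.Printf("stale pin: %s pins %s\n", s.File, s.Version)
	}
}
```

Running this as a CI step (exit non-zero when the slice is non-empty) catches the Dockerfile-in-a-subdirectory case that a manual grep for the old version misses when someone only searches the top level; the toolchain pattern is there because a go.mod with a toolchain line can silently build with a different version than the go directive states.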
@coderabbitai
Contributor

coderabbitai Bot commented Apr 8, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Bump Go toolchain from 1.26.1 → 1.26.2 across CI workflows, Docker builder images, go.mod, and docs; plus localized code changes: API gateway reverse-proxy rewrite, several string-builder fmt.Fprintf refactors, a golangci-lint test exclusion (noctx), and a small test nolint addition.

Changes

Cohort / File(s) | Summary

GitHub Actions workflows (many jobs)
  .github/workflows/asyncapi.yml, .github/workflows/benchmarks.yml, .github/workflows/build.yml, .github/workflows/claude.yml, .github/workflows/codeql.yml, .github/workflows/control-plane-ci.yml, .github/workflows/deploy-demo.yml, .github/workflows/deploy-develop.yml, .github/workflows/e2e.yml, .github/workflows/migrations.yml, .github/workflows/nightly.yml, .github/workflows/quality.yml, .github/workflows/saga-validation.yml, .github/workflows/schema-validation.yml, .github/workflows/security.yml, .github/workflows/test.yml
  Updated actions/setup-go@v6 go-version values from 1.26.1 → 1.26.2; quality.yml also bumps the golangci-lint-action version and claude.yml updates prompt text referencing the Go version.

Repository & service Dockerfiles
  Dockerfile, Dockerfile.dev, cmd/meridian/Dockerfile, services/*/cmd/Dockerfile
  Bumped builder base image tags golang:1.26.1-bookworm → golang:1.26.2-bookworm across repo and service Dockerfiles.

Module directive & docs
  go.mod, docs/guides/new-bian-service-checklist.md, docs/skills/docker.md
  Updated go directive to 1.26.2 and documentation references for the Docker builder image version.

API gateway proxy behavior
  services/api-gateway/proxy.go
  Replaced proxy.Director usage with proxy.Rewrite; request URL and X-Forwarded handling moved to Rewrite; header stripping and identity injection now operate on the outgoing request (r.Out.Header).

Formatting/refactor: string builders
  services/control-plane/internal/generator/handler_reference.go, services/control-plane/internal/generator/llm_client.go, services/control-plane/internal/generator/topic_list.go
  Replaced sb.WriteString(fmt.Sprintf(...)) / b.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...); topic bullet punctuation adjusted from em dash to hyphen.

Linter/test adjustments
  .golangci.yml, services/api-gateway/transcoding_bench_test.go, services/position-keeping/domain/transaction_lineage_test.go
  Added noctx to test-file linter exclusions; removed an inline //nolint:noctx comment in a benchmark test; added //nolint:prealloc to a test slice initialization.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client
participant Gateway as API Gateway
participant Backend as Backend Service
rect rgba(200,200,255,0.5)
Client->>Gateway: HTTP request
Gateway->>Gateway: Rewrite: r.SetURL(target)\nr.SetXForwarded()\n(optional) preserve X-Forwarded-Host
Gateway->>Gateway: Strip spoofable identity headers
Gateway->>Gateway: addIdentityHeaders to r.Out.Header
Gateway->>Backend: Forward modified request (r.Out)
Backend-->>Client: Response (via Gateway)
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically summarizes the main change: bumping Go from 1.26.1 to 1.26.2 to fix 6 stdlib CVEs, which is the primary purpose of the PR.
Description check | ✅ Passed | The description is directly related to the changeset, providing context about the Go version bump, the CVEs being fixed, and verification details.
Docstring Coverage | ✅ Passed | Docstring coverage is 83.33%, which is sufficient. The required threshold is 80.00%.


@claude

claude Bot commented Apr 8, 2026

Claude Code Review

Commit: 8e70444 | CI: running (8 passed, remainder pending)

Summary

Clean security bump from Go 1.26.1 to 1.26.2, resolving 6 stdlib CVEs (html/template injection, crypto/x509 chain building, archive/tar path traversal, crypto/tls handshake, 2x crypto/x509 policy validation). Also bumps golangci-lint v2.9.0 to v2.11.4 and fixes lint issues surfaced by the upgrade.

Version updates are comprehensive: go.mod, 19 Dockerfiles, 16 CI workflows, 2 docs. No stale 1.26.1 references remain.

The most significant non-mechanical change is proxy.go migrating from the deprecated Director callback to the Rewrite model. The final implementation (commit 8e70444) is clean: constructs &httputil.ReverseProxy{Rewrite: ...} directly, avoiding the Director/Rewrite mutual exclusivity issue entirely. Host header preservation and X-Forwarded-Host handling are correct.

Existing test coverage (proxy_test.go, proxy_integration_test.go) covers the refactored proxy behavior. All other changes are mechanical (version bumps, WriteString(fmt.Sprintf(...)) to fmt.Fprintf(...), nolint directive updates).

Risk Assessment

Area | Level | Detail
Blast radius | Low | Patch bump + lint fixes; no domain logic changes
Rollback | Safe | Revert to 1.26.1 if any build issues
Scale | Low | No performance-sensitive changes
Cross-system | Low | All services bumped consistently
Migration | N/A | No database migrations

Findings

No open findings.

Bot Review Notes

  • CodeRabbit on proxy.go (Director/Rewrite mutual exclusivity): Fully resolved. Commit 8e70444 creates ReverseProxy directly with only Rewrite, no Director exists.
  • CodeRabbit on proxy.go (Host header preservation): Resolved. r.Out.Host = r.In.Host correctly restores inbound Host after SetURL.
  • CodeRabbit on topic_list.go (em dash to hyphen): Fixed in commit bbe6125.

Previously Flagged

Severity | Location | Description | Status
Critical | Dockerfile:6 | Service Dockerfiles not updated to 1.26.2 | Resolved in 246c0b5
Improvement | proxy.go:74 | SetXForwarded() overwrites incoming X-Forwarded-Host | Resolved in 8e70444 (capture/restore pattern)
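The review above describes the shape the final proxy.go took: a ReverseProxy built as a struct literal with only Rewrite set (so no Director exists to conflict with), the inbound Host restored after SetURL, an existing X-Forwarded-Host captured before SetXForwarded overwrites it, and identity headers stripped from and injected into r.Out. The block below is an added example that reproduces that pattern end to end with an in-process backend; it is not the project's proxy.go. The header names X-User-ID and X-User-Roles, the identityOf authenticator, the bearer token and the sample request are all assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Identity headers the backend trusts; a client must never be able to set
// them. Assumed names: the real gateway's header set is not on this page.
var spoofableIdentityHeaders = []string{"X-User-ID", "X-User-Roles"}

// newGatewayProxy builds the proxy with only Rewrite set, so there is no
// Director to conflict with. identityOf is a hypothetical authenticator
// returning the user the gateway itself verified from the inbound request.
func newGatewayProxy(target *url.URL, identityOf func(*http.Request) (string, bool)) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(r *httputil.ProxyRequest) {
			// ReverseProxy deletes X-Forwarded-* from r.Out before calling
			// Rewrite, so an edge-supplied value survives only on r.In.
			inboundHost := r.In.Host
			upstreamFwdHost := r.In.Header.Get("X-Forwarded-Host")

			r.SetURL(target)  // routes r.Out to target and clears r.Out.Host
			r.SetXForwarded() // sets X-Forwarded-For/Host/Proto from r.In

			// Parity with NewSingleHostReverseProxy: the backend sees the
			// authority the client used, not the target's host:port.
			r.Out.Host = inboundHost
			// SetXForwarded wrote X-Forwarded-Host = r.In.Host; put back the
			// value a trusted edge in front of the gateway already set.
			if upstreamFwdHost != "" {
				r.Out.Header.Set("X-Forwarded-Host", upstreamFwdHost)
			}

			// Drop whatever identity the client claimed, then inject what the
			// gateway authenticated. Both must act on r.Out, not r.In.
			for _, h := range spoofableIdentityHeaders {
				r.Out.Header.Del(h)
			}
			if uid, ok := identityOf(r.In); ok {
				r.Out.Header.Set("X-User-ID", uid)
			}
		},
	}
}

// backendSeen is what the backend observed for one proxied request.
type backendSeen struct {
	Host, UserID, ForwardedHost, ForwardedProto string
}

// demoProxy runs an in-process backend and gateway, sends one constructed
// request that tries to spoof X-User-ID, and returns what the backend saw.
func demoProxy() (backendSeen, error) {
	var seen backendSeen
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		seen = backendSeen{
			Host:           req.Host,
			UserID:         req.Header.Get("X-User-ID"),
			ForwardedHost:  req.Header.Get("X-Forwarded-Host"),
			ForwardedProto: req.Header.Get("X-Forwarded-Proto"),
		}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return seen, err
	}
	// Hypothetical authenticator: accepts exactly one constructed bearer token.
	identityOf := func(r *http.Request) (string, bool) {
		if r.Header.Get("Authorization") == "Bearer demo-token" {
			return "user-42", true
		}
		return "", false
	}
	gateway := httptest.NewServer(newGatewayProxy(target, identityOf))
	defer gateway.Close()

	req, err := http.NewRequest(http.MethodGet, gateway.URL+"/accounts", nil)
	if err != nil {
		return seen, err
	}
	req.Host = "api.example.internal" // constructed: the authority the client asked for
	req.Header.Set("Authorization", "Bearer demo-token")
	req.Header.Set("X-User-ID", "admin")                   // spoof attempt; must not reach the backend
	req.Header.Set("X-Forwarded-Host", "edge.example.com") // as a trusted edge would set it; must survive
	resp, err := gateway.Client().Do(req)
	if err != nil {
		return seen, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return seen, nil
}

func main() {
	seen, err := demoProxy()
	if err != nil {
		panic(err)
	}
	fmt.Printf("backend saw: %+v\n", seen)
}
```

Two points worth checking in any real deployment of this pattern. First, restoring an inbound X-Forwarded-Host is only safe if the gateway is reachable exclusively through the edge that sets it; if clients can hit the gateway directly, they choose the value backends may use for redirects and link generation, so the preservation should be conditioned on the peer address or the header dropped. Second, the strip-then-inject order matters and must be on r.Out: with the old Director model the same logic could run on the request object that both hooks shared, but with Rewrite a change to r.In never reaches the backend.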

claude[bot]
claude Bot previously requested changes Apr 8, 2026

@claude claude Bot left a comment


16 service Dockerfiles missed. See summary comment for full list.

Comment thread Dockerfile
@bjcoombs bjcoombs dismissed claude[bot]’s stale review April 8, 2026 12:15

Addressed - all 16 service Dockerfiles updated to Go 1.26.2


@claude claude Bot left a comment


Comprehensive and correct Go 1.26.2 bump. All 38 version-pinned files updated, no stale references remain. See summary comment for details.

Aligns CI with Go 1.26.2 contextcheck behavior. v2.9.0 had stale
contextcheck heuristics that flagged existing nolint directives as
unused, while v2.11.4 correctly identifies them as necessary.

@claude claude Bot left a comment


Clean patch-version bump. Go 1.26.1 to 1.26.2 resolving 6 stdlib CVEs, plus golangci-lint v2.9.0 to v2.11.4. All version-pinning locations updated comprehensively (go.mod, 19 Dockerfiles, 16 CI workflows, 2 docs). No code changes, safe to rollback. See summary comment for full details.

bjcoombs added 2 commits April 8, 2026 13:46
- Migrate proxy.Director to proxy.Rewrite (deprecated since Go 1.26)
- Use fmt.Fprintf instead of WriteString(fmt.Sprintf(...))
- Exclude noctx linter for test files (httptest.NewRequest creates a
  valid context; requiring WithContext in tests is noise)
- Remove now-unused nolint:noctx directive in bench test
- Add nolint:prealloc for defensive-copy test
Accidentally replaced the em dash with a hyphen during the
fmt.Fprintf refactor, breaking TestBuildTopicList_TopicsHaveDescriptions.
coderabbitai[bot]
coderabbitai Bot previously requested changes Apr 8, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/api-gateway/proxy.go`:
- Around line 68-71: The proxy returned by httputil.NewSingleHostReverseProxy
(created as proxy) still has its default Director set, causing a runtime
conflict when you assign proxy.Rewrite; clear the Director field before setting
Rewrite to satisfy ReverseProxy's mutual exclusivity. Locate where proxy is
created with NewSingleHostReverseProxy and set proxy.Director = nil (or
remove/reset it) prior to assigning proxy.Rewrite in the same scope so only
Rewrite is populated.
- Around line 72-73: The rewrite currently calls r.SetURL(target) which changes
the outbound Host header and breaks parity with NewSingleHostReverseProxy; fix
by preserving the original inbound Host: capture the incoming host before
calling r.SetURL (e.g., originalHost := r.Host or r.Header.Get("Host")), call
r.SetURL(target) and r.SetXForwarded() as before, then explicitly restore the
request Host for the outbound request by setting r.Host = originalHost (and if
needed r.Header.Set("Host", originalHost)) so backends see the original
authority while still setting X-Forwarded-Host.

In `@services/control-plane/internal/generator/topic_list.go`:
- Line 41: The test TestBuildTopicList_TopicsHaveDescriptions expects an em dash
separator but the implementation uses a hyphen; update the formatting in
topic_list.go where fmt.Fprintf(&sb, "- `%s` - %s\n", topic, desc) is used to
restore the em dash (use " — " between the topic and description) so the
generated line matches the test expectation, or alternatively update the test
assertion to look for " - " if you intentionally want a hyphen (referenced
symbols: fmt.Fprintf call in topic_list.go and
TestBuildTopicList_TopicsHaveDescriptions).

📥 Commits

Reviewing files that changed from the base of the PR and between df169a3 and b399dff.

📒 Files selected for processing (7)
  • .golangci.yml
  • services/api-gateway/proxy.go
  • services/api-gateway/transcoding_bench_test.go
  • services/control-plane/internal/generator/handler_reference.go
  • services/control-plane/internal/generator/llm_client.go
  • services/control-plane/internal/generator/topic_list.go
  • services/position-keeping/domain/transaction_lineage_test.go
✅ Files skipped from review due to trivial changes (4)
  • services/api-gateway/transcoding_bench_test.go
  • services/control-plane/internal/generator/handler_reference.go
  • services/position-keeping/domain/transaction_lineage_test.go
  • services/control-plane/internal/generator/llm_client.go

Comment thread services/api-gateway/proxy.go Outdated
Comment thread services/api-gateway/proxy.go
Comment thread services/control-plane/internal/generator/topic_list.go Outdated
- Use fmt.Fprintf in saga validation report (4 instances)
- Preserve Host header in proxy.Rewrite (SetURL overwrites it)
@bjcoombs bjcoombs dismissed coderabbitai[bot]’s stale review April 8, 2026 13:00

Addressed - Host header preserved, em dash restored, lint fixes applied


@claude claude Bot left a comment


See summary comment for full review. 1 inline finding.

Comment thread services/api-gateway/proxy.go
…Director

Replace NewSingleHostReverseProxy + Director=nil with a direct
ReverseProxy struct literal using only the Rewrite field. This avoids
both the deprecated Director API and the mutual exclusivity error.
Preserves existing X-Forwarded-Host from incoming requests.

@claude claude Bot left a comment


Comprehensive and correct Go 1.26.2 security bump. All 46 version-pinned files updated, no stale references. The proxy.go Director-to-Rewrite migration is behaviorally equivalent with correct Host and X-Forwarded-Host handling. All previous review findings resolved. See summary comment for full details.

@codecov

codecov Bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@bjcoombs bjcoombs merged commit 5b3fed2 into develop Apr 8, 2026
48 checks passed
@bjcoombs bjcoombs deleted the fix-go-security-bump branch April 8, 2026 14:12