meridianhub · bjcoombs · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/.github/workflows/asyncapi.yml b/.github/workflows/asyncapi.yml
@@ -40,7 +40,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up Node.js

diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -53,7 +53,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -50,8 +50,8 @@ jobs:
             IMPORTANT: Today's date is ${{ steps.date.outputs.current_date }}.
 
             Key project facts:
-            - This project uses Go 1.26.1 (latest stable release)
-            - Go 1.26.1 is a valid version - do not question or flag it
+            - This project uses Go 1.26.2 (latest stable release)
+            - Go 1.26.2 is a valid version - do not question or flag it
             - Architecture: BIAN-compliant microservices
             - Stack: Go, Protocol Buffers, gRPC, Kubernetes
             - Security: All security scans must remain BLOCKING (never suggest making them non-blocking)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -68,7 +68,7 @@ jobs:
       if: matrix.language == 'go'
       uses: actions/setup-go@v6
       with:
-        go-version: '1.26.1'
+        go-version: '1.26.2'
         cache: true
 
     # Set up buf for protobuf generation (pinned version for reproducibility)

diff --git a/.github/workflows/control-plane-ci.yml b/.github/workflows/control-plane-ci.yml
@@ -43,7 +43,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -80,7 +80,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -117,7 +117,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -163,7 +163,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -207,7 +207,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
@@ -42,7 +42,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/deploy-develop.yml b/.github/workflows/deploy-develop.yml
@@ -42,7 +42,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -38,7 +38,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
@@ -36,7 +36,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Install Atlas CLI
@@ -82,7 +82,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Install Atlas CLI

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -101,7 +101,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
-        go-version: '1.26.1'
+        go-version: '1.26.2'
         cache: true
 
     - name: Set up buf

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -68,7 +68,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -83,7 +83,7 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.9.0
+          version: v2.11.4
           args: --timeout=5m --config=.golangci.yml
 
   proto-freshness:
@@ -98,7 +98,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/saga-validation.yml b/.github/workflows/saga-validation.yml
@@ -44,7 +44,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.github/workflows/schema-validation.yml b/.github/workflows/schema-validation.yml
@@ -33,7 +33,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Install protoc

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -30,7 +30,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
-        go-version: '1.26.1'
+        go-version: '1.26.2'
         cache: true
 
     - name: Set up buf
@@ -85,7 +85,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
-        go-version: '1.26.1'
+        go-version: '1.26.2'
         cache: true
 
     - name: Set up buf

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -51,7 +51,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf
@@ -131,7 +131,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.26.1'
+          go-version: '1.26.2'
           cache: true
 
       - name: Set up buf

diff --git a/.golangci.yml b/.golangci.yml
@@ -88,6 +88,7 @@ linters:
           - err113           # Tests need dynamic errors to test error pattern matching
           - funlen           # Tests can be verbose with setup/assertions
           - cyclop           # Tests can have complex control flow
+          - noctx            # httptest.NewRequest creates a valid context; requiring WithContext in tests is noise
 
       # Allow context-as-argument after *testing.T in test helper functions
       - path: _test\.go

diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@
 # Uses distroless base image (~2MB) enabled by pure-Go franz-go Kafka client
 
 # Build stage
-FROM golang:1.26.1-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -1,7 +1,7 @@
 # audit-worker - Development Dockerfile for Tilt Live Update
 # Uses Debian bookworm for CGO support (required by confluent-kafka-go/librdkafka)
 
-FROM golang:1.26.1-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 # Install build dependencies for CGO (librdkafka)
 RUN apt-get update && apt-get install -y --no-install-recommends \

diff --git a/cmd/meridian/Dockerfile b/cmd/meridian/Dockerfile
@@ -3,7 +3,7 @@
 # Uses distroless base image (~2MB) enabled by CGO_ENABLED=0 static binary
 
 # Build stage
-FROM golang:1.26.1-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \

diff --git a/docs/guides/new-bian-service-checklist.md b/docs/guides/new-bian-service-checklist.md
@@ -604,7 +604,7 @@ Create a multi-stage Docker build.
 
 ```dockerfile
 # Stage 1: Build
-FROM golang:1.26.0-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 ARG VERSION=dev
 ARG COMMIT=unknown

diff --git a/docs/skills/docker.md b/docs/skills/docker.md
@@ -21,7 +21,7 @@ This document describes the Docker setup for Meridian, optimized for production
 
 Meridian uses a multi-stage Docker build to create minimal, secure production images:
 
-- **Build stage**: golang:1.26.0-bookworm for compiling static binaries
+- **Build stage**: golang:1.26.2-bookworm for compiling static binaries
 - **Runtime stage**: gcr.io/distroless/static:nonroot for minimal attack surface
 - **Image size**: ~3-5MB (binary: 1.4MB + distroless base: ~2MB)
 - **Security**: Non-root user, no shell, minimal dependencies
@@ -64,7 +64,7 @@ docker build \
 ### Multi-Stage Build
 
 1. **Builder Stage**
-   - Base: `golang:1.26.0-bookworm`
+   - Base: `golang:1.26.2-bookworm`
    - Installs: git, ca-certificates, tzdata
    - Compiles: Static binary with CGO disabled
    - Optimizations: `-ldflags="-w -s"` for stripped, reduced size

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/meridianhub/meridian
 
-go 1.26.1
+go 1.26.2
 
 require (
 	ariga.io/atlas-provider-gorm v0.6.0

diff --git a/services/api-gateway/cmd/Dockerfile b/services/api-gateway/cmd/Dockerfile
@@ -3,7 +3,7 @@
 # Uses distroless base image (~2MB) enabled by pure-Go franz-go Kafka client
 
 # Build stage
-FROM golang:1.26.1-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \

diff --git a/services/api-gateway/proxy.go b/services/api-gateway/proxy.go
@@ -65,29 +65,29 @@ func NewProxyHandler(backends []BackendRoute) *ProxyHandler {
 		// Consider adding configurable timeout settings for production resilience:
 		// ResponseHeaderTimeout, IdleConnTimeout, MaxIdleConnsPerHost
 
-		// Configure the proxy director to add X-Forwarded-Host and identity headers.
+		// Configure the proxy rewrite to add X-Forwarded-Host and identity headers.
 		// Connect protocol headers (Content-Type, Connect-Protocol-Version, Connect-Timeout-Ms)
 		// are standard headers (not hop-by-hop) and are preserved by httputil.ReverseProxy.
-		originalDirector := proxy.Director
-		proxy.Director = func(req *http.Request) {
-			originalDirector(req)
-			// Set X-Forwarded-Host so backends know the original Host header
-			if req.Header.Get("X-Forwarded-Host") == "" {
-				req.Header.Set("X-Forwarded-Host", req.Host)
+		proxy.Rewrite = func(r *httputil.ProxyRequest) {
+			r.SetURL(target)
+			r.SetXForwarded()
+			// Preserve the original Host header for X-Forwarded-Host
+			if r.Out.Header.Get("X-Forwarded-Host") == "" {
+				r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
 			}
 
 			// SECURITY: Strip any incoming identity headers to prevent spoofing.
 			// These headers are set only by the gateway after successful authentication.
-			req.Header.Del(HeaderUserID)
-			req.Header.Del(HeaderTenantID)
-			req.Header.Del(HeaderAuthMethod)
-			req.Header.Del(HeaderAuthRoles)
+			r.Out.Header.Del(HeaderUserID)
+			r.Out.Header.Del(HeaderTenantID)
+			r.Out.Header.Del(HeaderAuthMethod)
+			r.Out.Header.Del(HeaderAuthRoles)
 
 			// SECURITY: Strip X-API-Key header to prevent credential leakage to backends.
-			req.Header.Del(auth.APIKeyHeader)
+			r.Out.Header.Del(auth.APIKeyHeader)
 
 			// Add identity headers if the request was authenticated
-			addIdentityHeaders(req)
+			addIdentityHeaders(r.Out)
 		}
 
 		routes = append(routes, proxyRoute{

diff --git a/services/api-gateway/transcoding_bench_test.go b/services/api-gateway/transcoding_bench_test.go
@@ -117,7 +117,7 @@ func startBenchEnv(b *testing.B, backends []ServiceBackend) *benchEnv {
 		AtMost(5 * time.Second).
 		PollInterval(20 * time.Millisecond).
 		Until(func() bool {
-			resp, e := http.Get(baseURL + "/health") //nolint:noctx // Health check in benchmark setup does not need request context
+			resp, e := http.Get(baseURL + "/health")
 			if e != nil {
 				return false
 			}

diff --git a/services/control-plane/cmd/Dockerfile b/services/control-plane/cmd/Dockerfile
@@ -3,7 +3,7 @@
 # Uses distroless base image (~2MB) enabled by pure-Go dependencies
 
 # Build stage
-FROM golang:1.26.1-bookworm AS builder
+FROM golang:1.26.2-bookworm AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \

diff --git a/services/control-plane/internal/generator/handler_reference.go b/services/control-plane/internal/generator/handler_reference.go
@@ -48,7 +48,7 @@ func BuildHandlerReferenceCard(registry *schema.Registry) string {
 			return handlers[i].fullName < handlers[j].fullName
 		})
 
-		sb.WriteString(fmt.Sprintf("### %s\n\n", svc))
+		fmt.Fprintf(&sb, "### %s\n\n", svc)
 
 		for _, h := range handlers {
 			writeHandlerEntry(&sb, h.fullName, h.def)