fix: Docker HTTP/2 compatibility (TLS-only) + strict test failure policy

.github/workflows/ci.yml

@@ -85,11 +85,10 @@
         run: go build ./...
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
-          version: latest
-          install-mode: goinstall
-          args: --timeout=5m --out-format=github-actions --allow-parallel-runners
+          version: v2.6.2
+          args: --timeout=5m
           only-new-issues: false
 
   vulncheck:
@@ -103,7 +102,7 @@
         with:
           go-version-file: go.mod
       - name: Run govulncheck and fail only if fix available
         run: |
           set +e
           TMP_OUT=$(mktemp)
           go run golang.org/x/vuln/cmd/govulncheck@latest ./... | tee "$TMP_OUT"
@@ -117,47 +116,34 @@
           echo "govulncheck: no vulnerabilities with available fixes (or only unfixed advisories)"
           exit 0
 
-  # Integration tests disabled due to upstream go-dockerclient library issue
-  # Issue: https://github.com/fsouza/go-dockerclient/issues/911
-  # Tests pass functionally but panic during cleanup with "send on closed channel"
-  # in event monitoring goroutines when Docker client is closed.
-  #
-  # The panic occurs in: github.com/fsouza/[email protected]/event.go:342
-  # Root cause: Event listeners try to send on closed channels during cleanup
-  #
-  # All 23 integration tests pass before the panic occurs during teardown.
-  # This is NOT a bug in our code but an upstream library issue.
-  #
-  # Integration tests can be run locally with: go test -tags=integration ./core
-  #
-  # integration:
-  #   name: integration tests
-  #   needs: unit
-  #   runs-on: ${{ matrix.platform }}
-  #   strategy:
-  #     fail-fast: false
-  #     matrix:
-  #       go-version: [1.25.x]
-  #       platform: [ubuntu-latest]
-  #   steps:
-  #     - name: Checkout code
-  #       uses: actions/checkout@v4
-  #       with:
-  #         fetch-depth: 0
-  #
-  #     - name: Install Go
-  #       uses: actions/setup-go@v5
-  #       with:
-  #         go-version: ${{ matrix.go-version }}
-  #
-  #     - name: Set up Docker Buildx
-  #       uses: docker/setup-buildx-action@v3
-  #
-  #     - name: Confirm Docker
-  #       run: docker info
-  #
-  #     - name: Integration tests
-  #       run: go test -tags=integration ./...
+  integration:
+    name: integration tests
+    needs: unit
+    runs-on: ${{ matrix.platform }}
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version: [1.25.x]
+        platform: [ubuntu-latest]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Confirm Docker
+        run: docker info
+
+      - name: Integration tests
+        run: go test -tags=integration -timeout=2m ./...
 
   codeql:
     # skip merge queue branches as they disappear before the upload step
@@ -208,7 +194,7 @@
         run: go install github.com/securego/gosec/v2/cmd/gosec@latest
 
       - name: Run gosec
         run: |
           echo "GOPATH=$(go env GOPATH)"
           $(go env GOPATH)/bin/gosec ./...
 
@@ -318,7 +304,7 @@
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set release version
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v6

.golangci.yml

@@ -1,102 +1,133 @@
+version: "2"
+run:
+  tests: false
 linters:
-  disable-all: true
+  default: none
   enable:
-    - gofmt
-    - goimports
-    - gofumpt
-    - gci
-    - gocritic
+    - asciicheck
     - bodyclose
+    - containedctx
     - contextcheck
-    - errorlint
-    - errname
-    - tagliatelle
-    - asciicheck
+    - copyloopvar
+    - depguard
+    - dupl
     - durationcheck
-    - containedctx
-    - noctx
+    - errcheck
+    - errname
+    - errorlint
+    - exhaustive
+    - forbidigo
+    - goconst
+    - gocritic
+    - gocyclo
+    - govet
+    - ineffassign
+    - misspell
     - nilerr
     - nilnil
+    - noctx
+    - nolintlint
     - nosprintfhostport
-    - unconvert
     - paralleltest
-    - tparallel
-    - depguard
-    - revive
-    - gocyclo
-    - ineffassign
-    - errcheck
-    - misspell
-    - goconst
-    - dupl
     - prealloc
-    - typecheck
+    - predeclared
+    - revive
     - staticcheck
-    - gosimple
-    - govet
-    - unused
+    - tagliatelle
+    - tparallel
+    - unconvert
     - unparam
-    - nolintlint
-    - predeclared
-    - copyloopvar
-    - exhaustive
-    - forbidigo
+    - unused
     - wrapcheck
-
-run:
-  timeout: 5m
-  tests: false
-
-issues:
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - revive
-        - wrapcheck
-    - path: core/common\.go
-      text: "nolint:exhaustive"
-      linters:
-        - nolintlint
-    - path: middlewares/slack\.go
-      linters:
-        - tagliatelle
-
-linters-settings:
-  gocyclo:
-    min-complexity: 15
-  revive:
-    rules:
-      - name: blank-imports
-        disabled: true
-      - name: package-comments
-        disabled: true
-      - name: var-naming
-      - name: exported
-      - name: if-return
-      - name: early-return
-      - name: line-length-limit
-        arguments: [ 140 ]
-      - name: import-shadowing
-      - name: time-naming
-      - name: increment-decrement
-  forbidigo:
-    forbid:
-      - '^fmt\.Print.*$'
-  wrapcheck:
-    ignoreSigRegexps:
-      - 'errors\.New\('
-      - '\*github\.com/netresearch/ofelia/core\.Context\)\.Next\('
-  misspell:
-    locale: US
-  gci:
-    sections:
-      - standard
-      - default
-      - prefix(github.com/netresearch/ofelia)
-  depguard:
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: log
+              desc: use core.Logger (logrus via core adapter)
+    forbidigo:
+      forbid:
+        - pattern: ^fmt\.Print.*$
+    gocyclo:
+      min-complexity: 15
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: blank-imports
+          disabled: true
+        - name: package-comments
+          disabled: true
+        - name: var-naming
+        - name: exported
+        - name: if-return
+        - name: early-return
+        - name: line-length-limit
+          arguments:
+            - 140
+        - name: import-shadowing
+        - name: time-naming
+        - name: increment-decrement
+    wrapcheck:
+      ignore-sig-regexps:
+        - errors\.New\(
+        - \*github\.com/netresearch/ofelia/core\.Context\)\.Next\(
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
     rules:
-      main:
-        deny:
-          - pkg: log
-            desc: use core.Logger (logrus via core adapter)
+      - linters:
+          - gocyclo
+          - revive
+          - wrapcheck
+        path: _test\.go
+      - linters:
+          - govet
+        path: "_test"
+        text: "buildtag:"
+      - linters:
+          - nolintlint
+        path: core/common\.go
+        text: nolint:exhaustive
+      - linters:
+          - tagliatelle
+        path: middlewares/slack\.go
+      - linters:
+          - staticcheck
+        text: "QF"
+      - linters:
+          - staticcheck
+        text: "ST1005:"
+      - linters:
+          - staticcheck
+        text: "ST1018:"
+      - linters:
+          - noctx
+        path: cli/daemon\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/netresearch/ofelia)
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

AGENTS.md

@@ -1,28 +1,35 @@
-# Codex Agent Instructions
+<!-- Managed by agent: keep sections and order; edit content, not structure. Last updated: 2025-09-29 -->
 
-This repository is written in Go. Follow these rules when contributing:
+# AGENTS.md (root)
 
-## Formatting
-
-- Format all modified Go files with `gofmt -w`. Unformatted code must not be committed.
-
-## Vetting and Testing
-
-- Run `go vet ./...` and `go test ./...` after changes. All commands should pass before committing.
-
-## Documentation
+This file explains repo‑wide conventions and where to find scoped rules.  
+**Precedence:** the **closest `AGENTS.md`** to the files you're changing wins. Root holds global defaults only.
 
+## Global rules
+- Keep diffs small; add tests for new code paths.
+- Use semantic commit messages following Conventional Commits style (e.g., `feat:`, `fix:`, `docs:`).
+- Write comprehensive commit message bodies that thoroughly describe every change introduced.
+- Ask first before: adding heavy deps, running full e2e suites, or repo‑wide rewrites.
 - Update `README.md` or files in `docs/` when you change user-facing behavior.
 
-## Commits
-
-- Use semantic commit messages following the Conventional Commits style (e.g.,
-  `feat:`, `fix:`, `docs:`) for all commits.
-- Write a comprehensive commit message body that thoroughly describes every
-  change introduced.
-
-## Repository Hygiene
-
+## Minimal pre‑commit checks
+- Format Go code: `gofmt -w $(git ls-files '*.go')`
+- Vet code: `go vet ./...`
+- Run tests: `go test ./...`  
+- Full lint check: `make lint`
+- Security check: `make security-check`
+
+## Index of scoped AGENTS.md
+- `./cli/AGENTS.md` — command-line interface and configuration
+- `./core/AGENTS.md` — core business logic and scheduling
+- `./web/AGENTS.md` — web interface and HTTP handlers
+- `./middlewares/AGENTS.md` — notification and middleware logic
+- `./test/AGENTS.md` — testing utilities and integration tests
+
+## Repository hygiene
 - Manage dependencies exclusively with Go modules.
 - Do **not** vendor or commit downloaded modules. Avoid running `go mod vendor`.
 - Ensure the `vendor/` directory is ignored via `.gitignore`.
+
+## When instructions conflict
+- The nearest `AGENTS.md` wins. Explicit user prompts override files.

CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+
+- **Docker Socket HTTP/2 Compatibility**
+  - Fixed Docker client connection failures on non-TLS connections introduced in v0.11.0
+  - OptimizedDockerClient now only enables HTTP/2 for HTTPS (TLS) connections
+  - HTTP/2 is disabled for Unix sockets, tcp://, and http:// (Docker daemon only supports HTTP/2 over TLS with ALPN)
+  - Resolves "protocol error" issues when connecting to `/var/run/docker.sock` or `tcp://localhost:2375`
+  - HTTP/2 enabled only for `https://` connections where Docker daemon supports ALPN negotiation
+  - Added comprehensive unit tests covering all connection types (9 scenarios)
+  - Technical details: Docker daemon does not implement h2c (HTTP/2 cleartext) - HTTP/2 requires TLS
+
 ## [0.11.0] - 2025-11-21
 
 ### Critical Fixes