docs(go): add Go standards page and update language matrix

Add content/docs/standards/go.md covering golangci-lint, gofumpt,
govulncheck, and go test. Update _index.md with Go column in matrix,
target mapping, and per-language list.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: matthew-on-git

content/docs/standards/_index.md

@@ -2,7 +2,7 @@
 title: "Standards"
 linkTitle: "Standards"
 weight: 20
-description: "Per-language tooling standards for Python, Bash, Terraform, Ansible, Ruby, and universal security tools."
+description: "Per-language tooling standards for Python, Bash, Terraform, Ansible, Ruby, Go, and universal security tools."
 ---
 
 DevRail defines opinionated tooling standards for each supported language ecosystem. Every tool is pre-installed in the dev-toolchain container and invoked through consistent Makefile targets.
@@ -11,15 +11,15 @@ DevRail defines opinionated tooling standards for each supported language ecosys
 
 The following table shows the default tool for each concern per language. These tools are pre-installed in the `dev-toolchain` container.
 
-| Concern | Python | Bash | Terraform | Ansible | Ruby |
-|---|---|---|---|---|---|
-| Linter | ruff | shellcheck | tflint | ansible-lint | rubocop, reek |
-| Formatter | ruff format | shfmt | terraform fmt | -- | rubocop |
-| Security | bandit, semgrep | -- | tfsec, checkov | -- | brakeman, bundler-audit |
-| Tests | pytest | bats | terratest | molecule | rspec |
-| Type Check | mypy | -- | -- | -- | sorbet |
-| Docs | -- | -- | terraform-docs | -- | -- |
-| Universal | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks |
+| Concern | Python | Bash | Terraform | Ansible | Ruby | Go |
+|---|---|---|---|---|---|---|
+| Linter | ruff | shellcheck | tflint | ansible-lint | rubocop, reek | golangci-lint |
+| Formatter | ruff format | shfmt | terraform fmt | -- | rubocop | gofumpt |
+| Security | bandit, semgrep | -- | tfsec, checkov | -- | brakeman, bundler-audit | govulncheck |
+| Tests | pytest | bats | terratest | molecule | rspec | go test |
+| Type Check | mypy | -- | -- | -- | sorbet | -- |
+| Docs | -- | -- | terraform-docs | -- | -- | -- |
+| Universal | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks |
 
 A `--` entry means the concern does not apply to that language. Universal tools run for all projects regardless of declared languages.
 
@@ -29,10 +29,10 @@ Each Makefile target runs the relevant tools for all languages declared in `.dev
 
 | Target | What It Runs |
 |---|---|
-| `make lint` | ruff check, shellcheck, tflint, ansible-lint, mypy, rubocop, reek |
-| `make format` | ruff format, shfmt, terraform fmt, rubocop |
-| `make test` | pytest, bats, terratest, molecule, rspec |
-| `make security` | bandit, semgrep, tfsec, checkov, brakeman, bundler-audit |
+| `make lint` | ruff check, shellcheck, tflint, ansible-lint, mypy, rubocop, reek, golangci-lint |
+| `make format` | ruff format, shfmt, terraform fmt, rubocop, gofumpt |
+| `make test` | pytest, bats, terratest, molecule, rspec, go test |
+| `make security` | bandit, semgrep, tfsec, checkov, brakeman, bundler-audit, govulncheck |
 | `make scan` | trivy, gitleaks (universal -- all projects) |
 | `make docs` | terraform-docs |
 | `make check` | All of the above in sequence |
@@ -44,6 +44,7 @@ Each Makefile target runs the relevant tools for all languages declared in `.dev
 - [Terraform Standards](/docs/standards/terraform/) -- tflint, terraform fmt, tfsec, checkov, terratest, terraform-docs
 - [Ansible Standards](/docs/standards/ansible/) -- ansible-lint, molecule
 - [Ruby Standards](/docs/standards/ruby/) -- rubocop, brakeman, bundler-audit, rspec, reek, sorbet
+- [Go Standards](/docs/standards/go/) -- golangci-lint, gofumpt, govulncheck, go test
 - [Universal Security](/docs/standards/universal/) -- trivy, gitleaks
 
 ## Consistent Page Structure

content/docs/standards/go.md

@@ -0,0 +1,96 @@
+---
+title: "Go"
+linkTitle: "Go"
+weight: 30
+description: "Go tooling standards: golangci-lint, gofumpt, govulncheck, and go test."
+---
+
+Go projects use golangci-lint for linting, gofumpt for formatting, govulncheck for security scanning, and go test for testing.
+
+## Tools
+
+| Category | Tool | Purpose |
+|---|---|---|
+| Linter | golangci-lint v2 | Meta-linter (bundles go vet, staticcheck, gosec, errcheck, etc.) |
+| Formatter | gofumpt | Strict superset of gofmt |
+| Security | govulncheck | Scans module dependencies for known vulnerabilities |
+| Tests | go test | Built-in Go test runner |
+
+All tools are pre-installed in the dev-toolchain container. Do not install them on the host.
+
+## Configuration
+
+### golangci-lint
+
+Config file: `.golangci.yml` at repository root.
+
+```yaml
+# .golangci.yml -- DevRail Go lint configuration
+version: "2"
+
+linters:
+  enable:
+    - errcheck
+    - govet
+    - staticcheck
+    - gosec
+    - ineffassign
+    - unused
+    - gocritic
+    - gofumpt
+    - misspell
+    - revive
+
+issues:
+  exclude-dirs:
+    - vendor
+    - node_modules
+```
+
+golangci-lint v2 uses a `version: "2"` key in the config file. It is a meta-linter that bundles dozens of linters. Do not install standalone versions of go vet, staticcheck, gosec, or errcheck.
+
+### gofumpt
+
+No config file required. gofumpt is a strict superset of `gofmt`. It enforces additional formatting rules (grouped imports, consistent spacing). Run with `gofumpt -w .` to apply fixes or `gofumpt -d .` to check.
+
+### govulncheck
+
+No config file required. Scans `go.sum` for known vulnerabilities in module dependencies. Requires the Go SDK at runtime because it uses `go/packages` internally.
+
+## Makefile Targets
+
+| Target | Command | Description |
+|---|---|---|
+| `make lint` | `golangci-lint run ./...` | Lint all Go files |
+| `make format` | `gofumpt -d .` | Check formatting (diff mode) |
+| `make security` | `govulncheck ./...` | Dependency vulnerability scanning (if `go.sum` exists) |
+| `make test` | `go test ./...` | Run test suite (if `*_test.go` files exist) |
+
+## Pre-Commit Hooks
+
+### Local Hooks (run on every commit, under 30 seconds)
+
+golangci-lint runs on every commit to catch lint and formatting issues:
+
+```yaml
+# .pre-commit-config.yaml -- Go hooks
+repos:
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v2.1.6
+    hooks:
+      - id: golangci-lint-full
+```
+
+### CI-Only (too slow for local hooks)
+
+- `govulncheck ./...` -- dependency vulnerability scanning
+- `go test ./...` -- full test suite
+
+## Notes
+
+- **golangci-lint v2 is the single linting tool.** It bundles go vet, staticcheck, gosec, errcheck, and dozens more. Do not install standalone versions of these linters.
+- **gofumpt is a strict superset of gofmt.** All gofmt-valid code is gofumpt-valid, but gofumpt enforces additional style rules. Use gofumpt exclusively.
+- **govulncheck requires the Go SDK at runtime.** Unlike other tools that are standalone binaries, govulncheck uses `go/packages` to analyze module dependencies. The Go SDK is included in the dev-toolchain container for this reason.
+- **Go tools use `./...` patterns.** The `./...` pattern matches all packages in the module. This is the standard Go convention for recursive operations.
+- **`go.sum` presence gates security scanning.** If no `go.sum` file exists, govulncheck is skipped because there are no module dependencies to scan.
+- **All tools are pre-installed in the dev-toolchain container.** Do not install them on the host.