fix(lint): resolve 64 pre-existing golangci-lint violations in workspace-server

Fixes all ineffassign (7), staticcheck (31), and unused (26) violations
reported by golangci-lint in workspace-server/ so the linter gate is clean.

Key changes by linter:
- ineffassign: remove 7 variables assigned then immediately overwritten
- QF1001 (De Morgan): rewrite 4 negated compound conditions
- QF1006 (loop lift): 2 for{if break} → for !cond{}
- QF1008 (embedded field): drop .Resources. from hostCfg/hc selectors (provisioner + tests)
- QF1012 (Fprintf): 3 sb.WriteString(fmt.Sprintf) → fmt.Fprintf
- S1009 (nil+len): remove redundant nil check before len()
- S1016 (type conv): 2 struct-literal copies → direct type conversion
- S1017 (TrimPrefix): 2 if+HasPrefix/slice → strings.TrimPrefix
- S1023 (redundant return): remove 2 trailing returns in middleware
- SA1012 (nil context): nil → context.TODO() in resolver_test
- SA1019 (deprecated): ImageInspectWithRaw → ImageInspect; RetryAfter direct field
- SA5011 (nil deref): t.Error → t.Fatal before dereference in client_test
- ST1005 (error string): lowercase 3 error strings starting with proper nouns
- ST1013 (HTTP constant): 405 literal → http.StatusMethodNotAllowed
- unused: delete 26 unused consts/types/funcs/fields across 12 files

All three checks pass after this commit:
  go build ./...   → success
  go vet ./...     → success
  golangci-lint run --timeout 3m ./... → 0 issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

workspace-server/internal/handlers/org_persona_env_test.go

@@ -152,6 +152,7 @@ func TestIsSafeRoleName_Acceptance(t *testing.T) {
 			t.Errorf("isSafeRoleName(%q) = false; want true", s)
 		}
 	}
+	// trailing-hyphen IS allowed; only include actually-bad names:
 	bad := []string{
 		"", ".", "..", "with/slash", "/abs", "dot.in.middle",
 		"with space", "back\\slash", "with$dollar", "with?question",

workspace-server/internal/handlers/templates.go

@@ -275,7 +275,7 @@ func (h *TemplatesHandler) ListFiles(c *gin.Context) {
 			return
 		}
 		// Translate to the handler's wire shape (the field names match
-		// 1:1, but Go can't implicit-convert named struct types).
+		// 1:1, so we can use a direct type conversion).
 		out := make([]fileEntry, 0, len(entries))
 		for _, e := range entries {
 			out = append(out, fileEntry(e))

workspace-server/internal/handlers/workspace_crud.go

@@ -145,9 +145,7 @@ func (h *WorkspaceHandler) Update(c *gin.Context) {
 
 	// Auth is fully enforced at the router layer (WorkspaceAuth middleware, #680).
 	// WorkspaceAuth validates that the caller holds a valid bearer token for this
-	// specific workspace — no additional auth gate is needed here. The
-	// sensitiveUpdateFields map above documents the risk classification for
-	// auditors but is no longer used as a runtime gate.
+	// specific workspace — no additional auth gate is needed here.
 
 	// #120: guard — return 404 for nonexistent workspace IDs instead of
 	// silently applying zero-row UPDATEs and returning 200.

workspace-server/internal/memory/client/client_test.go

@@ -793,8 +793,7 @@ func TestDoJSON_204OnEndpointExpectingBody(t *testing.T) {
 		t.Fatalf("Search: %v", err)
 	}
 	if got == nil {
-		t.Error("got nil SearchResponse, want zero value")
-		return
+		t.Fatal("got nil SearchResponse, want zero value")
 	}
 	if len(got.Memories) != 0 {
 		t.Errorf("memories = %v, want empty", got.Memories)