feat(go): build out the full Go language bundle

The Go bundle was coverage-slice-only. Because it shipped no rule files, sync-language-bundle.sh (which fingerprints a project's bundle by spotting one of its rule files in .claude/rules/) couldn't detect it, so the coverage slice it did ship never stayed in sync. Adding the rules is what makes the bundle sync-maintainable, which was the point.

Brought Go to the full tier, matching elisp:
- claude/rules/go.md and go-testing.md, the style and testing rules (table-driven tests, go test -race, errors.Is over message matching, how the coverage slice fits). These two are also the sync fingerprint.
- claude/hooks/validate-go.sh, a PostToolUse hook that runs gofmt and go vet on each edited .go file. go vet type-checks, so compile and syntax errors surface at edit time. It deliberately doesn't auto-run tests, since a package's tests can be slow or integration-tagged and shouldn't fire on every keystroke.
- claude/settings.json, Go permissions plus the hook wiring.
- githooks/pre-commit, a secret scan and a gofmt check on staged .go.
- CLAUDE.md, the seed.

validate-go.sh is TDD'd by scripts/tests/validate-go.bats: a clean file passes, gofmt and vet failures both block with the JSON payload, and non-go, missing, or empty paths are ignored. I updated install-lang.bats test 7, which asserted Go installs no CLAUDE.md, to check the full bundle instead. Verified with a real install into a throwaway project and a green make test.

1 files changed, 51 insertions, 0 deletions

diff --git a/languages/go/githooks/pre-commit b/languages/go/githooks/pre-commit
new file mode 100755
index 0000000..a3d6f3f
--- /dev/null
+++ b/languages/go/githooks/pre-commit
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Pre-commit hook: secret scan + gofmt check on staged .go files.
+# Use `git commit --no-verify` to bypass for confirmed false positives.
+
+set -u
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd "$REPO_ROOT"
+
+# --- 1. Secret scan ---
+# Patterns for common credentials. Scans only added lines in the staged diff.
+SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])'
+
+secret_hits="$(git diff --cached -U0 --diff-filter=AM \
+  | grep '^+' | grep -v '^+++' \
+  | grep -iEn "$SECRET_PATTERNS" || true)"
+
+if [ -n "$secret_hits" ]; then
+  echo "pre-commit: potential secret in staged changes:" >&2
+  echo "$secret_hits" >&2
+  echo "" >&2
+  echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
+  echo "bypass with: git commit --no-verify" >&2
+  exit 1
+fi
+
+# --- 2. gofmt check on staged .go files ---
+# gofmt -l lists files that aren't gofmt-clean. Skip generated and vendored
+# files the same way the rest of the toolchain does.
+staged_go="$(git diff --cached --name-only --diff-filter=AM \
+  | grep '\.go$' \
+  | grep -vE '(^|/)vendor/' || true)"
+
+if [ -n "$staged_go" ] && command -v gofmt >/dev/null 2>&1; then
+  unformatted=""
+  while IFS= read -r f; do
+    [ -z "$f" ] && continue
+    [ -f "$f" ] || continue
+    if [ -n "$(gofmt -l "$f" 2>/dev/null)" ]; then
+      unformatted="${unformatted}${f}"$'\n'
+    fi
+  done <<< "$staged_go"
+
+  if [ -n "$unformatted" ]; then
+    printf 'pre-commit: gofmt check failed — these files need `gofmt -w`:\n\n%s\n' "$unformatted" >&2
+    echo "Run: gofmt -w <file> (or your editor's format-on-save), then re-stage." >&2
+    exit 1
+  fi
+fi
+
+exit 0