Split out of #76 (self-upgrade retroactive spec) as a separate, independent item.
Context
The agent-init upgrade work in PR #73 introduced a net/http code path, which surfaced a pre-existing stdlib advisory flagged by check.sh: GO-2026-5037 / GO-2026-5039, fixed by moving the Go toolchain to 1.26.4. The advisory is not introduced by #73 — it was always present in the stdlib — but the new HTTP path makes the analyzer report it.
Task
- Bump the Go toolchain to 1.26.4 (
go.mod toolchain directive and any pinned version in CI / devcontainer).
- Confirm
check.sh runs clean afterward (advisory cleared).
Notes
Split out of #76 (self-upgrade retroactive spec) as a separate, independent item.
Context
The
agent-init upgradework in PR #73 introduced anet/httpcode path, which surfaced a pre-existing stdlib advisory flagged bycheck.sh: GO-2026-5037 / GO-2026-5039, fixed by moving the Go toolchain to 1.26.4. The advisory is not introduced by #73 — it was always present in the stdlib — but the new HTTP path makes the analyzer report it.Task
go.modtoolchaindirective and any pinned version in CI / devcontainer).check.shruns clean afterward (advisory cleared).Notes