From 00d0eb01929846500ab27996847a16723ce91818 Mon Sep 17 00:00:00 2001
From: beads/crew/dave <steve.yegge@gmail.com>
Date: Thu, 1 Jan 2026 10:49:33 -0800
Subject: [PATCH] fix: add gosec annotations to doctor/gitignore.go (GH#832)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds #nosec G204 annotations to exec.Command calls that use
hardcoded paths. Fixes pre-existing lint failure exposed by PR #832.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Executed-By: beads/crew/dave
Rig: beads
Role: crew
---
 cmd/bd/doctor/gitignore.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/cmd/bd/doctor/gitignore.go b/cmd/bd/doctor/gitignore.go
index 1abbdd37..dc5cff2b 100644
--- a/cmd/bd/doctor/gitignore.go
+++ b/cmd/bd/doctor/gitignore.go
@@ -146,13 +146,13 @@ func CheckIssuesTracking() DoctorCheck {
 
 	// Check if git considers this file ignored
 	// git check-ignore exits 0 if ignored, 1 if not ignored, 128 if error
-	cmd := exec.Command("git", "check-ignore", "-q", issuesPath)
+	cmd := exec.Command("git", "check-ignore", "-q", issuesPath) // #nosec G204 - args are hardcoded paths
 	err := cmd.Run()
 
 	if err == nil {
 		// Exit code 0 means the file IS ignored - this is bad
 		// Get details about what's ignoring it
-		detailCmd := exec.Command("git", "check-ignore", "-v", issuesPath)
+		detailCmd := exec.Command("git", "check-ignore", "-v", issuesPath) // #nosec G204 - args are hardcoded paths
 		output, _ := detailCmd.Output()
 		detail := strings.TrimSpace(string(output))
 
@@ -191,7 +191,7 @@ func CheckRedirectNotTracked() DoctorCheck {
 
 	// Check if git considers this file tracked
 	// git ls-files exits 0 and outputs the filename if tracked, empty if untracked
-	cmd := exec.Command("git", "ls-files", redirectPath)
+	cmd := exec.Command("git", "ls-files", redirectPath) // #nosec G204 - args are hardcoded paths
 	output, err := cmd.Output()
 	if err != nil {
 		// Not in a git repo or git error - skip check
@@ -227,7 +227,7 @@ func FixRedirectTracking() error {
 	redirectPath := filepath.Join(".beads", "redirect")
 
 	// Check if file is actually tracked first
-	cmd := exec.Command("git", "ls-files", redirectPath)
+	cmd := exec.Command("git", "ls-files", redirectPath) // #nosec G204 - args are hardcoded paths
 	output, err := cmd.Output()
 	if err != nil {
 		return nil // Not a git repo, nothing to do
@@ -239,7 +239,7 @@ func FixRedirectTracking() error {
 	}
 
 	// Untrack the file (keeps the local copy)
-	cmd = exec.Command("git", "rm", "--cached", redirectPath)
+	cmd = exec.Command("git", "rm", "--cached", redirectPath) // #nosec G204 - args are hardcoded paths
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to untrack redirect file: %w", err)
 	}