Address gosec security warnings (bd-102)

- Enable gosec linter in .golangci.yml
- Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs
- Git hooks remain 0700 (executable, user-only access)
- Add #nosec comments for safe cases with justifications:
  - G204: Safe subprocess launches (git show, bd daemon)
  - G304: File inclusions with controlled paths
  - G201: SQL formatting with controlled column names
  - G115: Integer conversions with controlled values

All gosec warnings resolved (20→0). All tests passing.

Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0
Co-authored-by: Amp <amp@ampcode.com>

cmd/bd/autoimport.go

@@ -88,7 +88,7 @@ func checkGitForIssues() (int, string) {
 	for _, relPath := range candidates {
 		// Use ToSlash for git path compatibility on Windows
 		gitPath := filepath.ToSlash(relPath)
-		cmd := exec.Command("git", "show", fmt.Sprintf("HEAD:%s", gitPath))
+		cmd := exec.Command("git", "show", fmt.Sprintf("HEAD:%s", gitPath)) // #nosec G204 - git command with safe args
 		output, err := cmd.Output()
 		if err == nil && len(output) > 0 {
 			lines := bytes.Count(output, []byte("\n"))
@@ -139,7 +139,7 @@ func findGitRoot() string {
 func importFromGit(ctx context.Context, dbFilePath string, store storage.Storage, jsonlPath string) error {
 	// Get content from git (use ToSlash for Windows compatibility)
 	gitPath := filepath.ToSlash(jsonlPath)
-	cmd := exec.Command("git", "show", fmt.Sprintf("HEAD:%s", gitPath))
+	cmd := exec.Command("git", "show", fmt.Sprintf("HEAD:%s", gitPath)) // #nosec G204 - git command with safe args
 	jsonlData, err := cmd.Output()
 	if err != nil {
 		return fmt.Errorf("failed to read from git: %w", err)