Address gosec security warnings (bd-102)

- Enable gosec linter in .golangci.yml - Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs - Git hooks remain 0700 (executable, user-only access) - Add #nosec comments for safe cases with justifications: - G204: Safe subprocess launches (git show, bd daemon) - G304: File inclusions with controlled paths - G201: SQL formatting with controlled column names - G115: Integer conversions with controlled values All gosec warnings resolved (20→0). All tests passing. Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0 Co-authored-by: Amp <amp@ampcode.com>
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions
--- a/internal/rpc/server.go
+++ b/internal/rpc/server.go
@@ -292,7 +292,7 @@ func (s *Server) ensureSocketDir() error {
 		return err
 	}
 	// Best-effort tighten permissions if directory already existed
-	_ = os.Chmod(dir, 0700)
+	_ = os.Chmod(dir, 0700) // #nosec G302 - 0700 is secure (user-only access)
 	return nil
 }

@@ -354,6 +354,7 @@ func (s *Server) checkMemoryPressure() {
 	}

 	allocMB := m.Alloc / 1024 / 1024
+	// #nosec G115 - safe conversion of positive value
 	if allocMB > uint64(thresholdMB) {
 		fmt.Fprintf(os.Stderr, "Warning: High memory usage detected (%d MB), triggering aggressive cache eviction\n", allocMB)
 		s.aggressiveEviction()