fix: Add nolint comments for gosec/errcheck/unparam warnings

Fixes CI lint failures by adding appropriate nolint directives for:
- G204 (subprocess with variable) - git commands with trusted inputs
- G304 (file inclusion via variable) - paths from internal helpers
- G302/G306 (file permissions) - .gitignore needs 0644
- errcheck (unchecked return values) - fmt.Fprint* to stdout/stderr
- unparam (unused parameters) - reserved for future use

cmd/bd/compact_tombstone.go

@@ -284,7 +284,7 @@ func purgeTombstonesByDependency(dryRun bool) (*PurgeTombstonesResult, error) {
 	}
 
 	// Read all issues
-	file, err := os.Open(issuesPath)
+	file, err := os.Open(issuesPath) //nolint:gosec // G304: issuesPath from beads.FindBeadsDir()
 	if err != nil {
 		return nil, fmt.Errorf("failed to open issues.jsonl: %w", err)
 	}

cmd/bd/doctor_pollution.go

@@ -11,6 +11,8 @@ import (
 
 // runPollutionCheck runs detailed test pollution detection
 // This integrates the detect-pollution command functionality into doctor.
+//
+//nolint:unparam // path reserved for future use
 func runPollutionCheck(_ string, clean bool, yes bool) {
 	// Ensure we have a store initialized (uses direct mode, no daemon support yet)
 	if err := ensureDirectMode("pollution check requires direct mode"); err != nil {

cmd/bd/edit.go

@@ -131,8 +131,7 @@ Examples:
 		_ = tmpFile.Close()
 
 		// Open the editor
-		// #nosec G204 -- editor comes from trusted $EDITOR/$VISUAL env or known defaults
+		editorCmd := exec.Command(editor, tmpPath) //nolint:gosec // G204: editor from trusted $EDITOR/$VISUAL env or known defaults
-		editorCmd := exec.Command(editor, tmpPath)
 		editorCmd.Stdin = os.Stdin
 		editorCmd.Stdout = os.Stdout
 		editorCmd.Stderr = os.Stderr

cmd/bd/setup/factory.go

@@ -132,14 +132,14 @@ func InstallFactory() {
 }
 
 func installFactory(env factoryEnv) error {
-	fmt.Fprintln(env.stdout, "Installing Factory.ai (Droid) integration...")
+	_, _ = fmt.Fprintln(env.stdout, "Installing Factory.ai (Droid) integration...")
 
 	var currentContent string
 	data, err := os.ReadFile(env.agentsPath)
 	if err == nil {
 		currentContent = string(data)
 	} else if !os.IsNotExist(err) {
-		fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
+		_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
 		return err
 	}
 
@@ -147,31 +147,31 @@ func installFactory(env factoryEnv) error {
 		if strings.Contains(currentContent, factoryBeginMarker) {
 			newContent := updateBeadsSection(currentContent)
 			if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
-				fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
+				_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
 				return err
 			}
-			fmt.Fprintln(env.stdout, "✓ Updated existing beads section in AGENTS.md")
+			_, _ = fmt.Fprintln(env.stdout, "✓ Updated existing beads section in AGENTS.md")
 		} else {
 			newContent := currentContent + "\n\n" + factoryBeadsSection
 			if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
-				fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
+				_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
 				return err
 			}
-			fmt.Fprintln(env.stdout, "✓ Added beads section to existing AGENTS.md")
+			_, _ = fmt.Fprintln(env.stdout, "✓ Added beads section to existing AGENTS.md")
 		}
 	} else {
 		newContent := createNewAgentsFile()
 		if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
-			fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
+			_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
 			return err
 		}
-		fmt.Fprintln(env.stdout, "✓ Created new AGENTS.md with beads integration")
+		_, _ = fmt.Fprintln(env.stdout, "✓ Created new AGENTS.md with beads integration")
 	}
 
-	fmt.Fprintln(env.stdout, "\n✓ Factory.ai (Droid) integration installed")
+	_, _ = fmt.Fprintln(env.stdout, "\n✓ Factory.ai (Droid) integration installed")
-	fmt.Fprintf(env.stdout, "  File: %s\n", env.agentsPath)
+	_, _ = fmt.Fprintf(env.stdout, "  File: %s\n", env.agentsPath)
-	fmt.Fprintln(env.stdout, "\nFactory Droid will automatically read AGENTS.md on session start.")
+	_, _ = fmt.Fprintln(env.stdout, "\nFactory Droid will automatically read AGENTS.md on session start.")
-	fmt.Fprintln(env.stdout, "No additional configuration needed!")
+	_, _ = fmt.Fprintln(env.stdout, "No additional configuration needed!")
 	return nil
 }
 
@@ -186,23 +186,23 @@ func CheckFactory() {
 func checkFactory(env factoryEnv) error {
 	data, err := os.ReadFile(env.agentsPath)
 	if os.IsNotExist(err) {
-		fmt.Fprintln(env.stdout, "✗ AGENTS.md not found")
+		_, _ = fmt.Fprintln(env.stdout, "✗ AGENTS.md not found")
-		fmt.Fprintln(env.stdout, "  Run: bd setup factory")
+		_, _ = fmt.Fprintln(env.stdout, "  Run: bd setup factory")
 		return errAgentsFileMissing
 	} else if err != nil {
-		fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
+		_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
 		return err
 	}
 
 	content := string(data)
 	if strings.Contains(content, factoryBeginMarker) {
-		fmt.Fprintf(env.stdout, "✓ Factory.ai integration installed: %s\n", env.agentsPath)
+		_, _ = fmt.Fprintf(env.stdout, "✓ Factory.ai integration installed: %s\n", env.agentsPath)
-		fmt.Fprintln(env.stdout, "  Beads section found in AGENTS.md")
+		_, _ = fmt.Fprintln(env.stdout, "  Beads section found in AGENTS.md")
 		return nil
 	}
 
-	fmt.Fprintln(env.stdout, "⚠ AGENTS.md exists but no beads section found")
+	_, _ = fmt.Fprintln(env.stdout, "⚠ AGENTS.md exists but no beads section found")
-	fmt.Fprintln(env.stdout, "  Run: bd setup factory (to add beads section)")
+	_, _ = fmt.Fprintln(env.stdout, "  Run: bd setup factory (to add beads section)")
 	return errBeadsSectionMissing
 }
 
@@ -215,19 +215,19 @@ func RemoveFactory() {
 }
 
 func removeFactory(env factoryEnv) error {
-	fmt.Fprintln(env.stdout, "Removing Factory.ai (Droid) integration...")
+	_, _ = fmt.Fprintln(env.stdout, "Removing Factory.ai (Droid) integration...")
 	data, err := os.ReadFile(env.agentsPath)
 	if os.IsNotExist(err) {
-		fmt.Fprintln(env.stdout, "No AGENTS.md file found")
+		_, _ = fmt.Fprintln(env.stdout, "No AGENTS.md file found")
 		return nil
 	} else if err != nil {
-		fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
+		_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
 		return err
 	}
 
 	content := string(data)
 	if !strings.Contains(content, factoryBeginMarker) {
-		fmt.Fprintln(env.stdout, "No beads section found in AGENTS.md")
+		_, _ = fmt.Fprintln(env.stdout, "No beads section found in AGENTS.md")
 		return nil
 	}
 
@@ -235,18 +235,18 @@ func removeFactory(env factoryEnv) error {
 	trimmed := strings.TrimSpace(newContent)
 	if trimmed == "" {
 		if err := os.Remove(env.agentsPath); err != nil {
-			fmt.Fprintf(env.stderr, "Error: failed to remove %s: %v\n", env.agentsPath, err)
+			_, _ = fmt.Fprintf(env.stderr, "Error: failed to remove %s: %v\n", env.agentsPath, err)
 			return err
 		}
-		fmt.Fprintf(env.stdout, "✓ Removed %s (file was empty after removing beads section)\n", env.agentsPath)
+		_, _ = fmt.Fprintf(env.stdout, "✓ Removed %s (file was empty after removing beads section)\n", env.agentsPath)
 		return nil
 	}
 
 	if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
-		fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
+		_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
 		return err
 	}
-	fmt.Fprintln(env.stdout, "✓ Removed beads section from AGENTS.md")
+	_, _ = fmt.Fprintln(env.stdout, "✓ Removed beads section from AGENTS.md")
 	return nil
 }
 

cmd/bd/swarm.go

@@ -315,7 +315,9 @@ func analyzeEpicForSwarm(ctx context.Context, s SwarmStorage, epic *types.Issue)
 }
 
 // detectStructuralIssues looks for common problems in the dependency graph.
-func detectStructuralIssues(analysis *SwarmAnalysis, issues []*types.Issue) {
+//
+//nolint:unparam // issues reserved for future use
+func detectStructuralIssues(analysis *SwarmAnalysis, _ []*types.Issue) {
 	// 1. Find roots (issues with no dependencies within the epic)
 	//    These are the starting points. Having multiple roots is normal.
 	var roots []string

cmd/bd/sync_git.go

@@ -58,10 +58,8 @@ func gitHasUpstream() bool {
 	branch := strings.TrimSpace(string(branchOutput))
 
 	// Check if remote and merge refs are configured
-	// #nosec G204 -- branch name comes from git symbolic-ref output
+	remoteCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch)) //nolint:gosec // G204: branch from git symbolic-ref
-	remoteCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch))
+	mergeCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.merge", branch))   //nolint:gosec // G204: branch from git symbolic-ref
-	// #nosec G204 -- branch name comes from git symbolic-ref output
-	mergeCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.merge", branch))
 
 	remoteErr := remoteCmd.Run()
 	mergeErr := mergeCmd.Run()
@@ -108,8 +106,7 @@ func gitHasBeadsChanges(ctx context.Context) (bool, error) {
 	relPath, err := filepath.Rel(repoRoot, beadsDir)
 	if err != nil {
 		// Fall back to absolute path if relative path fails
-		// #nosec G204 -- beadsDir comes from beads.FindBeadsDir()
+		statusCmd := exec.CommandContext(ctx, "git", "status", "--porcelain", beadsDir) //nolint:gosec // G204: beadsDir from beads.FindBeadsDir()
-		statusCmd := exec.CommandContext(ctx, "git", "status", "--porcelain", beadsDir)
 		statusOutput, err := statusCmd.Output()
 		if err != nil {
 			return false, fmt.Errorf("git status failed: %w", err)
@@ -118,8 +115,7 @@ func gitHasBeadsChanges(ctx context.Context) (bool, error) {
 	}
 
 	// Run git status with relative path from repo root
-	// #nosec G204 -- repoRoot and relPath come from internal git helpers
+	statusCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "status", "--porcelain", relPath) //nolint:gosec // G204: paths from internal git helpers
-	statusCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "status", "--porcelain", relPath)
 	statusOutput, err := statusCmd.Output()
 	if err != nil {
 		return false, fmt.Errorf("git status failed: %w", err)
@@ -166,7 +162,7 @@ func gitCommit(ctx context.Context, filePath string, message string) error {
 	}
 
 	// Stage the file from repo root context
-	addCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "add", relPath)
+	addCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "add", relPath) //nolint:gosec // G204: paths from internal git helpers
 	if err := addCmd.Run(); err != nil {
 		return fmt.Errorf("git add failed: %w", err)
 	}
@@ -180,7 +176,7 @@ func gitCommit(ctx context.Context, filePath string, message string) error {
 	// Use pathspec to commit ONLY this file
 	// This prevents accidentally committing other staged files
 	commitArgs := buildGitCommitArgs(repoRoot, message, "--", relPath)
-	commitCmd := exec.CommandContext(ctx, "git", commitArgs...)
+	commitCmd := exec.CommandContext(ctx, "git", commitArgs...) //nolint:gosec // G204: args from buildGitCommitArgs
 	output, err := commitCmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("git commit failed: %w\n%s", err, output)
@@ -235,7 +231,7 @@ func gitCommitBeadsDir(ctx context.Context, message string) error {
 
 	// Stage only the sync files from repo root context (worktree-aware)
 	args := append([]string{"-C", repoRoot, "add"}, filesToAdd...)
-	addCmd := exec.CommandContext(ctx, "git", args...)
+	addCmd := exec.CommandContext(ctx, "git", args...) //nolint:gosec // G204: paths from internal git helpers
 	if err := addCmd.Run(); err != nil {
 		return fmt.Errorf("git add failed: %w", err)
 	}
@@ -256,7 +252,7 @@ func gitCommitBeadsDir(ctx context.Context, message string) error {
 
 	// Use config-based author and signing options with pathspec
 	commitArgs := buildGitCommitArgs(repoRoot, message, "--", relBeadsDir)
-	commitCmd := exec.CommandContext(ctx, "git", commitArgs...)
+	commitCmd := exec.CommandContext(ctx, "git", commitArgs...) //nolint:gosec // G204: args from buildGitCommitArgs
 	output, err := commitCmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("git commit failed: %w\n%s", err, output)
@@ -382,8 +378,7 @@ func gitPull(ctx context.Context) error {
 	branch := strings.TrimSpace(string(branchOutput))
 
 	// Get remote name for current branch (usually "origin")
-	// #nosec G204 -- branch name comes from git symbolic-ref output
+	remoteCmd := exec.CommandContext(ctx, "git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch)) //nolint:gosec // G204: branch from git symbolic-ref
-	remoteCmd := exec.CommandContext(ctx, "git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch))
 	remoteOutput, err := remoteCmd.Output()
 	if err != nil {
 		// If no remote configured, default to "origin"
@@ -445,7 +440,7 @@ func getDefaultBranch(ctx context.Context) string {
 // Checks remote HEAD first, then falls back to checking if main/master exist
 func getDefaultBranchForRemote(ctx context.Context, remote string) string {
 	// Try to get default branch from remote
-	cmd := exec.CommandContext(ctx, "git", "symbolic-ref", fmt.Sprintf("refs/remotes/%s/HEAD", remote))
+	cmd := exec.CommandContext(ctx, "git", "symbolic-ref", fmt.Sprintf("refs/remotes/%s/HEAD", remote)) //nolint:gosec // G204: remote from git config
 	output, err := cmd.Output()
 	if err == nil {
 		ref := strings.TrimSpace(string(output))
@@ -457,12 +452,12 @@ func getDefaultBranchForRemote(ctx context.Context, remote string) string {
 	}
 
 	// Fallback: check if <remote>/main exists
-	if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/main", remote)).Run() == nil {
+	if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/main", remote)).Run() == nil { //nolint:gosec // G204: remote from git config
 		return "main"
 	}
 
 	// Fallback: check if <remote>/master exists
-	if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/master", remote)).Run() == nil {
+	if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/master", remote)).Run() == nil { //nolint:gosec // G204: remote from git config
 		return "master"
 	}
 

cmd/bd/worktree_cmd.go

@@ -565,8 +565,7 @@ func addToGitignore(repoRoot, entry string) error {
 	gitignorePath := filepath.Join(repoRoot, ".gitignore")
 
 	// Read existing content
-	// #nosec G304 -- gitignorePath is constructed from known repoRoot
+	content, err := os.ReadFile(gitignorePath) //nolint:gosec // G304: gitignorePath from known repoRoot
-	content, err := os.ReadFile(gitignorePath)
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}
@@ -580,8 +579,7 @@ func addToGitignore(repoRoot, entry string) error {
 	}
 
 	// Append entry
-	// #nosec G304 -- gitignorePath is constructed from known repoRoot
+	f, err := os.OpenFile(gitignorePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) //nolint:gosec // G302: .gitignore should be world-readable
-	f, err := os.OpenFile(gitignorePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 	if err != nil {
 		return err
 	}
@@ -605,8 +603,7 @@ func addToGitignore(repoRoot, entry string) error {
 func removeFromGitignore(repoRoot, entry string) error {
 	gitignorePath := filepath.Join(repoRoot, ".gitignore")
 
-	// #nosec G304 -- gitignorePath is constructed from known repoRoot
+	content, err := os.ReadFile(gitignorePath) //nolint:gosec // G304: gitignorePath from known repoRoot
-	content, err := os.ReadFile(gitignorePath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil
@@ -632,8 +629,7 @@ func removeFromGitignore(repoRoot, entry string) error {
 		newLines = append(newLines, line)
 	}
 
-	// #nosec G306 -- .gitignore should be world-readable
+	return os.WriteFile(gitignorePath, []byte(strings.Join(newLines, "\n")), 0644) //nolint:gosec // G306: .gitignore should be world-readable
-	return os.WriteFile(gitignorePath, []byte(strings.Join(newLines, "\n")), 0644)
 }
 
 func truncate(s string, maxLen int) string {