From 74af8733f19b3e193f2d35424de56d66fe739236 Mon Sep 17 00:00:00 2001
From: Steve Yegge
Date: Sat, 20 Dec 2025 17:03:02 -0800
Subject: [PATCH] fix(lint): add nosec and nolint annotations to hooks.go
---
 cmd/bd/hooks.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmd/bd/hooks.go b/cmd/bd/hooks.go
index 4cb2c9e6..1f23c15f 100644
--- a/cmd/bd/hooks.go
+++ b/cmd/bd/hooks.go
@@ -407,6 +407,8 @@ func uninstallHooks() error {
 // runPreCommitHook flushes pending changes to JSONL before commit.
 // Returns 0 on success (or if not applicable), non-zero on error.
+//
+//nolint:unparam // Always returns 0 by design - warnings don't block commits
 func runPreCommitHook() int {
 // Check if we're in a bd workspace
 if _, err := os.Stat(".beads"); os.IsNotExist(err) {
@@ -430,6 +432,7 @@ func runPreCommitHook() int {
 // Stage all tracked JSONL files
 for _, f := range []string{".beads/beads.jsonl", ".beads/issues.jsonl", ".beads/deletions.jsonl", ".beads/interactions.jsonl"} {
 if _, err := os.Stat(f); err == nil {
+ // #nosec G204 - f is from hardcoded list above, not user input
 gitAdd := exec.Command("git", "add", f)
 _ = gitAdd.Run() // Ignore errors - file may not exist
 }
@@ -440,6 +443,8 @@ func runPreCommitHook() int {
 // runPostMergeHook imports JSONL after pull/merge.
 // Returns 0 on success (or if not applicable), non-zero on error.
+//
+//nolint:unparam // Always returns 0 by design - warnings don't block merges
 func runPostMergeHook() int {
 // Skip during rebase
 if isRebaseInProgress() {
@@ -504,6 +509,7 @@ func runPrePushHook() int {
 files = append(files, f)
 } else {
 // Check if tracked by git
+ // #nosec G204 - f is from hardcoded list above, not user input
 checkCmd := exec.Command("git", "ls-files", "--error-unmatch", f)
 if checkCmd.Run() == nil {
 files = append(files, f)
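Review bot: The `//nolint:unparam` justification added on runPreCommitHook says the function always returns 0 by design, but the doc comment directly above it still promises "non-zero on error"; the same contradiction is introduced on runPostMergeHook and runPostCheckoutHook. A reader of the doc comment could take a zero return to mean the JSONL flush or import succeeded, which the new annotation says is not guaranteed. I would reword the contract line in all three places, for example `// Always returns 0: failures are reported as warnings and never block the commit.` The function bodies continue outside the hunks, so whether any path can still return non-zero is not visible here.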
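Review bot: The `#nosec G204` comment above the `git add` call in runPreCommitHook separates the rule ID from its reason with a single `-`, whereas gosec's documented form uses `--` to introduce the justification. The rule should still be suppressed as written, but as far as I know the reason is then not picked up as a justification when suppressions are tracked or audited. Suggest `// #nosec G204 -- f comes from the literal list in the enclosing for statement`. The two `#nosec` comments added in runPrePushHook use the same single-dash form.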
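Review bot: The suppression on the `git ls-files` call in runPrePushHook rests on a "hardcoded list above" that lies outside this hunk, so the claim cannot be checked here and would silently stop being true if that list were ever built from configuration or the worktree. Passing an end-of-options marker keeps the argument from being read as an option whatever `f` holds: `exec.Command("git", "ls-files", "--error-unmatch", "--", f)`, matching the `"--"` already used for the `git status` arguments later in the same function. The `git add` call in runPreCommitHook could take the same `"--"` before `f`.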
@@ -517,6 +523,7 @@ func runPrePushHook() int {
 // Check for uncommitted changes using git status
 args := append([]string{"status", "--porcelain", "--"}, files...)
+ // #nosec G204 - args built from hardcoded list and git subcommands
 statusCmd := exec.Command("git", args...)
 output, _ := statusCmd.Output()
 if len(output) > 0 {
@@ -539,6 +546,8 @@ func runPrePushHook() int {
 // runPostCheckoutHook imports JSONL after branch checkout.
 // args: [previous-HEAD, new-HEAD, flag] where flag=1 for branch checkout
 // Returns 0 on success (or if not applicable), non-zero on error.
+//
+//nolint:unparam // Always returns 0 by design - warnings don't block checkouts
 func runPostCheckoutHook(args []string) int {
 // Only run on branch checkouts (flag=1)
 if len(args) >= 3 && args[2] != "1" {
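Review bot: The annotated `git status` call in runPrePushHook discards its error (`output, _ := statusCmd.Output()`), so a failed invocation yields empty output and is indistinguishable from a clean tree; the uncommitted-changes check fails open. Since this commit marks the call as reviewed for gosec, the error is worth handling at the same time, for example `output, err := statusCmd.Output()` followed by a warning on stderr when `err != nil`. Whether a failure should block the push or only warn depends on the rest of the function, which lies outside the hunk.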