diff --git a/.golangci.yml b/.golangci.yml
index 211ae47b..8906ac3f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -38,6 +38,11 @@ linters:
 linters:
 - gosec
 text: "G304"
+# G306: File permissions 0644 in tests are acceptable (test fixtures)
+- path: '_test\.go'
+linters:
+- gosec
+text: "G306"
 # G304: Safe file reads from known JSONL and error paths
 - path: 'cmd/bd/autoflush\.go|internal/daemon/discovery\.go|internal/daemonrunner/sync\.go'
 linters:
diff --git a/cmd/bd/autoflush.go b/cmd/bd/autoflush.go
index 8f5ba7db..3d5dbc3e 100644
--- a/cmd/bd/autoflush.go
+++ b/cmd/bd/autoflush.go
@@ -46,7 +46,7 @@ func findJSONLPath() string {
 // Ensure the directory exists (important for new databases)
 // This is the only difference from the public API - we create the directory
 dbDir := filepath.Dir(dbPath)
-if err := os.MkdirAll(dbDir, 0755); err != nil {
+if err := os.MkdirAll(dbDir, 0750); err != nil {
 // If we can't create the directory, return discovered path anyway
 // (the subsequent write will fail with a clearer error)
 return jsonlPath
diff --git a/internal/daemon/registry.go b/internal/daemon/registry.go
index 3843ce4e..03e642fb 100644
--- a/internal/daemon/registry.go
+++ b/internal/daemon/registry.go
@@ -34,7 +34,7 @@ func NewRegistry() (*Registry, error) {
 }
 
 beadsDir := filepath.Join(home, ".beads")
-if err := os.MkdirAll(beadsDir, 0755); err != nil {
+if err := os.MkdirAll(beadsDir, 0750); err != nil {
 return nil, fmt.Errorf("failed to create .beads directory: %w", err)
 }
 
diff --git a/internal/daemonrunner/daemon_test.go b/internal/daemonrunner/daemon_test.go
index 55100065..642bb069 100644
--- a/internal/daemonrunner/daemon_test.go
+++ b/internal/daemonrunner/daemon_test.go
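Review bot: The new exclude rule silences G306 for every `_test.go` file, yet the other hunks in this same commit already tighten the test fixtures to 0600, so after the commit the rule suppresses nothing it needs to and its rationale comment (`0644 in tests are acceptable`) no longer matches the code. Either drop the rule so a future test-side regression to 0644 is still flagged, or keep it and reword the comment to state the actual policy, e.g. `# G306: test fixtures live in t.TempDir(); permissive modes are tolerated there`. Note that `path` is a regular expression, so `'_test\.go'` matches any path containing that substring; if the linter matches unanchored, `'_test\.go$'` would be tighter.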
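Review bot: `os.MkdirAll(dbDir, 0750)` only applies the new mode when it creates the directory; a `.beads` directory that already exists keeps whatever mode it was created with (0755 under the old code), and the mode is further masked by the process umask, so this one-line change does not tighten existing installs. If the intent is to keep the database and JSONL unreadable by other users, the comment above should say so and pre-existing directories would need a separate check (e.g. `os.Stat` followed by `os.Chmod` when the mode is wider than 0750); if it is only a lint-driven default, a short note such as `// 0750: new dirs are not world-readable (MkdirAll leaves an existing dir's mode unchanged)` keeps readers from assuming more. `findJSONLPath` starts and ends outside the hunk.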
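Review bot: `~/.beads` is created 0750 here, which is still group-readable, whereas the files this commit writes elsewhere are tightened to 0600; for a per-user directory under `$HOME` that presumably holds daemon registry state, `os.MkdirAll(beadsDir, 0700)` would match that intent more closely unless group access is deliberately required, in which case a comment stating why would help. As with any `MkdirAll`, a pre-existing `~/.beads` keeps its old mode, so the change only takes effect on fresh home directories. `NewRegistry` starts and ends outside the hunk.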
@@ -44,10 +44,10 @@ func TestDetermineDatabasePath(t *testing.T) {
 beadsDir := filepath.Join(tmpDir, ".beads")
 dbPath := filepath.Join(beadsDir, "beads.db")
-if err := os.MkdirAll(beadsDir, 0755); err != nil {
+if err := os.MkdirAll(beadsDir, 0750); err != nil {
 t.Fatalf("Failed to create beads dir: %v", err)
 }
-if err := os.WriteFile(dbPath, []byte("test"), 0644); err != nil {
+if err := os.WriteFile(dbPath, []byte("test"), 0600); err != nil {
 t.Fatalf("Failed to create db file: %v", err)
 }
diff --git a/internal/types/lock_check_test.go b/internal/types/lock_check_test.go
index 2d5df28a..6b5ef90c 100644
--- a/internal/types/lock_check_test.go
+++ b/internal/types/lock_check_test.go
@@ -36,7 +36,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 Version: "1.0.0",
 }
 data, _ := json.Marshal(lock)
-if err := os.WriteFile(lockPath, data, 0644); err != nil {
+if err := os.WriteFile(lockPath, data, 0600); err != nil {
 t.Fatal(err)
 }
 defer os.Remove(lockPath)
@@ -69,7 +69,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 Version: "1.0.0",
 }
 data, _ := json.Marshal(lock)
-if err := os.WriteFile(lockPath, data, 0644); err != nil {
+if err := os.WriteFile(lockPath, data, 0600); err != nil {
 t.Fatal(err)
 }
 defer os.Remove(lockPath)
@@ -115,7 +115,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 Version: "1.0.0",
 }
 data, _ := json.Marshal(lock)
-if err := os.WriteFile(lockPath, data, 0644); err != nil {
+if err := os.WriteFile(lockPath, data, 0600); err != nil {
 t.Fatal(err)
 }
 defer os.Remove(lockPath)
@@ -142,7 +142,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 Version: "1.0.0",
 }
 data, _ := json.Marshal(lock)
-if err := os.WriteFile(lockPath, data, 0644); err != nil {
+if err := os.WriteFile(lockPath, data, 0600); err != nil {
 t.Fatal(err)
 }
 defer os.Remove(lockPath)
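Review bot: The mode literal `0600` is now duplicated across four otherwise identical fixture writes in `TestShouldSkipDatabase`, each preceded by a `json.Marshal` whose error is discarded with `data, _ :=`; a small `t.Helper()` would keep the permission in one place and check the marshal error at the same time. Each call site then collapses to `writeLock(t, lockPath, lock)` followed by the existing `defer os.Remove(lockPath)`. `TestShouldSkipDatabase` starts and ends outside these hunks, so the helper would sit alongside it in the same file.
```go
// writeLock marshals lock to lockPath as a 0600 test fixture, failing the test on any error.
func writeLock(t *testing.T, lockPath string, lock any) {
	t.Helper()
	data, err := json.Marshal(lock)
	if err != nil {
		t.Fatal(err)
	}
	if err := os.WriteFile(lockPath, data, 0600); err != nil {
		t.Fatal(err)
	}
}
```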