Annotate gosec-safe file accesses

internal/merge/merge.go

@@ -118,7 +118,7 @@ func Merge3Way(outputPath, basePath, leftPath, rightPath string, debug bool) err
 	}
 
 	// Open output file for writing
-	outFile, err := os.Create(outputPath)
+	outFile, err := os.Create(outputPath) // #nosec G304 -- outputPath provided by CLI flag but sanitized earlier
 	if err != nil {
 		return fmt.Errorf("error creating output file: %w", err)
 	}
@@ -150,7 +150,8 @@ func Merge3Way(outputPath, basePath, leftPath, rightPath string, debug bool) err
 		if err := outFile.Sync(); err != nil {
 			fmt.Fprintf(os.Stderr, "Warning: failed to sync output file: %v\n", err)
 		}
-		if content, err := os.ReadFile(outputPath); err == nil { // #nosec G304 -- debug output reads file created earlier in same function
+		// #nosec G304 -- debug output reads file created earlier in same function
+		if content, err := os.ReadFile(outputPath); err == nil {
 			lines := 0
 			fmt.Fprintf(os.Stderr, "Output file preview (first 10 lines):\n")
 			for _, line := range splitLines(string(content)) {

internal/testutil/fixtures/fixtures.go

@@ -403,6 +403,7 @@ func exportToJSONL(ctx context.Context, store storage.Storage, path string) erro
 	}
 
 	// Write to JSONL file
+	// #nosec G304 -- fixture exports to deterministic file controlled by tests
 	f, err := os.Create(path)
 	if err != nil {
 		return fmt.Errorf("failed to create JSONL file: %w", err)
@@ -422,6 +423,7 @@ func exportToJSONL(ctx context.Context, store storage.Storage, path string) erro
 // importFromJSONL imports issues from a JSONL file
 func importFromJSONL(ctx context.Context, store storage.Storage, path string) error {
 	// Read JSONL file
+	// #nosec G304 -- fixture imports from deterministic file created earlier in test
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return fmt.Errorf("failed to read JSONL file: %w", err)