fix: add nosec annotations for gosec lint warnings

Steve Yegge
2025-11-25 18:22:05 -08:00
parent 9fc0285987
commit ddced40153
4 changed files with 9 additions and 3 deletions


@@ -1909,7 +1909,7 @@ func checkDeletionsManifest(path string) doctorCheck {
// Check if JSONL has any git history
relPath, _ := filepath.Rel(path, jsonlPath)
cmd := exec.Command("git", "log", "--oneline", "-1", "--", relPath)
cmd := exec.Command("git", "log", "--oneline", "-1", "--", relPath) // #nosec G204 - args are controlled
cmd.Dir = path
if output, err := cmd.Output(); err != nil || len(output) == 0 {
// No git history for JSONL
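Review bot: The justification on the `git log` call, "args are controlled", does not say what makes the arguments safe, which is what the next reader of a suppressed G204 needs. The visible reasons are that the argv is fixed with no shell involved and that `relPath` follows `--`, so git reads it as a pathspec and not as an option; `// #nosec G204 -- fixed argv, no shell; relPath follows "--"` would record that. The double dash is the separator gosec documents for attaching a justification, and every annotation added in this commit uses a single dash instead. Separately, the error from `filepath.Rel` one line up is discarded, so a failure there leaves `relPath` empty and is likely to be reported as "no git history". The body of checkDeletionsManifest continues outside the hunk, so where `jsonlPath` comes from is not visible here.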


@@ -192,7 +192,7 @@ func getHistoricalIDsViaDiff(repoPath, relPath string) (map[string]bool, error)
}
// Get file content at this commit
showCmd := exec.Command("git", "show", commit+":"+relPath)
showCmd := exec.Command("git", "show", commit+":"+relPath) // #nosec G204 - args are from git log output
showCmd.Dir = repoPath
content, err := showCmd.Output()
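Review bot: The justification "args are from git log output" covers only `commit`; `relPath` is a parameter of getHistoricalIDsViaDiff and is concatenated into the same argument. Because the argument begins with `commit`, git cannot read it as an option as long as `commit` really is a hash, but nothing in the hunk checks that, and the code that parses the log output is outside the hunk. I would either validate `commit` as hexadecimal before building the command or state the assumption in the annotation, e.g. `// #nosec G204 -- no shell; commit is a hash parsed from git log, relPath is caller-supplied`.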


@@ -1238,6 +1238,7 @@ func setupGlobalGitAttributes(homeDir string, verbose bool) error {
// Read existing attributes file if it exists
var existingContent string
// #nosec G304 - user config path
if content, err := os.ReadFile(attributesPath); err == nil {
existingContent = string(content)
}
@@ -1260,6 +1261,7 @@ func setupGlobalGitAttributes(homeDir string, verbose bool) error {
newContent += beadsPattern + "\n"
// Write the updated attributes file
// #nosec G306 - config file needs 0644
if err := os.WriteFile(attributesPath, []byte(newContent), 0644); err != nil {
return fmt.Errorf("failed to write global gitattributes: %w", err)
}
@@ -1329,6 +1331,7 @@ func setupGlobalGitIgnore(homeDir string, verbose bool) error {
// Read existing ignore file if it exists
var existingContent string
// #nosec G304 - user config path
if content, err := os.ReadFile(ignorePath); err == nil {
existingContent = string(content)
}
@@ -1365,6 +1368,7 @@ func setupGlobalGitIgnore(homeDir string, verbose bool) error {
}
// Write the updated ignore file
// #nosec G306 - config file needs 0644
if err := os.WriteFile(ignorePath, []byte(newContent), 0644); err != nil {
return fmt.Errorf("failed to write global gitignore: %w", err)
}
@@ -1388,6 +1392,7 @@ func setupClaudeSettings(verbose bool) error {
// Check if settings.local.json already exists
var existingSettings map[string]interface{}
// #nosec G304 - user config path
if content, err := os.ReadFile(settingsPath); err == nil {
if err := json.Unmarshal(content, &existingSettings); err != nil {
existingSettings = make(map[string]interface{})
@@ -1425,6 +1430,7 @@ func setupClaudeSettings(verbose bool) error {
return fmt.Errorf("failed to marshal settings JSON: %w", err)
}
// #nosec G306 - config file needs 0644
if err := os.WriteFile(settingsPath, updatedContent, 0644); err != nil {
return fmt.Errorf("failed to write claude settings: %w", err)
}
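Review bot: The `#nosec G306 - config file needs 0644` justification is repeated verbatim on all three writes, but it is least convincing for `settingsPath` in setupClaudeSettings. Git attribute and ignore files are harmless to share, whereas a per-user tool settings file has no evident need to be world-readable. Writing it with `0600` would satisfy G306 without a suppression, e.g. `os.WriteFile(settingsPath, updatedContent, 0600)`; whether the settings can hold anything sensitive is not visible here, so treat this as a question to settle. The mode passed to `os.WriteFile` applies only when the file is created, so an existing file keeps whatever permissions it already has. All three functions start and end outside these hunks.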


@@ -104,7 +104,7 @@ func AppendDeletion(path string, record DeletionRecord) error {
}
// Open file for appending (create if not exists)
f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) // #nosec G304 - controlled path
f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) // #nosec G302,G304 - controlled path, 0644 needed for git
if err != nil {
return fmt.Errorf("failed to open deletions file for append: %w", err)
}
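Review bot: "0644 needed for git" in the new annotation is doubtful as a reason, because git records only whether a file is executable, not its group or other read bits, so a deletions file created with `0600` would be tracked identically. If the real reason is that other local users or tools must read the file, the annotation should say so; otherwise dropping to `0600` removes the need to suppress G302. "controlled path" is also something AppendDeletion cannot enforce itself, since `path` is a parameter of an exported function; a doc-comment line such as `// path must not be derived from untrusted input.` would put that obligation on callers. The function body extends beyond the hunk.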