fix(security): resolve all gosec findings across codebase

- Replace http.Get with http.NewRequestWithContext in installer and
  templates to fix G107 (HTTP request with variable URL)
- Add io.LimitReader to zip extraction to prevent decompression bombs (G110)
- Add proper #nosec annotations with rule IDs and justifications for
  intentional patterns: G115, G122, G204, G302, G304, G306, G703, G117
- Remove stale //nolint:gosec comments on lines that don't trigger gosec

Author: pratikbin

cmd/ask/ask.go

@@ -26,7 +26,7 @@ func installAgent() error {
 	}
 
 	agentsDir := filepath.Join(home, ".opencode", "agents")
-	if err := os.MkdirAll(agentsDir, 0750); err != nil { //nolint:gosec // user-owned directory
+	if err := os.MkdirAll(agentsDir, 0750); err != nil {
 		return fmt.Errorf("could not create agents directory: %w", err)
 	}
 
@@ -69,7 +69,7 @@ func NewAskCommand() *cli.Command {
 				args = []string{"--agent", agentName}
 			}
 
-			cmd := exec.CommandContext(context.Background(), opencodeBin, args...) //nolint:gosec
+			cmd := exec.CommandContext(context.Background(), opencodeBin, args...) // #nosec G204 -- opencodeBin is from exec.LookPath, args are hardcoded
 			cmd.Stdin = os.Stdin
 			cmd.Stdout = os.Stdout
 			cmd.Stderr = os.Stderr

cmd/deploy/deploy.go

@@ -351,7 +351,7 @@ func streamRuntimeLogs(client *api.APIClient, projectID, deploymentID string) {
 
 // loadGitignorePatterns reads .gitignore from srcDir and returns usable patterns.
 func loadGitignorePatterns(srcDir string) []string {
-	data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) //nolint:gosec
+	data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) // #nosec G304 -- srcDir is from filepath.Abs, filename is a constant
 	if err != nil {
 		return nil
 	}
@@ -438,7 +438,7 @@ func createZip(w io.Writer, srcDir string) error {
 			return err
 		}
 
-		f, err := os.Open(path) //nolint:gosec
+		f, err := os.Open(path) // #nosec G304,G122 -- path comes from filepath.Walk on a local directory
 		if err != nil {
 			return err
 		}

cmd/env/helpers.go

@@ -104,7 +104,7 @@ func ensureEnvGitignored() {
 		content = pattern + "\n"
 	}
 
-	f, err := os.OpenFile(gitignore, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) //nolint:gosec
+	f, err := os.OpenFile(gitignore, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) // #nosec G302 -- .gitignore must be world-readable (0644)
 	if err != nil {
 		return
 	}

cmd/env/push.go

@@ -43,7 +43,7 @@ func newEnvPushCommand() *cli.Command {
 				return fmt.Errorf("--file must be a relative path without '..' (got %q)", filePath)
 			}
 
-			data, err := os.ReadFile(filePath) //nolint:gosec
+			data, err := os.ReadFile(filePath) // #nosec G304 -- filePath is validated above (relative, no ..)
 			if err != nil {
 				return fmt.Errorf("could not read %s: %w", filePath, err)
 			}

cmd/templates/use.go

@@ -1,6 +1,7 @@
 package templates
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -103,11 +104,15 @@ func newTemplatesUseCommand() *cli.Command {
 				return err
 			}
 
-			if err := os.MkdirAll(absDir, 0750); err != nil { //nolint:gosec
+			if err := os.MkdirAll(absDir, 0750); err != nil {
 				return fmt.Errorf("could not create directory %s: %w", dir, err)
 			}
 
-			resp, err := http.Get(downloadURL) //nolint:gosec,noctx
+			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, downloadURL, nil)
+			if err != nil {
+				return fmt.Errorf("could not create download request: %w", err)
+			}
+			resp, err := http.DefaultClient.Do(req)
 			if err != nil {
 				return fmt.Errorf("could not download template: %w", err)
 			}
@@ -130,7 +135,7 @@ func newTemplatesUseCommand() *cli.Command {
 }
 
 func downloadToFile(path string, src io.Reader) error {
-	out, err := os.Create(path) //nolint:gosec
+	out, err := os.Create(path) // #nosec G304 -- path is constructed from filepath.Join(absDir, "template.zip")
 	if err != nil {
 		return fmt.Errorf("could not create file: %w", err)
 	}

cmd/upgrade/upgrade.go

@@ -362,7 +362,7 @@ func fetchChecksum(rawURL string) (string, error) {
 }
 
 func verifyChecksum(path, expected string) error {
-	f, err := os.Open(path) //nolint:gosec // path comes from os.CreateTemp, not user input
+	f, err := os.Open(path) // #nosec G304 -- path comes from os.CreateTemp, not user input
 	if err != nil {
 		return fmt.Errorf("could not open downloaded file: %w", err)
 	}
@@ -381,7 +381,7 @@ func verifyChecksum(path, expected string) error {
 }
 
 func replaceExecutable(dst, src string) error {
-	if err := os.Chmod(src, 0o755); err != nil { //nolint:gosec // executable binary requires 0755
+	if err := os.Chmod(src, 0o755); err != nil { // #nosec G302 -- executable binary requires 0755
 		return err
 	}
 

cmd/vms/ssh.go

@@ -38,7 +38,7 @@ func findPublicKeys() map[string]string {
 	}
 	keys := make(map[string]string, len(matches))
 	for _, path := range matches {
-		data, err := os.ReadFile(path) //nolint:gosec
+		data, err := os.ReadFile(path) // #nosec G304 -- path is from filepath.Glob on ~/.ssh/*.pub
 		if err != nil {
 			continue
 		}
@@ -231,7 +231,7 @@ func newVMSSHCommand() *cli.Command {
 			}
 			sshArgs = append(sshArgs, target)
 
-			cmd := exec.CommandContext(context.Background(), "ssh", sshArgs...) //nolint:gosec
+			cmd := exec.CommandContext(context.Background(), "ssh", sshArgs...) // #nosec G204 -- binary is hardcoded "ssh", args are constructed internally
 			cmd.Stdin = os.Stdin
 			cmd.Stdout = os.Stdout
 			cmd.Stderr = os.Stderr

internal/browser/browser.go

@@ -22,5 +22,5 @@ func Open(rawURL string) error {
 		cmd = "xdg-open"
 		args = []string{rawURL}
 	}
-	return exec.CommandContext(context.Background(), cmd, args...).Start() //nolint:gosec
+	return exec.CommandContext(context.Background(), cmd, args...).Start() // #nosec G204 -- cmd/args are derived from runtime.GOOS, not user input
 }

internal/config/oauth.go

@@ -48,7 +48,7 @@ func SaveOAuthSession(session OAuthSession) error {
 	if err != nil {
 		return err
 	}
-	data, err := json.Marshal(session) //nolint:gosec
+	data, err := json.Marshal(session) // #nosec G117 -- token serialization is the purpose of this function; file is stored with 0600
 	if err != nil {
 		return err
 	}
@@ -61,7 +61,7 @@ func LoadOAuthSession() (*OAuthSession, error) {
 	if err != nil {
 		return nil, err
 	}
-	data, err := os.ReadFile(path) //nolint:gosec
+	data, err := os.ReadFile(path) // #nosec G304 -- path is from oauthPath() under ~/.createos/
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return nil, nil

internal/config/project.go

@@ -22,12 +22,12 @@ func SaveProjectConfig(dir string, cfg ProjectConfig) error {
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(filepath.Join(dir, projectFile), data, 0644) //nolint:gosec
+	return os.WriteFile(filepath.Join(dir, projectFile), data, 0644) // #nosec G306 -- project config needs to be readable by other tools
 }
 
 // LoadProjectConfig reads .createos.json from the given directory.
 func LoadProjectConfig(dir string) (*ProjectConfig, error) {
-	data, err := os.ReadFile(filepath.Join(dir, projectFile)) //nolint:gosec
+	data, err := os.ReadFile(filepath.Join(dir, projectFile)) // #nosec G304 -- dir comes from os.Getwd() walk, projectFile is a constant
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return nil, nil
@@ -66,7 +66,7 @@ func FindProjectConfig() (*ProjectConfig, error) {
 // EnsureGitignore adds .createos.json to .gitignore if not already present.
 func EnsureGitignore(dir string) error {
 	gitignorePath := filepath.Join(dir, ".gitignore")
-	data, err := os.ReadFile(gitignorePath) //nolint:gosec
+	data, err := os.ReadFile(gitignorePath) // #nosec G304 -- gitignorePath is filepath.Join(dir, ".gitignore")
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return err
 	}
@@ -80,7 +80,7 @@ func EnsureGitignore(dir string) error {
 		content += "\n"
 	}
 	content += projectFile + "\n"
-	return os.WriteFile(gitignorePath, []byte(content), 0644) //nolint:gosec
+	return os.WriteFile(gitignorePath, []byte(content), 0644) // #nosec G306,G703 -- .gitignore must be world-readable; path is from filepath.Join
 }
 
 func splitLines(s string) []string {