From 4f984cd9c6db5cb62066372bad74e2bae6508a4f Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@git.eeqj.de>
Date: Thu, 19 Feb 2026 23:41:43 -0800
Subject: [PATCH] fix: suppress gosec G204 for validated GPG key ID inputs

---
 internal/secret/pgpunlocker.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/internal/secret/pgpunlocker.go b/internal/secret/pgpunlocker.go
index 1fedb17..bca1546 100644
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@@ -320,7 +320,9 @@ func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	}
 
 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
+		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
+	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@@ -359,7 +361,9 @@ func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}
 
-	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
+		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
+	)
 	cmd.Stdin = strings.NewReader(data.String())
 
 	output, err := cmd.Output()