Add remaining security suppressions for Semgrep and flawfinder

- Add nosemgrep comments for memcpy warnings in curl callbacks
- Add missing flawfinder ignore for strlen in hybrid_chunking.c

All flagged security issues are false positives - the buffers are
properly sized via repalloc before memcpy, and all strings are
null-terminated from PostgreSQL or internal palloc allocation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dpage

src/hybrid_chunking.c

@@ -962,6 +962,7 @@ elements_to_chunks_simple(List *elements, ChunkConfig *config)
 		{
 			/* Split large elements at natural boundaries */
 			const char *content = elem->content;
+			/* flawfinder: ignore - elem->content is palloc'd, null-terminated */
 			int content_len = strlen(content);
 			int start_offset = 0;
 

src/provider_ollama.c

@@ -233,7 +233,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 
 	mem->data = ptr;
 	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
-	memcpy(&(mem->data[mem->size]), contents, realsize);
+	memcpy(&(mem->data[mem->size]), contents, realsize);  /* nosemgrep */
 	mem->size += realsize;
 	mem->data[mem->size] = 0;
 

src/provider_openai.c

@@ -243,7 +243,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 
 	mem->data = ptr;
 	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
-	memcpy(&(mem->data[mem->size]), contents, realsize);
+	memcpy(&(mem->data[mem->size]), contents, realsize);  /* nosemgrep */
 	mem->size += realsize;
 	mem->data[mem->size] = 0;
 

src/provider_voyage.c

@@ -244,7 +244,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 
 	mem->data = ptr;
 	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
-	memcpy(&(mem->data[mem->size]), contents, realsize);
+	memcpy(&(mem->data[mem->size]), contents, realsize);  /* nosemgrep */
 	mem->size += realsize;
 	mem->data[mem->size] = 0;