diff --git a/.golangci.yml b/.golangci.yml
index 18b2ff6..830ac11 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -7,8 +7,8 @@ run:
   timeout: 5m
 
 linters:
-  # Mandatory org bar. gocritic is non-negotiable; gosec covers code-level
-  # security alongside the nox scan. gocyclo/dupl are intentionally NOT here
+  # Mandatory org bar. gocritic is non-negotiable; code-level security is
+  # owned by nox, not gosec. gocyclo/dupl are intentionally NOT here
   # — they are noisy and repo-specific; opt in per repo if a codebase wants
   # them, but they are not part of the shared gate.
   default: standard
@@ -22,13 +22,6 @@ linters:
     - unconvert
     - unparam
     - gocritic     # org engineering bar — do not drop
-    - gosec
-  exclusions:
-    rules:
-      # Tests legitimately use math/rand (deterministic fixtures, fuzz
-      # seeds). G404 weak-RNG does not apply to test code.
-      - path: _test\.go
-        linters: [gosec]
 
 formatters:
   enable:
diff --git a/viz/html/renderer.go b/viz/html/renderer.go
index 04bdfb5..828b932 100644
--- a/viz/html/renderer.go
+++ b/viz/html/renderer.go
@@ -30,7 +30,6 @@ func (r *Renderer) Render(machine *viz.VizMachine) (string, error) {
 	}{
 		// json.Marshal escapes HTML characters by default, so casting to template.JS is safe here.
 		// We need raw JSON for the script tag.
-		// #nosec G203
 		MachineJSON: template.JS(jsonData),
 	}