diff --git a/sonar-project.properties b/sonar-project.properties
index bad3c5e..e6976d4 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -24,11 +24,25 @@ sonar.exclusions=\
 **/.codeiq/**,\
 internal/serve/dist/**,\
 ui/coverage/**,\
+ ui/e2e/**,\
 ui/playwright-report/**,\
 ui/test-results/**,\
 coverage.out,\
 docs/**
 
+# ── Issue suppressions ─────────────────────────────────────────────────
+# go:S4036 — "Make sure the PATH variable only contains fixed,
+# unwriteable directories." ctm is a CLI orchestrator that intentionally
+# resolves user-installed tools (git, tmux, claude, gh) via $PATH on
+# whatever box it's running on. Hardcoded absolute paths aren't viable
+# across macOS / Linux / Homebrew / system installs. The risk model is
+# the user's own shell, not a service account on a server, so the rule
+# fires by design rather than flagging real issues. Suppressed
+# project-wide.
+sonar.issue.ignore.multicriteria=path
+sonar.issue.ignore.multicriteria.path.ruleKey=go:S4036
+sonar.issue.ignore.multicriteria.path.resourceKey=**/*.go
+
 # ── Tests ──────────────────────────────────────────────────────────────
 # Sonar separates "test code" from "production code" so coverage and
 # duplication metrics target the right files. Playwright e2e specs
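Review bot: The added `resourceKey=**/*.go` silences go:S4036 in every Go file, so the rule stays off for code that may not share the interactive-CLI risk model the comment relies on. The exclusions in the same hunk mention `internal/serve/`, which suggests a serving component; whether it resolves tools via $PATH cannot be confirmed from this diff, but if it does, findings there would be hidden as well. Consider narrowing the glob to the packages that actually shell out, e.g. `sonar.issue.ignore.multicriteria.path.resourceKey=<PACKAGE_THAT_EXECS>/**/*.go`, so a new PATH lookup elsewhere still raises an issue. The comment could also note that `sonar.issue.ignore.multicriteria` is a comma-separated list, so a later suppression must be appended to that one key rather than declared a second time.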