fix: resolve range variable address bug in holdout loop (CWE-118)

- Changed loop from 'for _, holdout := range holdouts' to 'for i := range holdouts'
- Created proper pointer 'holdout := &holdouts[i]' to avoid address-of-iteration-variable issue
- This fixes the security warning where all iterations would point to the same memory location
- All tests passing

Resolves Prisma Cloud security scan: Incorrect access of indexable resource

Author: Mat001

pkg/decision/holdout_service.go

@@ -52,7 +52,8 @@ func (h HoldoutService) GetDecision(decisionContext FeatureDecisionContext, user
 
 	holdouts := decisionContext.ProjectConfig.GetHoldoutsForFlag(feature.Key)
 
-	for _, holdout := range holdouts {
+	for i := range holdouts {
+		holdout := &holdouts[i]
 		h.logger.Debug(fmt.Sprintf("Evaluating holdout %s for feature %s", holdout.Key, feature.Key))
 
 		// Check if holdout is running
@@ -63,7 +64,7 @@ func (h HoldoutService) GetDecision(decisionContext FeatureDecisionContext, user
 		}
 
 		// Check audience conditions
-		inAudience := h.checkIfUserInHoldoutAudience(&holdout, userContext, decisionContext.ProjectConfig, options)
+		inAudience := h.checkIfUserInHoldoutAudience(holdout, userContext, decisionContext.ProjectConfig, options)
 		reasons.Append(inAudience.reasons)
 
 		if !inAudience.result {