ci: unblock SAST (Bandit) and Kuiper64 regressions

- .bandit-baseline.json: regenerated to pick up the two new Low
  severity findings introduced by ``adidt/cli/gen_dts.py`` (B404
  subprocess import, B603 subprocess.run call).  Both are a safe
  ``dtc`` invocation with a hard-coded argv list and no shell=True.

- .github/workflows/test-kuiper.yml: install ``python3-dev`` inside
  the Kuiper64 arm64 container before ``pip install .[test]``.
  ``aandrisa/kuiper_basic_64:latest`` was refreshed ~24h before
  this PR such that docplex's sdist install path now triggers a
  numpy-1.26.4 source build; without Python.h that build fails.
  The regression affects every PR opened after the image refresh,
  not only this branch.

Author: tfcollins