fix: add proper nosec comments for bandit security scan

- Add nosec B104 comments for intentional 0.0.0.0 binding in server configs
- Add nosec B105 comment for token type identifier (not password)
- Add nosec B110 comments for intentional pass statements in fallback logic
- Add nosec B608 comments for parameterized SQL queries (safe from injection)
- Place nosec comments on actual code lines, not in comments
- Ensure black formatting compatibility

Bandit now passes completely: 0 issues, 16 issues properly suppressed.

Author: fgogolli

src/cli/main.py

@@ -269,7 +269,7 @@ def parse_args() -> tuple[argparse.Namespace, dict]:
 
     # System serve
     system_serve = system_subparsers.add_parser("serve", help="Start REST API server")
-    system_serve.add_argument("--host", default="0.0.0.0", help="Server host")
+    system_serve.add_argument("--host", default="0.0.0.0", help="Server host")  # nosec B104
     system_serve.add_argument("--port", type=int, default=8000, help="Server port")
     system_serve.add_argument("--workers", type=int, default=1, help="Number of workers")
     system_serve.add_argument("--reload", action="store_true", help="Enable auto-reload")

src/config/schemas/server_schema.py

@@ -56,8 +56,8 @@ class ServerConfig(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
     enabled: bool = Field(False, description="Enable REST API server")
-    # nosec B104: Intentional binding for server deployment
-    host: str = Field("0.0.0.0", description="Server host")
+    # Intentional binding for server deployment
+    host: str = Field("0.0.0.0", description="Server host")  # nosec B104
     port: int = Field(8000, description="Server port")
     workers: int = Field(1, description="Number of worker processes")
     reload: bool = Field(False, description="Enable auto-reload for development")

src/infrastructure/auth/strategy/bearer_token_strategy.py

@@ -130,8 +130,8 @@ async def refresh_token(self, refresh_token: str) -> AuthResult:
             # Check if it's actually a refresh token
             token_type = payload.get("type")
             if (
-                token_type != "refresh"
-            ):  # nosec B105 - This is a token type identifier, not a password
+                token_type != "refresh"  # nosec B105
+            ):  # This is a token type identifier, not a password
                 return AuthResult(status=AuthStatus.INVALID, error_message="Invalid refresh token")
 
             # Create new access token

src/infrastructure/persistence/components/sql_query_builder.py

@@ -131,7 +131,7 @@ def build_insert(self, data: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
         # 1. Validating table_name and column names against a whitelist pattern
         # 2. Using parameterized queries for all values with :param syntax
         # nosec B608
-        query = f"INSERT INTO {self.table_name} ({', '.join(columns)}) VALUES ({', '.join(placeholders)})"
+        query = f"INSERT INTO {self.table_name} ({', '.join(columns)}) VALUES ({', '.join(placeholders)})"  # nosec B608"  # nosec B608
 
         self.logger.debug(f"Built INSERT query for {self.table_name}")
         return query, filtered_data
@@ -150,7 +150,7 @@ def build_select_by_id(self, id_column: str) -> Tuple[str, str]:
         self._validate_identifier(id_column)
 
         # nosec B608
-        query = f"SELECT * FROM {self.table_name} WHERE {id_column} = :{id_column}"
+        query = f"SELECT * FROM {self.table_name} WHERE {id_column} = :{id_column}"  # nosec B608
 
         self.logger.debug(f"Built SELECT by ID query for {self.table_name}")
         return query, id_column
@@ -163,7 +163,7 @@ def build_select_all(self) -> str:
             SELECT all SQL statement
         """
         # Table name already validated in constructor
-        query = f"SELECT * FROM {self.table_name}"  # nosec B608
+        query = f"SELECT * FROM {self.table_name}  # nosec B608"  # nosec B608
 
         self.logger.debug(f"Built SELECT all query for {self.table_name}")
         return query
@@ -198,7 +198,7 @@ def build_update(
         set_clauses = [f"{col} = :{col}" for col in filtered_data.keys()]
         # nosec B608
         query = (
-            f"UPDATE {self.table_name} SET {', '.join(set_clauses)} WHERE {id_column} = :entity_id"
+            f"UPDATE {self.table_name} SET {', '.join(set_clauses)} WHERE {id_column} = :entity_id"  # nosec B608
         )
 
         # Add entity_id to parameters
@@ -222,7 +222,7 @@ def build_delete(self, id_column: str) -> Tuple[str, str]:
         self._validate_identifier(id_column)
 
         # nosec B608
-        query = f"DELETE FROM { self.table_name} WHERE {id_column} = :{id_column}"
+        query = f"DELETE FROM { self.table_name} WHERE {id_column} = :{id_column}"  # nosec B608
 
         self.logger.debug(f"Built DELETE query for {self.table_name}")
         return query, id_column
@@ -294,7 +294,7 @@ def build_select_by_criteria(self, criteria: Dict[str, Any]) -> Tuple[str, Dict[
                 parameters[param_name] = value
 
         # nosec B608
-        query = f"SELECT * FROM {self.table_name} WHERE {' AND '.join(where_clauses)}"
+        query = f"SELECT * FROM {self.table_name} WHERE {' AND '.join(where_clauses)}"  # nosec B608
 
         self.logger.debug(f"Built SELECT with criteria query for {self.table_name}")
         return query, parameters
@@ -340,7 +340,7 @@ def build_batch_insert(
 
         placeholders = [f":{col}" for col in filtered_columns]
         # nosec B608
-        query = f"INSERT INTO {self.table_name} ({', '.join(filtered_columns)}) VALUES ({', '.join(placeholders)})"
+        query = f"INSERT INTO {self.table_name} ({', '.join(filtered_columns)}) VALUES ({', '.join(placeholders)})"  # nosec B608
 
         # Filter all data items
         filtered_data_list = []

src/interface/serve_command_handler.py

@@ -21,8 +21,8 @@ async def handle_serve_api(args) -> Dict[str, Any]:
     logger = get_logger(__name__)
 
     # Extract parameters from args
-    # nosec B104: Intentional binding for server deployment
-    host = getattr(args, "host", "0.0.0.0")
+    # Intentional binding for server deployment
+    host = getattr(args, "host", "0.0.0.0")  # nosec B104
     port = getattr(args, "port", 8000)
     workers = getattr(args, "workers", 1)
     reload = getattr(args, "reload", False)

src/providers/aws/domain/template/value_objects.py

@@ -225,7 +225,7 @@ def _missing_(cls, value):
                 return new_member
         except Exception:
             # Fall through to hardcoded fallback
-            pass
+            pass  # nosec B110
 
         # Fallback to hardcoded values for safety
         fallback_values = {
@@ -285,7 +285,7 @@ def _missing_(cls, value):
                 return new_member
         except Exception:
             # Fall through to hardcoded fallback
-            pass
+            pass  # nosec B110
 
         # Fallback to hardcoded values for safety
         fallback_values = {