
Strip explanatory text from nosec comments to silence Bandit warnings

Bandit parses all words after `# nosec BXXX` as test IDs, producing
~35 "not a test name or id" warnings. Trim to just `# nosec BXXX`.
maziggy 3 months ago
parent
commit
7b90c743c2

+ 1 - 1
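--- a/backend/app/core/auth.py
+++ b/backend/app/core/auth.py
@@ -75,7 +75,7 @@ def _get_jwt_secret() -> str:
         # Note: CodeQL flags this as "clear-text storage of sensitive information" but this is
         # intentional and secure - JWT secrets must be readable by the app, we set 0600 permissions,
         # and this is standard practice for self-hosted applications (same as .env files).
-        secret_file.write_text(new_secret)  # nosec B105 - intentional secure storage
+        secret_file.write_text(new_secret)  # nosec B105
         # Restrict permissions (owner read/write only)
         secret_file.chmod(0o600)
         logger.info("Generated new JWT secret and saved to %s", secret_file)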
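Review bot: The secret is written by `secret_file.write_text(new_secret)` before `secret_file.chmod(0o600)` runs, so the file briefly exists with whatever mode the process umask allows, and it stays that way if anything fails between the two calls. Creating the file with the restrictive mode from the start closes that window, for example `fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "w") as fh: fh.write(new_secret)`. Keep the `chmod` afterwards, because the mode passed to `os.open` only applies when the file is newly created. This assumes `os` is imported in the module, which the hunk does not show; `_get_jwt_secret` starts and ends outside the hunk.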

+ 1 - 1
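--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -76,7 +76,7 @@ def _start_error_server(missing_packages: list):
     print(f"\nStarting error server on http://0.0.0.0:{port}")
     print("Visit this URL in your browser to see the error details.\n")
 
-    server = HTTPServer(("0.0.0.0", port), ErrorHandler)  # nosec B104 - intentional bind-all for container
+    server = HTTPServer(("0.0.0.0", port), ErrorHandler)  # nosec B104
 
     def shutdown(signum, frame):
         print("\nShutting down error server...")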
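Review bot: With the trailing text removed, the `# nosec B104` on the `HTTPServer(("0.0.0.0", port), ErrorHandler)` line no longer records why binding to all interfaces is acceptable. The reason should move to a comment line above the statement rather than disappear, e.g. `# Bind to all interfaces on purpose: the error page must be reachable from outside the container.` The same applies to the suppressions trimmed in bambu_ftp.py, external_camera.py, ftp_server.py, mqtt_server.py and tcp_proxy.py, whose reasons ("FTP required by Bambu Lab printer protocol", "SSRF blocklist, not a bind", "virtual printer proxy") are now recoverable only from history. `_start_error_server` continues outside the hunk.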

+ 1 - 1
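--- a/backend/app/services/bambu_ftp.py
+++ b/backend/app/services/bambu_ftp.py
@@ -1,5 +1,5 @@
 import asyncio
-import ftplib  # nosec B402 - FTP required by Bambu Lab printer protocol
+import ftplib  # nosec B402
 import logging
 import os
 import socket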

+ 1 - 1
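--- a/backend/app/services/external_camera.py
+++ b/backend/app/services/external_camera.py
@@ -59,7 +59,7 @@ def _sanitize_camera_url(url: str, allowed_schemes: tuple[str, ...] = ("http", "
             "localhost",  # Block localhost to prevent internal service access
             "127.0.0.1",
             "::1",
-            "0.0.0.0",  # nosec B104 - SSRF blocklist, not a bind
+            "0.0.0.0",  # nosec B104
         )
         if hostname_lower in blocked_hosts:
             logger.warning("Blocked camera URL targeting restricted host: %s", hostname)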
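Review bot: `blocked_hosts` is compared with `hostname_lower` as literal strings, so the check `if hostname_lower in blocked_hosts` rejects only these four exact spellings; other addresses in 127.0.0.0/8, or a hostname that resolves to a loopback address, would pass it. If the rest of `_sanitize_camera_url` (outside this hunk) does not already do so, parse the host with `ipaddress.ip_address()` and reject on `is_loopback`, `is_unspecified` and `is_link_local`, and apply the same test to the addresses the name resolves to. A short comment above the tuple stating that it is an SSRF blocklist would also replace the reason this commit removes from the `# nosec` line.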

+ 1 - 1
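--- a/backend/app/services/homeassistant.py
+++ b/backend/app/services/homeassistant.py
@@ -194,7 +194,7 @@ class HomeAssistantService:
             return None
         if parsed.scheme not in ("http", "https") or not parsed.hostname:
             return None
-        blocked = ("169.254.169.254", "metadata.google.internal", "0.0.0.0")
+        blocked = ("169.254.169.254", "metadata.google.internal", "0.0.0.0")  # nosec B104
         if parsed.hostname.lower() in blocked or (parsed.hostname or "").startswith("169.254."):
             return None
         return f"{parsed.scheme}://{parsed.hostname}" + (f":{parsed.port}" if parsed.port else "") + (parsed.path or "")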
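Review bot: The `blocked` tuple and the `startswith("169.254.")` test compare text rather than addresses, so they cover only the dotted-quad spelling of those hosts, and the list differs from the one in external_camera.py, which also blocks loopback. If loopback is allowed here on purpose (Home Assistant may run on the same host), a comment above `blocked` should say so, since the new `# nosec B104` carries no reason. Parsing `parsed.hostname` with `ipaddress.ip_address()` inside `try/except ValueError` and checking `is_link_local` and `is_unspecified` would be more robust than the prefix match. The `(parsed.hostname or "")` fallback is redundant because an empty hostname has already returned `None` two lines earlier; the method starts outside the hunk.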

+ 3 - 3
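--- a/backend/app/services/virtual_printer/ftp_server.py
+++ b/backend/app/services/virtual_printer/ftp_server.py
@@ -217,7 +217,7 @@ class FTPSession:
             # Create data server with TLS - use same context for session reuse
             self.data_server = await asyncio.start_server(
                 self._handle_data_connection,
-                "0.0.0.0",  # nosec B104 - virtual printer proxy
+                "0.0.0.0",  # nosec B104
                 self.data_port,
                 ssl=self.ssl_context,
             )
@@ -251,7 +251,7 @@ class FTPSession:
             # Create data server with TLS
             self.data_server = await asyncio.start_server(
                 self._handle_data_connection,
-                "0.0.0.0",  # nosec B104 - virtual printer proxy
+                "0.0.0.0",  # nosec B104
                 self.data_port,
                 ssl=self.ssl_context,
             )
@@ -514,7 +514,7 @@ class VirtualPrinterFTPServer:
             # Create server with SSL - TLS handshake happens before any FTP data
             self._server = await asyncio.start_server(
                 self._handle_client,
-                "0.0.0.0",  # nosec B104 - virtual printer proxy
+                "0.0.0.0",  # nosec B104
                 self.port,
                 ssl=self._ssl_context,  # This makes it implicit FTPS!
             )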
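Review bot: Both data listeners in `FTPSession` (the hunks at 217 and 251) bind `self.data_server` to every interface, although the control connection they belong to was accepted on one specific local address. Consider binding the data listener to that address instead, which the control stream can report through `get_extra_info("sockname")` if the session keeps a reference to its writer. It is also worth confirming that `_handle_data_connection`, which is outside these hunks, accepts only the peer that owns the control connection. The enclosing methods start and end outside the hunks.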

+ 1 - 1
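--- a/backend/app/services/virtual_printer/mqtt_server.py
+++ b/backend/app/services/virtual_printer/mqtt_server.py
@@ -250,7 +250,7 @@ class SimpleMQTTServer:
 
             self._server = await asyncio.start_server(
                 connection_handler,
-                "0.0.0.0",  # nosec B104 - virtual printer proxy
+                "0.0.0.0",  # nosec B104
                 self.port,
                 ssl=ssl_context,
             )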

+ 1 - 1
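--- a/backend/app/services/virtual_printer/tcp_proxy.py
+++ b/backend/app/services/virtual_printer/tcp_proxy.py
@@ -102,7 +102,7 @@ class TLSProxy:
             # Start server with TLS
             self._server = await asyncio.start_server(
                 self._handle_client,
-                "0.0.0.0",  # nosec B104 - virtual printer proxy
+                "0.0.0.0",  # nosec B104
                 self.listen_port,
                 ssl=self._server_ssl_context,
             )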