ci: H-1 batch 5 — Ruff S (security/bandit) closes the H-1 ratchet for src/

[rolandpg]

Summary

Adds `S` (flake8-bandit) to the ruff `select` list. Closes the GOV-003 §"Tooling and Automation" rule set for `src/` — only `ANN` remains and it will be ratcheted per-module.

Active `select` list now: `{E, F, I, W, N, T20, B, UP, SIM, RUF, S}`.

Findings + disposition (14 in src/)

Code	Description	Count	Disposition
S110/S112	try-except-pass / -continue	6	per-line `# noqa` with intent (best-effort parsers, defensive fallbacks)
S311	random for non-cryptographic uses	3	per-line `# noqa` (note ID suffix, retry jitter, mock embedding)
S324	hashlib.md5	2	switched to `usedforsecurity=False` (PEP 587, 3.9+)
S608	f-string SQL	1	per-line `# noqa` (column list is module constant; values `?`-bound)

CI lints `src/` only, so the 1095 `assert` statements in `tests/` are not in scope.

Stack

This is the last of 5 H-1 batches:

• ci: H-1 partial — enable Ruff T20 (no print in production) #106 batch 1 (T20)
• ci: H-1 batch 2 — Ruff B (bugbear) + opportunistic SIM/RUF auto-fixes #107 batch 2 (B)
• ci: H-1 batch 3 — Ruff UP (pyupgrade) PEP 585/604 modernization #109 batch 3 (UP)
• ci: H-1 batch 4 — Ruff SIM + RUF #111 batch 4 (SIM + RUF)
• ci: H-1 batch 5 — Ruff S (security/bandit) closes the H-1 ratchet for src/ #113 batch 5 (S) ← this PR

Test plan

• `ruff check src/` clean with full select list
• `ruff format --check src/` clean
• 69/70 critical tests pass (1 pre-existing env-dependent: `test_ingest_relationship`)
• CI green

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Enables Ruff’s S (flake8-bandit) security rules for src/ and triages the newly surfaced findings via targeted # noqa: SXXX annotations and non-crypto-safe hashing/RNG clarifications.

Changes:

• Add S to Ruff’s select list in pyproject.toml.
• Update MD5 usage to pass usedforsecurity=False where MD5 is used non-cryptographically.
• Add targeted # noqa: S110/S112/S311/S608 annotations with intent comments for accepted exceptions.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/zettelforge/vector_memory.py	Marks deterministic mock embedding RNG as non-crypto; MD5 updated with usedforsecurity=False; adds # noqa: S311.
src/zettelforge/synthesis_generator.py	Updates non-crypto query ID hashing to md5(..., usedforsecurity=False).
src/zettelforge/sqlite_backend.py	Adds # noqa: S608 for constant-column SQL string assembly and documents rationale.
src/zettelforge/scripts/compact_lance.py	Adds targeted # noqa: S110/S112 for best-effort serialization fallbacks.
src/zettelforge/retry.py	Adds # noqa: S311 for non-crypto retry jitter RNG.
src/zettelforge/ocsf.py	Adds # noqa: S110 for defensive try/except/pass around version resolution.
src/zettelforge/memory_store.py	Adds # noqa: S311 for note-id suffix RNG and # noqa: S110 for corrupt JSONL line handling.
src/zettelforge/knowledge_graph.py	Adds # noqa: S110/S112 for best-effort timestamp parsing fallbacks.
pyproject.toml	Enables Ruff S rules and updates the ratchet commentary.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

_NOTE_COLUMNS is documented here as a “module-level constant”, but it’s currently a mutable list. Since this line is used to justify # noqa: S608 on the f-string SQL, it would be safer/clearer to make the columns truly immutable (e.g., a tuple and/or typing.Final) or adjust the comment to avoid implying immutability.

[Copilot]

The new comment says “collisions are tolerated”, but write_note() uses this ID as the primary key for the JSONL store and in-memory cache (dict keyed by note.id), so an ID collision can overwrite/hide an existing note (data loss). Either update the implementation to avoid collisions (e.g., uuid4 suffix like SQLiteBackend.write_note does) or soften/correct the comment to reflect the actual risk/behavior.