fix: annotate security false positives with nosec

[samtuckerdavis]

Summary

• Addresses 5 bandit security issues (B310 x4, B311, B404) identified by desloppify scan
• All are intentional patterns annotated with # nosec and justification comments, not code changes:
  • B310 (4x in transition_messages.py): urlopen calls target http://127.0.0.1 (localhost only) — scheme is hardcoded, never user-controlled
  • B311 (dev.py line 204): random.choice() selects a test model for switching — not cryptographic use
  • B404 (codex_batch.py line 7): subprocess import is required for CLI runner operation
• The T2 insecure_random false positive in languages/cxx/detectors/security.py (a dict key string in a remediation message map) is suppressed via desloppify state

Test plan

• Run python3.11 -m desloppify scan --skip-slow --profile ci post-merge and confirm security dimension improves
• Confirm objective score stays ≥98

[coderabbitai]

Warning

Rate limit exceeded

@stuckvgn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 33 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 24 minutes and 33 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: cdd1dc44-f529-408a-9a6b-e8c36519d333

📥 Commits

Reviewing files that changed from the base of the PR and between 87a4d39 and 8d2f0b4.

📒 Files selected for processing (7)

• desloppify/app/commands/dev.py
• desloppify/app/commands/helpers/transition_messages.py
• desloppify/app/commands/review/coordinator.py
• desloppify/app/commands/review/runner_parallel/progress.py
• desloppify/app/commands/review/runner_process_impl/attempts.py
• desloppify/app/commands/review/runner_process_impl/io.py
• desloppify/app/commands/runner/codex_batch.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/security-issues

• 🛠️ fix NAV violations: Commit on current branch
• 🛠️ fix NAV violations: Create PR

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[samtuckerdavis]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[samtuckerdavis]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[samtuckerdavis]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.