diff --git a/desloppify/app/commands/dev.py b/desloppify/app/commands/dev.py
index 96940a860..9b520cb74 100644
--- a/desloppify/app/commands/dev.py
+++ b/desloppify/app/commands/dev.py
@@ -201,7 +201,7 @@ def _cmd_test_hermes() -> None:
         ("openrouter", "meta-llama/llama-4-scout"),
         ("openrouter", "mistralai/mistral-medium-3"),
     ]
-    test_provider, test_model = random.choice(test_models)
+    test_provider, test_model = random.choice(test_models)  # nosec B311 — non-security use
 
     # Switch to test model
     print(f"  Switching to: {test_provider}:{test_model}")
diff --git a/desloppify/app/commands/helpers/transition_messages.py b/desloppify/app/commands/helpers/transition_messages.py
index 573ca9061..83344d1e9 100644
--- a/desloppify/app/commands/helpers/transition_messages.py
+++ b/desloppify/app/commands/helpers/transition_messages.py
@@ -43,11 +43,11 @@ def _hermes_port() -> int:
 
 def _hermes_get(path: str) -> dict:
     """GET a Hermes control API endpoint. Stdlib-only, no deps."""
-    url = f"http://127.0.0.1:{_hermes_port()}{path}"
+    url = f"http://127.0.0.1:{_hermes_port()}{path}"  # nosec B310 — localhost only
     req = _urlreq.Request(url, method="GET",
                           headers={"X-Hermes-Control": "1"})
     try:
-        with _urlreq.urlopen(req, timeout=5) as resp:
+        with _urlreq.urlopen(req, timeout=5) as resp:  # nosec B310 — localhost only
             return _json.loads(resp.read())
     except _urlerr.HTTPError as e:
         return _json.loads(e.read())
@@ -57,13 +57,13 @@ def _hermes_get(path: str) -> dict:
 
 def _hermes_send_message(text: str, mode: str = "queue") -> dict:
     """Send a message/command to the running Hermes agent. Stdlib-only, no deps."""
-    url = f"http://127.0.0.1:{_hermes_port()}/sessions/_any/message"
+    url = f"http://127.0.0.1:{_hermes_port()}/sessions/_any/message"  # nosec B310 — localhost only
     data = _json.dumps({"text": text, "mode": mode}).encode()
     req = _urlreq.Request(url, data=data, method="POST",
                           headers={"Content-Type": "application/json",
                                    "X-Hermes-Control": "1"})
     try:
-        with _urlreq.urlopen(req, timeout=5) as resp:
+        with _urlreq.urlopen(req, timeout=5) as resp:  # nosec B310 — localhost only
             return _json.loads(resp.read())
     except _urlerr.HTTPError as e:
         return _json.loads(e.read())
diff --git a/desloppify/app/commands/review/coordinator.py b/desloppify/app/commands/review/coordinator.py
index f7c4bed28..d6c142807 100644
--- a/desloppify/app/commands/review/coordinator.py
+++ b/desloppify/app/commands/review/coordinator.py
@@ -3,7 +3,7 @@
 from __future__ import annotations
 
 import json
-import subprocess  # nosec
+import subprocess  # nosec B404 — subprocess required for CLI runner
 from collections.abc import Mapping
 from hashlib import sha256
 from pathlib import Path
diff --git a/desloppify/app/commands/review/runner_parallel/progress.py b/desloppify/app/commands/review/runner_parallel/progress.py
index 6a3d60714..cf7f2dd81 100644
--- a/desloppify/app/commands/review/runner_parallel/progress.py
+++ b/desloppify/app/commands/review/runner_parallel/progress.py
@@ -3,7 +3,7 @@
 from __future__ import annotations
 
 import logging
-import subprocess  # nosec
+import subprocess  # nosec B404 — subprocess required for CLI runner
 import time
 from typing import Any
 
diff --git a/desloppify/app/commands/review/runner_process_impl/attempts.py b/desloppify/app/commands/review/runner_process_impl/attempts.py
index 27ee175e7..d7265144c 100644
--- a/desloppify/app/commands/review/runner_process_impl/attempts.py
+++ b/desloppify/app/commands/review/runner_process_impl/attempts.py
@@ -2,7 +2,7 @@
 
 from __future__ import annotations
 
-import subprocess  # nosec
+import subprocess  # nosec B404 — subprocess required for CLI runner
 import threading
 import time
 from contextlib import contextmanager
diff --git a/desloppify/app/commands/review/runner_process_impl/io.py b/desloppify/app/commands/review/runner_process_impl/io.py
index 9a4b03f97..659bebec7 100644
--- a/desloppify/app/commands/review/runner_process_impl/io.py
+++ b/desloppify/app/commands/review/runner_process_impl/io.py
@@ -4,7 +4,7 @@
 
 import json
 import logging
-import subprocess  # nosec
+import subprocess  # nosec B404 — subprocess required for CLI runner
 import threading
 import time
 from datetime import UTC, datetime
diff --git a/desloppify/app/commands/runner/codex_batch.py b/desloppify/app/commands/runner/codex_batch.py
index bcf3bc63c..4d5bd251c 100644
--- a/desloppify/app/commands/runner/codex_batch.py
+++ b/desloppify/app/commands/runner/codex_batch.py
@@ -4,7 +4,7 @@
 
 import os
 import shutil
-import subprocess
+import subprocess  # nosec B404 — subprocess required for CLI runner
 import sys
 from pathlib import Path