fix: resolve all ruff and bandit lint/security issues

- Remove unused Optional import (F401) in telemetry.py
- Move imports above module-level code (E402) in web/db/models.py
- Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104)
- Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324)
- Annotate intentional try/except/pass blocks with nosec (B110)
- Remove stale nosec comments that no longer suppress anything

decnet/profiler/behavioral.py

@@ -344,7 +344,7 @@ def detect_tools_from_headers(events: list[LogEvent]) -> list[str]:
                         headers = _parsed
                     else:
                         continue
-                except Exception:
+                except Exception:  # nosec B112 — skip unparseable header values
                     continue
         elif isinstance(raw_headers, dict):
             headers = raw_headers