fix: resolve all ruff and bandit lint/security issues

- Remove unused Optional import (F401) in telemetry.py
- Move imports above module-level code (E402) in web/db/models.py
- Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104)
- Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324)
- Annotate intentional try/except/pass blocks with nosec (B110)
- Remove stale nosec comments that no longer suppress anything

decnet/telemetry.py

@@ -12,7 +12,7 @@ from __future__ import annotations
 import asyncio
 import functools
 import inspect
-from typing import Any, Callable, Optional, TypeVar, overload
+from typing import Any, Callable, TypeVar, overload
 
 from decnet.env import DECNET_DEVELOPER_TRACING, DECNET_OTEL_ENDPOINT
 from decnet.logging import get_logger
@@ -76,7 +76,7 @@ def shutdown_tracing() -> None:
     if _tracer_provider is not None:
         try:
             _tracer_provider.shutdown()
-        except Exception:
+        except Exception:  # nosec B110 — best-effort tracer shutdown
             pass
 
 
@@ -272,7 +272,7 @@ def inject_context(record: dict[str, Any]) -> None:
         inject(carrier)
         if carrier:
             record["_trace"] = carrier
-    except Exception:
+    except Exception:  # nosec B110 — trace injection is optional
         pass