fix: resolve all ruff and bandit lint/security issues

- Remove unused Optional import (F401) in telemetry.py
- Move imports above module-level code (E402) in web/db/models.py
- Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104)
- Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324)
- Annotate intentional try/except/pass blocks with nosec (B110)
- Remove stale nosec comments that no longer suppress anything

decnet/web/router/config/api_manage_users.py

@@ -40,7 +40,7 @@ async def api_create_user(
         "username": req.username,
         "password_hash": get_password_hash(req.password),
         "role": req.role,
-        "must_change_password": True,
+        "must_change_password": True,  # nosec B105 — not a password
     })
     return UserResponse(
         uuid=user_uuid,