chore: fix ruff lint errors, bandit suppressions, and pin pip>=26.0

Remove unused imports (ruff F401), suppress B324 false positives on
spec-mandated MD5 in HASSH/JA3/JA3S fingerprinting, drop unused
record_version assignment in JARM parser, and pin pip>=26.0 in dev
deps to address CVE-2025-8869 and CVE-2026-1703.

decnet/prober/hassh.py

@@ -208,7 +208,7 @@ def _compute_hassh(kex: str, enc: str, mac: str, comp: str) -> str:
     Returns 32-character lowercase hex digest.
     """
     raw = f"{kex};{enc};{mac};{comp}"
-    return hashlib.md5(raw.encode("utf-8")).hexdigest()
+    return hashlib.md5(raw.encode("utf-8")).hexdigest()  # nosec B324
 
 
 # ─── Public API ─────────────────────────────────────────────────────────────

decnet/prober/jarm.py

@@ -297,7 +297,7 @@ def _parse_server_hello(data: bytes) -> str:
         if data[0] != _CONTENT_HANDSHAKE:
             return "|||"
 
-        record_version = struct.unpack_from("!H", data, 1)[0]
+        struct.unpack_from("!H", data, 1)[0]  # record_version (unused)
         record_len = struct.unpack_from("!H", data, 3)[0]
         hs = data[5: 5 + record_len]
 

decnet/sniffer/fingerprint.py

@@ -12,7 +12,6 @@ from __future__ import annotations
 import hashlib
 import struct
 import time
-from pathlib import Path
 from typing import Any, Callable
 
 from decnet.sniffer.syslog import SEVERITY_INFO, SEVERITY_WARNING, syslog_line
@@ -519,7 +518,7 @@ def _ja3(ch: dict[str, Any]) -> tuple[str, str]:
         "-".join(str(p) for p in ch["ec_point_formats"]),
     ]
     ja3_str = ",".join(parts)
-    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()
+    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()  # nosec B324
 
 
 def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
@@ -529,7 +528,7 @@ def _ja3s(sh: dict[str, Any]) -> tuple[str, str]:
         "-".join(str(e) for e in sh["extensions"]),
     ]
     ja3s_str = ",".join(parts)
-    return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()
+    return ja3s_str, hashlib.md5(ja3s_str.encode()).hexdigest()  # nosec B324
 
 
 # ─── JA4 / JA4S ─────────────────────────────────────────────────────────────

decnet/sniffer/worker.py

@@ -14,9 +14,7 @@ import asyncio
 import os
 import subprocess
 import threading
-import time
 from pathlib import Path
-from typing import Any
 
 from decnet.logging import get_logger
 from decnet.network import HOST_MACVLAN_IFACE

pyproject.toml

@@ -28,6 +28,7 @@ dev = [
     "pytest>=9.0.3",
     "ruff>=0.15.10",
     "bandit>=1.9.4",
+    "pip>=26.0",
     "pip-audit>=2.10.0",
     "httpx>=0.28.1",
     "hypothesis>=6.151.14",