fix(#365): fix coordinator CI bandit config and pip upgrade

Three fixes for the coordinator pipeline:

1. Use bandit.yaml config file (-c bandit.yaml) so global skips
   and exclude_dirs are respected in CI.
2. Upgrade pip to >=25.3 in the install step so pip-audit doesn't
   fail on the stale pip 24.0 bundled with python:3.11-slim.
3. Clean up nosec inline comments to bare "# nosec BXXX" format,
   moving explanations to a separate comment line above. This
   prevents bandit from misinterpreting trailing text as test IDs.

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-12 16:05:07 -06:00
parent a269f4b0ee
commit 111a41c7ca
3 changed files with 6 additions and 3 deletions

@@ -29,6 +29,7 @@ steps:
- cd apps/coordinator
- python -m venv venv
- . venv/bin/activate
- pip install --no-cache-dir --upgrade "pip>=25.3"
- pip install --no-cache-dir -e ".[dev]"
- pip install --no-cache-dir bandit pip-audit
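Review bot: `"pip>=25.3"` on the new line is an open-ended floor, so every CI run will install whatever the newest pip release is; if the intent is only to get past the pip 24.0 that pip-audit rejects, an exact pin (`"pip==25.3"`) or a bounded range (`"pip>=25.3,<26"`) keeps the install step reproducible and turns a future pip regression into a deliberate bump instead of an unexplained pipeline failure. The same applies to `bandit pip-audit` on the following line, which are installed unpinned.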
@@ -52,7 +53,7 @@ steps:
image: *python_image
commands:
- *activate_venv
- bandit -r src/ -f screen
- bandit -r src/ -c bandit.yaml -f screen
depends_on:
- install
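Review bot: `-c bandit.yaml` is resolved relative to the step's working directory, and this diff neither adds nor touches `bandit.yaml`, so confirm two things: that the file is already committed under `apps/coordinator`, and that the `*activate_venv` anchor (not shown here) includes the `cd apps/coordinator` from the install step, otherwise bandit will be started from the repository root, fail to open the config, and exit with an error unrelated to any findings. A quick `test -f bandit.yaml` before the bandit command would make that failure mode obvious in the log.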

@@ -21,7 +21,8 @@ class Settings(BaseSettings):
anthropic_api_key: str
# Server Configuration
host: str = "0.0.0.0" # nosec B104 — Container-bound: listen on all interfaces inside Docker
# Container-bound: listen on all interfaces inside Docker
host: str = "0.0.0.0" # nosec B104
port: int = 8000
# Logging
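Review bot: splitting the rationale onto its own line and leaving a bare `# nosec B104` fixes the trailing-text problem, but the justification as written assumes the container boundary is the only exposure. Since `host` is a `BaseSettings` field it can be overridden through the matching environment variable, so the comment could say explicitly that the `0.0.0.0` default is only appropriate when the published container port faces a trusted network, and that deployments outside Docker should set the host to a loopback or specific interface address.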

@@ -139,7 +139,8 @@ class TelemetryService:
if self._tracer is None:
# Initialize if not already done
self.initialize()
assert self._tracer is not None # nosec B101 — Type narrowing after None guard
# Type narrowing after None guard
assert self._tracer is not None # nosec B101
return self._tracer
def shutdown(self) -> None:
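Review bot: the `assert self._tracer is not None` is stripped when the interpreter runs with `-O`, so in an optimized build a failed `initialize()` would let `return self._tracer` hand `None` back to callers. Replacing the assert with an explicit check such as `if self._tracer is None: raise RuntimeError("tracer failed to initialize")` preserves the type narrowing, behaves the same under `-O`, and removes the need for the B101 suppression entirely.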