# Bandit security linting configuration for mosaic-coordinator
#
# Suppressions documented below. All are intentional and reviewed.
#
# B104 (bind to 0.0.0.0): Inline nosec in src/config.py.
#   Container-bound service — must listen on all interfaces inside Docker.
#
# B101 (assert usage): Inline nosec in src/telemetry.py.
#   Assert used for type narrowing after None guard (satisfies mypy).
#
# B404, B607, B603 (subprocess usage): Skipped globally.
#   Only triggered in src/gates/ quality gate tooling, which intentionally
#   invokes external tools (pytest, ruff, mypy) via subprocess as its
#   core functionality. No other source files use subprocess.

skips:
  - B404  # import subprocess — only in gates/ (intentional)
  - B607  # start process with partial path — only in gates/ (intentional)
  - B603  # subprocess call without shell=True — only in gates/ (intentional)

exclude_dirs:
  - tests
  - venv