Security bandit fixes

Author: aponcedeleonch

src/mcp_optimizer/db/tool_response_ops.py

@@ -61,7 +61,7 @@ async def create_tool_response(
              created_at, expires_at, metadata)
             VALUES (:id, :session_key, :tool_name, :original_content, :content_type,
                     :created_at, :expires_at, :metadata)
-        """
+        """  # nosec B608 - TABLE_NAME is a code-controlled constant, not user input
 
         params = {
             "id": response_id,
@@ -119,7 +119,7 @@ async def get_tool_response(
                    created_at, expires_at, metadata
             FROM {self.TABLE_NAME}
             WHERE id = :id
-        """
+        """  # nosec B608 - TABLE_NAME is a code-controlled constant, not user input
 
         results = await self.db.execute_query(query, {"id": response_id}, conn=conn)
 
@@ -168,7 +168,7 @@ async def get_responses_by_session(
             FROM {self.TABLE_NAME}
             WHERE session_key = :session_key AND expires_at > :now
             ORDER BY created_at DESC
-        """
+        """  # nosec B608 - TABLE_NAME is a code-controlled constant, not user input
 
         results = await self.db.execute_query(
             query, {"session_key": session_key, "now": now}, conn=conn
@@ -206,14 +206,14 @@ async def cleanup_expired(
         # First count how many will be deleted
         count_query = f"""
             SELECT COUNT(*) FROM {self.TABLE_NAME} WHERE expires_at <= :now
-        """
+        """  # nosec B608 - TABLE_NAME is a code-controlled constant, not user input
         result = await self.db.execute_query(count_query, {"now": now}, conn=conn)
         count = result[0][0] if result else 0
 
         # Then delete
         delete_query = f"""
             DELETE FROM {self.TABLE_NAME} WHERE expires_at <= :now
-        """
+        """  # nosec B608 - TABLE_NAME is a code-controlled constant, not user input
         await self.db.execute_non_query(delete_query, {"now": now}, conn=conn)
 
         if count > 0:
@@ -227,5 +227,5 @@ async def _delete_response(
         conn: AsyncConnection | None = None,
     ) -> None:
         """Delete a single response by ID."""
-        query = f"DELETE FROM {self.TABLE_NAME} WHERE id = :id"
+        query = f"DELETE FROM {self.TABLE_NAME} WHERE id = :id"  # nosec B608
         await self.db.execute_non_query(query, {"id": response_id}, conn=conn)

src/mcp_optimizer/response_optimizer/query_executor.py

@@ -2,7 +2,7 @@
 
 import re
 import shutil
-import subprocess
+import subprocess  # nosec B404 - subprocess used for trusted jq tool only
 
 from mcp_optimizer.response_optimizer.models import ContentType
 
@@ -37,7 +37,7 @@ def execute_jq_query(content: str, query: str) -> str:
         )
 
     try:
-        result = subprocess.run(  # noqa: S603 - jq is a trusted tool
+        result = subprocess.run(  # noqa: S603 # nosec B603 - jq is a trusted tool, path validated
             [jq_path, query],
             input=content,
             capture_output=True,

src/mcp_optimizer/response_optimizer/summarizers/llmlingua.py

@@ -83,10 +83,10 @@ def _load_model(self) -> bool:
             # Try to load from local path first, fall back to HuggingFace
             tokenizer_path = self.model_path
             if (tokenizer_path / "tokenizer_config.json").exists():
-                self._tokenizer = AutoTokenizer.from_pretrained(str(tokenizer_path))
+                self._tokenizer = AutoTokenizer.from_pretrained(str(tokenizer_path))  # nosec B615
             else:
                 # Fall back to HuggingFace
-                self._tokenizer = AutoTokenizer.from_pretrained(
+                self._tokenizer = AutoTokenizer.from_pretrained(  # nosec B615
                     "microsoft/llmlingua-2-bert-base-multilingual-cased-meetingbank"
                 )