Add `ruff check --select S` (security rules) to lint CI job

[aallan]

Ruff's S rule set is equivalent to Bandit security checks. CodeRabbit already runs ruff, but CI proper doesn't include the security rules.

Add to the lint job:

- name: Security lint
  run: ruff check --select S vera/

Review findings and add # noqa: S... for legitimate exceptions (e.g., subprocess usage in tests). This catches common Python security anti-patterns like hardcoded credentials, use of eval, and insecure temp file creation.

[aallan]

Fixed in PR #415 (branch docs/history-tooling-split).

Added ruff>=0.9 to the [project.optional-dependencies] dev list in pyproject.toml and a new step to the lint CI job:

- name: Security lint (ruff S rules)
  run: ruff check --select S vera/

All 32 findings from the initial audit were reviewed and suppressed with targeted # noqa annotations where appropriate:

• S310 (8 findings) — urllib.request.urlopen / Request calls: all use HTTPS to known API endpoints; intentional.
• S101 (20 findings) — assert statements: all are compiler-internal invariant checks in wasmtime host callbacks and monomorphizer; safe to assert.
• S105 (2 findings) — hardcoded password false positives on parse-token string comparisons in errors.py ("REQUIRES", "__ANON_9").

The step runs on every push and PR, gated behind pip install -e ".[dev]" which now provides the ruff binary.

[aallan]

Reopening so PR #415 closes this automatically on merge to main. The fix is implemented on branch docs/history-tooling-split — see above comments for details.

[aallan]

Implemented in PR #415 (branch docs/history-tooling-split, shipping as v0.0.103).

What was done:

• Added ruff>=0.9 to [project.optional-dependencies] dev in pyproject.toml
• Added ruff check --select S vera/ step to the lint CI job
• Audited all 32 S-rule findings and added # noqa suppressions where appropriate:
  • S310 — intentional https:// calls in Http effect host functions (urllib.request.urlopen with validated URLs)
  • S101 — assert statements used as compiler invariant checks (not test assertions)
  • S105 — string literals that look like hardcoded passwords but are Vera token names in the parser

All remaining S-rule findings in vera/ now pass cleanly.