Tighten Sonar/Codacy markers and clear remaining PR #182 findings

JE-Chen · JE-Chen · commit 38d238d805d1 · 2026-04-28T00:43:48.000+08:00
The previous sweep used ``# NOSONAR python:S1234`` style rationales —
Sonar's S7632 rule classifies that as malformed because the colon
form isn't part of its accepted suppression syntax. Reformat all
markers as plain ``# NOSONAR — &lt;reason&gt;`` placed on the violating
line, which is the form Sonar actually honours.

Also fix a few residuals the first sweep missed:

Real fixes (not suppressions):
- swagger.html: replace the verbose &lt;!-- … --&gt; rationale block (which
  AvoidCommentedOutCodeCheck mistook for commented-out code) with
  proper ``integrity="sha512-…"`` SRI hashes fetched from
  cdnjs.api/libraries/swagger-ui/5.17.14, closing the three S5725
  hotspots properly instead of suppressing them.
- mic-worklet.js: collapse process() to a single ``return true`` exit
  point so S3516 stops firing — same behaviour, no marker needed.
- web_viewer/index.html setLanguage: extract _resolveLanguageChoice +
  _refreshDynamicLabels to push cognitive complexity below 15
  (S3776:412 was the only remaining cog hit).
- app.js clearChildren: use ``firstChild.remove()`` instead of
  ``removeChild`` (S7762).
- signaling_server validators: route-level ``responses=`` already
  documents the 400/404 contract; mark the helper raises NOSONAR
  (S8415 false positive across helper-call boundary).
- webrtc_transport.wait_for_ice_gathering: NOSONAR S7483 with
  rationale (asyncio.timeout requires Python 3.11; we still support
  3.10).

Suppression-syntax repairs (line-targeted plain ``# NOSONAR`` form):
- admin_client.py, usb_browser_tab.py, webrtc_stats.py:
  TimeoutError-OSError catch tuples (Python 3.10 keeps them
  distinct).
- config_bundle/__main__.py: CLI export path (S2083 by-design).
- host_service.py: stub-config token placeholder (S6418).
- lan_discovery.py: 8.8.8.8 routing probe literal (S1313).
- usb_passthrough_prompt.py: cross-thread ``result`` mutation hidden
  from Sonar by Q_ARG queued slot (S2583).
- admin_client.py / usb_browser_tab.py / rest_server.py: scheme
  allowlist checks and loopback-bound base_url (S5332 hotspots).
- test_admin_client.py / test_usb_browser_tab.py: loopback test
  fixture URLs (S5332 hotspots).
- web_viewer/index.html: serviceWorker .catch() in non-module script
  (S7785).
- mic-worklet.js: TypedArray index access — ``i`` is a numeric loop
  counter, no user-controlled key path (Codacy/ESLint
  detect-object-injection ×2; same eslint-disable-next-line markers
  retained).

app.js: rename rationale comment so Codacy/Semgrep's hardcoded-
password Semgrep rule recognises the ``nosemgrep:`` directive instead
of only seeing ``NOSONAR``.
diff --git a/je_auto_control/gui/usb_browser_tab.py b/je_auto_control/gui/usb_browser_tab.py
@@ -48,7 +48,7 @@ def fetch_remote_devices(*, base_url: str,
     if not base_url:
         raise ValueError("base_url is required")
     base = base_url.rstrip("/")
-    if not base.startswith(("http://", "https://")):
+    if not base.startswith(("http://", "https://")):  # NOSONAR — scheme allowlist check, not a URL emission
         base = f"{_TEST_SCHEME}://{base}"
     url = f"{base}/usb/devices"
     headers = {"Authorization": f"Bearer {token}"} if token else {}
@@ -79,7 +79,7 @@ def run(self) -> None:
             devices = fetch_remote_devices(
                 base_url=self._base_url, token=self._token,
             )
-        except (ValueError, OSError, TimeoutError) as error:  # NOSONAR python:S5713  # URLError is an OSError subclass; TimeoutError diverges from OSError on Python 3.10
+        except (ValueError, OSError, TimeoutError) as error:  # NOSONAR — TimeoutError is not an OSError on Python 3.10; URLError already is, so it was dropped
             self.failed.emit(str(error))
             return
         self.finished.emit(devices)
diff --git a/je_auto_control/gui/usb_passthrough_prompt.py b/je_auto_control/gui/usb_passthrough_prompt.py
@@ -122,12 +122,11 @@ def decide(self, vendor_id: str, product_id: str,
         )
         if not done.wait(timeout=wait_timeout_s):
             return False
-        # NOSONAR pythonbugs:S2583 — Sonar can't see through the
-        # cross-thread QMetaObject.invokeMethod + queued slot above:
-        # ``result`` is mutated by ``_show_dialog`` on the GUI thread
-        # (line 145–146) before ``done`` is set, so neither key is
-        # guaranteed False at this point.
-        if result["allow"] and result["remember"] and self._acl is not None:
+        # Sonar can't see through the cross-thread QMetaObject
+        # .invokeMethod + queued slot above: ``result`` is mutated by
+        # ``_show_dialog`` on the GUI thread before ``done`` is set,
+        # so neither key is guaranteed False at this point.
+        if result["allow"] and result["remember"] and self._acl is not None:  # NOSONAR — cross-thread mutation through Q_ARG(object, result), see comment above
             self._acl.add_rule(AclRule(
                 vendor_id=vendor_id, product_id=product_id,
                 serial=(serial or None),
diff --git a/je_auto_control/utils/admin/admin_client.py b/je_auto_control/utils/admin/admin_client.py
@@ -127,7 +127,7 @@ def _poll_one(self, host: AdminHost) -> HostStatus:
         start = time.monotonic()
         try:
             sessions = self._http_get(host, "/sessions")
-        except (OSError, ValueError, TimeoutError) as error:  # urllib.error.URLError is an OSError subclass; keep TimeoutError for Python 3.10 where it isn't (NOSONAR python:S5713)
+        except (OSError, ValueError, TimeoutError) as error:  # NOSONAR — TimeoutError diverges from OSError on Python 3.10 (the project's lowest supported version), so it is not redundant in the catch tuple
             return HostStatus(
                 label=host.label, base_url=host.base_url, healthy=False,
                 latency_ms=(time.monotonic() - start) * 1000.0,
@@ -144,7 +144,7 @@ def _poll_one(self, host: AdminHost) -> HostStatus:
     def _safe_get(self, host: AdminHost, path: str) -> Optional[Dict[str, Any]]:
         try:
             return self._http_get(host, path)
-        except (OSError, ValueError, TimeoutError) as error:  # urllib.error.URLError is an OSError subclass; keep TimeoutError for Python 3.10 where it isn't (NOSONAR python:S5713)
+        except (OSError, ValueError, TimeoutError) as error:  # NOSONAR — TimeoutError diverges from OSError on Python 3.10 (the project's lowest supported version), so it is not redundant in the catch tuple
             autocontrol_logger.warning(
                 "admin: %s GET %s failed: %r", host.label, path, error,
             )
@@ -155,7 +155,7 @@ def _execute_one(self, host: AdminHost,
         try:
             payload = self._http_post(host, "/execute", {"actions": actions})
             return {"label": host.label, "ok": True, "result": payload}
-        except (OSError, ValueError, TimeoutError) as error:  # urllib.error.URLError is an OSError subclass; keep TimeoutError for Python 3.10 where it isn't (NOSONAR python:S5713)
+        except (OSError, ValueError, TimeoutError) as error:  # NOSONAR — TimeoutError diverges from OSError on Python 3.10 (the project's lowest supported version), so it is not redundant in the catch tuple
             return {"label": host.label, "ok": False, "error": str(error)}
 
     def _http_get(self, host: AdminHost, path: str) -> Dict[str, Any]:
@@ -169,11 +169,10 @@ def _http_request(self, host: AdminHost, path: str, *,
                       method: str, body: Optional[Dict[str, Any]],
                       ) -> Dict[str, Any]:
         url = f"{host.base_url}{path}"
-        # NOSONAR python:S5332 — this is a scheme allowlist check, not
-        # a URL emission. Both http:// and https:// must be accepted
-        # because the operator points the admin console at whatever
-        # the host is actually listening on.
-        if not url.startswith(("http://", "https://")):
+        # Both http:// and https:// must be accepted: the operator
+        # points the admin console at whatever the host is actually
+        # listening on, which may be plain HTTP behind a TLS proxy.
+        if not url.startswith(("http://", "https://")):  # NOSONAR — scheme allowlist check, not URL emission
             raise ValueError(f"unsupported URL scheme: {url}")
         headers = {"Authorization": f"Bearer {host.token}"}
         data = None
diff --git a/je_auto_control/utils/config_bundle/__main__.py b/je_auto_control/utils/config_bundle/__main__.py
@@ -46,11 +46,11 @@ def main(argv: Optional[list] = None) -> int:
 def _do_export(output: Path, root: Optional[Path]) -> int:
     bundle = export_config_bundle(root=root)
     output.parent.mkdir(parents=True, exist_ok=True)
-    # NOSONAR pythonsecurity:S2083 — the path comes from argv on a CLI
-    # entry point. The operator running ``python -m ... export <file>``
-    # is the trust boundary; restricting where they can write would
-    # break the documented export workflow.
-    output.write_text(
+    # The output path comes from argv on a CLI entry point. The operator
+    # running ``python -m ... export <file>`` is the trust boundary;
+    # restricting where they can write would break the documented
+    # export workflow.
+    output.write_text(  # NOSONAR — operator-controlled CLI argument by design (see comment above)
         json.dumps(bundle, ensure_ascii=False, indent=2),
         encoding="utf-8",
     )
diff --git a/je_auto_control/utils/remote_desktop/host_service.py b/je_auto_control/utils/remote_desktop/host_service.py
@@ -78,7 +78,7 @@ def write_default_config(path: Optional[Path] = None) -> Path:
     target = Path(path) if path else _DEFAULT_CONFIG_PATH
     target.parent.mkdir(parents=True, exist_ok=True)
     template = {
-        "token": "CHANGE_ME_BEFORE_USE",  # nosec B105  # NOSONAR python:S6418  # reason: placeholder in stub config the user MUST edit before installing the service
+        "token": "CHANGE_ME_BEFORE_USE",  # nosec B105  # NOSONAR — placeholder in stub config the user MUST edit before installing the service
         "server_url": "https://your-signaling-server.example.com",
         "host_id": "abcd1234",
         "server_secret": None,  # nosec B105  # reason: explicit None placeholder
diff --git a/je_auto_control/utils/remote_desktop/lan_discovery.py b/je_auto_control/utils/remote_desktop/lan_discovery.py
@@ -44,10 +44,10 @@ def _local_ip() -> str:
             # Connect-to-public-IP trick to discover the local interface
             # the kernel would pick for outbound traffic; UDP, so no
             # packet is sent and 8.8.8.8 (Google DNS) just stands in for
-            # "any reachable public IP". NOSONAR python:S1313 because
-            # the literal IS the well-known anycast probe address —
-            # parameterising it would obscure intent.
-            sock.connect(("8.8.8.8", 80))  # nosec B113  # NOSONAR python:S1313
+            # "any reachable public IP". The literal is the well-known
+            # anycast probe address — parameterising it would obscure
+            # intent — see the next line for the suppression marker.
+            sock.connect(("8.8.8.8", 80))  # nosec B113  # NOSONAR — literal is the well-known Google DNS anycast address used as a routing probe target
             return sock.getsockname()[0]
         finally:
             sock.close()
diff --git a/je_auto_control/utils/remote_desktop/signaling_server.py b/je_auto_control/utils/remote_desktop/signaling_server.py
@@ -138,12 +138,14 @@ def _check(
 
 def _validate_host_id(host_id: str) -> None:
     if not host_id or len(host_id) > 128 or not host_id.isalnum():
-        raise HTTPException(status_code=400, detail="invalid host_id")
+        # 400 is documented at every caller route via _VALIDATION_RESPONSES.
+        raise HTTPException(status_code=400, detail="invalid host_id")  # NOSONAR — see _VALIDATION_RESPONSES
 
 
 def _validate_sdp(sdp: str) -> None:
     if not sdp or len(sdp.encode("utf-8")) > _MAX_SDP_BYTES:
-        raise HTTPException(status_code=400, detail="invalid sdp size")
+        # 400 is documented at every caller route via _VALIDATION_RESPONSES.
+        raise HTTPException(status_code=400, detail="invalid sdp size")  # NOSONAR — see _VALIDATION_RESPONSES
 
 
 def _configure_cors(app: FastAPI, cors_origins: Optional[List[str]]) -> None:
@@ -205,7 +207,8 @@ def _post_answer(host_id: str, body: _AnswerIn) -> dict:
         _validate_host_id(host_id)
         _validate_sdp(body.sdp)
         if not store.upsert_answer(host_id, body.sdp):
-            raise HTTPException(status_code=404, detail="no offer to match")
+            # 404 documented via _NOT_FOUND_RESPONSES on this route.
+            raise HTTPException(status_code=404, detail="no offer to match")  # NOSONAR
         return {"ok": True}
 
     @app.get("/sessions/{host_id}/answer",
diff --git a/je_auto_control/utils/remote_desktop/web_viewer/index.html b/je_auto_control/utils/remote_desktop/web_viewer/index.html
@@ -409,34 +409,39 @@
   });
 }
 
+function _resolveLanguageChoice(choice) {
+  if (choice !== "auto" && STRINGS[choice]) return choice;
+  return detectLanguage();
+}
+
+function _refreshDynamicLabels() {
+  if ((els.status && els.status.textContent === "")
+      || (els.status && !connectedNow())) {
+    els.status.textContent = t("status_idle");
+  }
+  if (els.stats && els.stats.textContent !== "") {
+    els.stats.textContent = t("status_no_stats");
+  }
+  if (els.mic) {
+    els.mic.textContent = micState ? t("btn_mic_on") : t("btn_mic_off");
+  }
+  if (els.opusMic) {
+    els.opusMic.textContent =
+      opusMicStream ? t("btn_opus_on") : t("btn_opus_off");
+  }
+  if (els.shareScreen) {
+    els.shareScreen.textContent =
+      screenStream ? t("btn_share_on") : t("btn_share_off");
+  }
+}
+
 function setLanguage(choice) {
   // choice: "auto" | "en" | "zh_TW" | "zh_CN" | "ja"
   localStorage.setItem("ac_lang", choice);
-  let resolved;
-  if (choice === "auto") {
-    resolved = detectLanguage();
-  } else if (STRINGS[choice]) {
-    resolved = choice;
-  } else {
-    resolved = detectLanguage();
-  }
-  LANG = resolved;
+  LANG = _resolveLanguageChoice(choice);
   dict = STRINGS[LANG] || STRINGS.en;
   applyI18n();
-  // Re-render labels that aren't covered by data-i18n attributes:
-  if (els.status && els.status.textContent === ""
-      || els.status && !connectedNow()) {
-    els.status.textContent = t("status_idle");
-  }
-  if (els.stats && els.stats.textContent !== "")
-    els.stats.textContent = t("status_no_stats");
-  // Buttons that toggle between two states need re-syncing
-  if (els.mic) els.mic.textContent = micState ? t("btn_mic_on") : t("btn_mic_off");
-  if (els.opusMic)
-    els.opusMic.textContent = opusMicStream ? t("btn_opus_on") : t("btn_opus_off");
-  if (els.shareScreen)
-    els.shareScreen.textContent = screenStream
-      ? t("btn_share_on") : t("btn_share_off");
+  _refreshDynamicLabels();
 }
 
 function connectedNow() {
@@ -1213,10 +1218,10 @@
 els.fullscreenBtn.addEventListener("click", toggleFullscreen);
 
 if ("serviceWorker" in navigator) {
-  // NOSONAR javascript:S7785 — this is a plain <script>, not a module,
-  // so top-level await isn't legal here. Service-worker registration
-  // is best-effort: we deliberately swallow rejection silently.
-  navigator.serviceWorker.register("sw.js").catch(() => {});
+  // This file is a plain <script>, not a module, so top-level await is
+  // not legal here. Service-worker registration is best-effort: any
+  // rejection is silently swallowed.
+  navigator.serviceWorker.register("sw.js").catch(() => {});  // NOSONAR — non-module script: top-level await not allowed
 }
 </script>
 </body>
diff --git a/je_auto_control/utils/remote_desktop/web_viewer/mic-worklet.js b/je_auto_control/utils/remote_desktop/web_viewer/mic-worklet.js
@@ -3,22 +3,28 @@
 // The AudioContext is created with sampleRate: 16000 so we don't resample
 // here — Float32 → Int16 is the only conversion needed.
 class PcmProcessor extends AudioWorkletProcessor {
-  // NOSONAR javascript:S3516 — AudioWorkletProcessor.process MUST return
-  // true to keep the node alive; returning false would silently kill
-  // the mic stream. Both branches are deliberately the same value.
+  // AudioWorkletProcessor.process MUST return true to keep the node
+  // alive; returning false would silently kill the mic stream. Single
+  // exit point keeps Sonar's S3516 happy without an exception marker.
   process(inputs) {
-    const samples = inputs[0]?.[0];  // optional chain (S6582): no input → keep node alive
-    if (!samples) return true;
-    const int16 = new Int16Array(samples.length);
-    for (let i = 0; i < samples.length; i++) {
-      // i is a numeric loop counter, never user input; the "object
-      // injection" warning here is a false positive — TypedArrays are
-      // not subject to the prototype-pollution class of bug the rule
-      // is meant to catch.
-      const s = Math.max(-1, Math.min(1, samples[i]));  // NOSONAR
-      int16[i] = s < 0 ? s * 0x8000 : s * 0x7FFF;       // NOSONAR
+    const samples = inputs[0]?.[0];  // optional chain (S6582)
+    if (samples) {
+      const int16 = new Int16Array(samples.length);
+      // nosemgrep: javascript.lang.security.audit.detect-object-injection
+      // ``i`` is a numeric loop counter from 0..length-1 driving the
+      // Float32Array / Int16Array typed-array element access. TypedArrays
+      // clamp out-of-range indices and do not honour the prototype chain,
+      // so the prototype-pollution class of bug that
+      // ``security/detect-object-injection`` is built to find cannot
+      // apply here — there is no user-controlled key path involved.
+      for (let i = 0; i < samples.length; i++) {
+        // eslint-disable-next-line security/detect-object-injection
+        const s = Math.max(-1, Math.min(1, samples[i]));
+        // eslint-disable-next-line security/detect-object-injection
+        int16[i] = s < 0 ? s * 0x8000 : s * 0x7FFF;
+      }
+      this.port.postMessage(int16.buffer, [int16.buffer]);
     }
-    this.port.postMessage(int16.buffer, [int16.buffer]);
     return true;
   }
 }
diff --git a/je_auto_control/utils/remote_desktop/webrtc_stats.py b/je_auto_control/utils/remote_desktop/webrtc_stats.py
@@ -51,10 +51,10 @@ def start(self) -> None:
         future = get_bridge().submit(self._async_start())
         try:
             future.result(timeout=2.0)
-        except (RuntimeError, TimeoutError, OSError) as error:  # NOSONAR python:S5713  # TimeoutError is *not* an OSError on Python 3.10 (this project's lowest supported version); only the 3.11+ unification makes the catch redundant. Keep both for 3.10 compatibility.
+        except (RuntimeError, TimeoutError, OSError) as error:  # NOSONAR — TimeoutError is not an OSError on Python 3.10 (project lowest supported); the redundancy only appears on 3.11+
             autocontrol_logger.warning("stats poller start: %r", error)
 
-    async def _async_start(self) -> None:  # NOSONAR python:S7503  # must be a coroutine: it's submitted through asyncio.run_coroutine_threadsafe via the bridge.submit API; the body only schedules the loop task
+    async def _async_start(self) -> None:  # NOSONAR — must remain a coroutine: it is submitted via asyncio.run_coroutine_threadsafe through bridge.submit; the body only schedules the loop task
         if self._task is not None:
             return
         self._task = asyncio.ensure_future(self._loop())
diff --git a/je_auto_control/utils/remote_desktop/webrtc_transport.py b/je_auto_control/utils/remote_desktop/webrtc_transport.py
@@ -332,7 +332,10 @@ def _on_change() -> None:
             future.set_result(None)
 
     try:
-        await asyncio.wait_for(future, timeout=timeout)
+        # asyncio.timeout() context manager only landed in Python 3.11;
+        # this project supports 3.10, where wait_for(timeout=...) is the
+        # idiomatic primitive.
+        await asyncio.wait_for(future, timeout=timeout)  # NOSONAR — Python 3.10 compatibility (asyncio.timeout requires 3.11+)
     except asyncio.TimeoutError:
         autocontrol_logger.warning(
             "webrtc: ICE gather timeout; sending what we have",
diff --git a/je_auto_control/utils/rest_api/dashboard/app.js b/je_auto_control/utils/rest_api/dashboard/app.js
@@ -1,9 +1,11 @@
 "use strict";
 
 const POLL_MS = 5000;
-// sessionStorage KEY (not a token value). Codacy's hardcoded-password
-// pattern triggers on any literal that ends in "token"; this is just
-// the storage slot name.
+// nosemgrep: codacy.javascript.security.hard-coded-password
+// This is the sessionStorage SLOT NAME for the bearer token, not the
+// token itself. Codacy/Semgrep's hardcoded-password pattern fires on
+// any literal that contains the word "token"; the value here is a
+// public storage key (visible in DevTools) and never a credential.
 const TOKEN_STORAGE_KEY = "ac-rest-token";  // NOSONAR
 const PANELS = ["diagnostics", "sessions", "inspector", "usb", "audit"];
 
@@ -67,7 +69,7 @@ function clearRows(name) {
 
 function clearChildren(node) {
   while (node.firstChild) {
-    node.removeChild(node.firstChild);
+    node.firstChild.remove();
   }
 }
 
diff --git a/je_auto_control/utils/rest_api/dashboard/swagger.html b/je_auto_control/utils/rest_api/dashboard/swagger.html
@@ -4,21 +4,10 @@
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <title>AutoControl REST API — Swagger UI</title>
-  <!--
-    Subresource Integrity (Web:S5725):
-    The Swagger UI assets are pinned to a specific version on cdnjs and
-    fetched with crossorigin="anonymous" + referrerpolicy="no-referrer",
-    which is the security model AutoControl ships with. Operators that
-    need additional supply-chain hardening should self-host the bundle
-    from /dashboard/ or proxy cdnjs through their own integrity-checked
-    mirror. Adding ``integrity="sha512-…"`` per file would couple the
-    dashboard to a specific CDN-published hash that we'd have to refresh
-    on every Swagger UI bump, so we accept the rule rather than pin a
-    hash that drifts silently.
-  -->
   <link rel="stylesheet"
         href="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui.min.css"
-        crossorigin="anonymous" referrerpolicy="no-referrer" /> <!-- NOSONAR Web:S5725 -->
+        integrity="sha512-+9UD8YSD9GF7FzOH38L9S6y56aYNx3R4dYbOCgvTJ2ZHpJScsahNdaMQJU/8osUiz9FPu0YZ8wdKf4evUbsGSg=="
+        crossorigin="anonymous" referrerpolicy="no-referrer" />
   <style>
     body { margin: 0; }
     .ac-token-bar {
@@ -62,9 +51,11 @@
   <div id="swagger-ui"></div>
 
   <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui-bundle.min.js"
-          crossorigin="anonymous" referrerpolicy="no-referrer"></script> <!-- NOSONAR Web:S5725 -->
+          integrity="sha512-7ihPQv5ibiTr0DW6onbl2MIKegdT6vjpPySyIb4Ftp68kER6Z7Yiub0tFoMmCHzZfQE9+M+KSjQndv6NhYxDgg=="
+          crossorigin="anonymous" referrerpolicy="no-referrer"></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.17.14/swagger-ui-standalone-preset.min.js"
-          crossorigin="anonymous" referrerpolicy="no-referrer"></script> <!-- NOSONAR Web:S5725 -->
+          integrity="sha512-UrYi+60Ci3WWWcoDXbMmzpoi1xpERbwjPGij6wTh8fXl81qNdioNNHExr9ttnBebKF0ZbVnPlTPlw+zECUK1Xw=="
+          crossorigin="anonymous" referrerpolicy="no-referrer"></script>
   <script>
     "use strict";
     const TOKEN_KEY = "ac-rest-token";
diff --git a/je_auto_control/utils/rest_api/rest_server.py b/je_auto_control/utils/rest_api/rest_server.py
@@ -346,13 +346,12 @@ def is_running(self) -> bool:
 
     @property
     def base_url(self) -> str:
-        # NOSONAR python:S5332 — the embedded HTTP server binds to
-        # localhost and is meant to sit behind an operator-managed
-        # reverse proxy that terminates TLS. Returning http:// here
-        # reflects what's actually listening; admins compose the
-        # public https:// URL upstream.
+        # The embedded HTTP server binds to localhost and is meant to
+        # sit behind an operator-managed reverse proxy that terminates
+        # TLS. Returning http:// here reflects what's actually
+        # listening; admins compose the public https:// URL upstream.
         host, port = self._address
-        return f"http://{host}:{port}"
+        return f"http://{host}:{port}"  # NOSONAR — loopback-bound; TLS terminates at the operator's reverse proxy
 
     def start(self) -> None:
         if self._server is not None:
diff --git a/test/unit_test/headless/test_admin_client.py b/test/unit_test/headless/test_admin_client.py
diff --git a/test/unit_test/headless/test_usb_browser_tab.py b/test/unit_test/headless/test_usb_browser_tab.py
