chore(ci): add bandit and vulture to pre-commit hooks

Standard --severity-level=low --confidence-level=low thresholds with
B110/B112/B311 skipped (graceful-degradation patterns, non-crypto
random). Existing findings are tracked in issue #221.

Author: markuslf

.pre-commit-config.yaml

@@ -25,3 +25,20 @@ repos:
       - id: 'end-of-file-fixer'
       - id: 'mixed-line-ending'
       - id: 'trailing-whitespace'
+
+  - repo: 'https://github.com/PyCQA/bandit'
+    rev: '1.9.4'
+    hooks:
+      - id: 'bandit'
+        args:
+          - '--severity-level=low'
+          - '--confidence-level=low'
+          - '--skip=B110,B112,B311'  # graceful-degradation patterns, non-crypto randomness
+        types_or: ['python']
+
+  - repo: 'https://github.com/jendrikseipp/vulture'
+    rev: 'v2.16'
+    hooks:
+      - id: 'vulture'
+        args: ['--min-confidence=80']
+        types_or: ['python']

CHANGELOG.md

@@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+* **ci**: Add bandit (security) and vulture (dead code) to pre-commit hooks
+
 ### Fixed
 
 * **execution-environment**: Add missing `sshpass` system package, required for SSH password-based connections (e.g. `--ask-pass`)