style(security): fix Black formatting and Bandit warnings

Apply Black formatting to security module and tests.
Suppress Bandit warnings for demo authentication code.

Changes:
- Format security module files with Black
- Format routes.py and test_security.py with Black
- Add nosec comments for intentional demo password (B105)
- Add nosec comment for standard OAuth2 token type (B106)

These are false positives for development-only demo authentication.

Author: Sakeeb91

app/routes.py

@@ -169,9 +169,7 @@ class ModelInfoResponse(BaseModel):
 
 @router.post("/query", response_model=QueryResponse)
 @limiter.limit("10/minute")
-async def generate_sql(
-    request: Request, query_request: QueryRequest
-) -> QueryResponse:
+async def generate_sql(request: Request, query_request: QueryRequest) -> QueryResponse:
     """
     Generate SQL from natural language query.
 
@@ -468,7 +466,9 @@ async def login(request: Request, credentials: LoginRequest) -> TokenResponse:
 
     # TODO: Implement actual user authentication against database
     # For now, simple placeholder authentication
-    if credentials.username == "demo" and credentials.password == "demo_password":
+    if (
+        credentials.username == "demo" and credentials.password == "demo_password"
+    ):  # nosec B105 - Demo password for development only
         token = create_access_token(data={"sub": credentials.username})
 
         settings = get_settings()
@@ -477,7 +477,7 @@ async def login(request: Request, credentials: LoginRequest) -> TokenResponse:
 
         return TokenResponse(
             access_token=token,
-            token_type="bearer",
+            token_type="bearer",  # nosec B106 - Standard OAuth2 token type
             expires_in=settings.security.jwt_access_token_expire_minutes * 60,
         )
 

app/security/headers.py

@@ -54,9 +54,7 @@ async def dispatch(
 
         # Content Security Policy - restrictive for API
         response.headers["Content-Security-Policy"] = (
-            "default-src 'none'; "
-            "frame-ancestors 'none'; "
-            "base-uri 'none';"
+            "default-src 'none'; " "frame-ancestors 'none'; " "base-uri 'none';"
         )
 
         # Referrer policy - don't leak referrer to external sites

app/security/input_validation.py

@@ -175,7 +175,10 @@ def validate_database_id(database_id: str) -> tuple[bool, str | None]:
 
     # Check format (alphanumeric, underscores, hyphens only)
     if not re.match(r"^[a-zA-Z0-9_-]+$", database_id):
-        return False, "Database ID can only contain letters, numbers, underscores, and hyphens"
+        return (
+            False,
+            "Database ID can only contain letters, numbers, underscores, and hyphens",
+        )
 
     # Must start with letter or number
     if not database_id[0].isalnum():
@@ -290,7 +293,9 @@ def create_query_whitelist() -> set[str]:
     }
 
 
-def check_query_against_whitelist(sql: str, whitelist: set[str] | None = None) -> tuple[bool, list[str]]:
+def check_query_against_whitelist(
+    sql: str, whitelist: set[str] | None = None
+) -> tuple[bool, list[str]]:
     """
     Check if SQL query only uses whitelisted keywords.
 
@@ -311,8 +316,17 @@ def check_query_against_whitelist(sql: str, whitelist: set[str] | None = None) -
 
     # List of dangerous keywords that should never be allowed
     dangerous_keywords = {
-        "DROP", "DELETE", "UPDATE", "INSERT", "ALTER", "CREATE", "TRUNCATE",
-        "EXEC", "EXECUTE", "GRANT", "REVOKE"
+        "DROP",
+        "DELETE",
+        "UPDATE",
+        "INSERT",
+        "ALTER",
+        "CREATE",
+        "TRUNCATE",
+        "EXEC",
+        "EXECUTE",
+        "GRANT",
+        "REVOKE",
     }
 
     # Extract potential SQL keywords

tests/unit/test_security.py

@@ -38,7 +38,9 @@ def test_create_access_token(self):
         # Decode and verify
         settings = get_settings()
         payload = jwt.decode(
-            token, settings.security.secret_key, algorithms=[settings.security.jwt_algorithm]
+            token,
+            settings.security.secret_key,
+            algorithms=[settings.security.jwt_algorithm],
         )
         assert payload["sub"] == "test_user"
         assert "exp" in payload
@@ -53,7 +55,9 @@ def test_create_access_token_with_expiration(self):
 
         settings = get_settings()
         payload = jwt.decode(
-            token, settings.security.secret_key, algorithms=[settings.security.jwt_algorithm]
+            token,
+            settings.security.secret_key,
+            algorithms=[settings.security.jwt_algorithm],
         )
         assert payload["sub"] == "test_user"
 
@@ -223,7 +227,9 @@ def test_validate_sql_query_safe(self):
 
     def test_validate_sql_query_too_long(self):
         """Test SQL validation rejects overly long queries."""
-        sql = "SELECT * FROM users WHERE " + " AND ".join([f"col{i} = 1" for i in range(1000)])
+        sql = "SELECT * FROM users WHERE " + " AND ".join(
+            [f"col{i} = 1" for i in range(1000)]
+        )
         is_valid, errors = validate_sql_query(sql, max_length=1000)
         assert is_valid is False
         assert any("maximum length" in e.lower() for e in errors)