Wire bandit into make ci, scan tests/ too, update CLAUDE.md

Wanted make ci to be the one command that catches everything locally -- same as what the GitHub Action runs. Two things were missing:
- bandit wasn't in requirements.txt (so the venv didn't have it)
- the GH Action was only scanning bitmath/, skipping tests/

Changes:
- Add bandit to requirements.txt
- Add ci-bandit target, scanning bitmath/ and tests/ with -r -v
- Wire ci-bandit into the ci chain between ci-pylint and ci-unittests
- Update GH Action to pass targets: "bitmath/ tests/"
- Update CLAUDE.md: versioning section (VERSION is the single source of truth), security scan section

Author: timlnx

.github/workflows/bandit.yml

@@ -23,3 +23,5 @@ jobs:
 
       - name: Perform Bandit Analysis
         uses: PyCQA/bandit-action@v1
+        with:
+          targets: "bitmath/ tests/"

CLAUDE.md

@@ -27,11 +27,14 @@ Phases 1 (maintenance 1.4.0) and 2 (bitmath 2.0.0) are complete. The project:
 ## Common Commands
 
 ```bash
-# Run the full test suite with coverage (creates venv, runs pytest + linting)
+# Run the full test suite with coverage (creates venv, runs pytest + linting + bandit)
 make ci
 
+# Run security scan only
+make ci-bandit
+
 # Run linting only
-ruff check bitmath/ tests/
+make ci-pylint
 
 # Build a wheel
 make build
@@ -66,6 +69,14 @@ All unit values are normalized to bits internally; conversion between units happ
 
 **Constants:** `NIST`, `SI`, `NIST_PREFIXES`, `SI_PREFIXES`, `ALL_UNIT_TYPES`
 
+## Versioning
+
+The single source of truth for the version is the `VERSION` file. `pyproject.toml` reads it dynamically via `[tool.hatch.version]` — do not edit the version in `pyproject.toml` directly. The `Makefile` also reads `VERSION` for docs, man pages, and RPM builds. To bump the version, edit `VERSION` only.
+
+## Security Scanning
+
+Bandit runs as part of `make ci` via the `ci-bandit` target, scanning both `bitmath/` and `tests/`. It also runs as a GitHub Actions workflow (`.github/workflows/bandit.yml`) on push/PR to master and weekly. No issues were present as of 2.0.2.
+
 ## Testing Notes
 
 - Test runner: `pytest`

Makefile

@@ -216,5 +216,12 @@ ci-pylint:
 	@echo "#################################################"
 	. $(NAME)env3/bin/activate && pylint bitmath/__init__.py
 
-ci: clean uniquetestnames virtualenv ci-list-deps ci-pycodestyle ci-pylint ci-unittests
+ci-bandit:
+	@echo ""
+	@echo "#############################################"
+	@echo "# Running Bandit Security Scan in virtualenv"
+	@echo "#############################################"
+	. $(NAME)env3/bin/activate && bandit -r -v bitmath/ tests/
+
+ci: clean uniquetestnames virtualenv ci-list-deps ci-pycodestyle ci-pylint ci-bandit ci-unittests
 	:

requirements.txt

@@ -1,3 +1,4 @@
+bandit
 pycodestyle
 pylint
 pytest