fix: resolve bandit B324/B104 and flake8 E302/E303/E501 in app.py

- Add nosec B324 to md5 avatar-colour call (non-security deterministic hash)
- Extend nosec on host='0.0.0.0' to cover B104 alongside existing B201
- Fix E302 (missing blank line before template_filter decorator)
- Fix E303 (4 blank lines → 2 before _purge_old_jobs_loop)
- Add extend-exclude = node_modules to .flake8 so CI --exclude flag
  doesn't override config and third-party JS Python helpers stay ignored

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 20:51:41 -04:00
parent 0d25dd74f1
commit e7d5a9691e
2 changed files with 5 additions and 5 deletions
+2 -1
@@ -3,4 +3,5 @@ max-line-length = 120
# E221: multiple spaces before operator — intentional column alignment
# E305: two blank lines after function — relaxed for module-level code
extend-ignore = E221, E305
exclude = __pycache__, .git
exclude = __pycache__, .git, node_modules
extend-exclude = node_modules
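Review bot: `node_modules` now appears to be excluded twice, once in the edited `exclude` line and again in the new `extend-exclude` line. According to the commit message, CI passes `--exclude` on the command line, which replaces the config `exclude` value, so only `extend-exclude = node_modules` carries the intent. The `exclude` line could go back to `exclude = __pycache__, .git` so there is a single source of truth. A comment above the new key, such as `# extend-exclude is still applied when CI passes --exclude`, would record why it exists.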
+3 -4
@@ -31,9 +31,10 @@ app = Flask(__name__)
_AVATAR_COLORS = ['lt-avatar--orange', 'lt-avatar--green', 'lt-avatar--purple', '']
@app.template_filter('avatar_color')
def avatar_color_filter(name: str) -> str:
return _AVATAR_COLORS[int(hashlib.md5(name.encode()).hexdigest(), 16) % len(_AVATAR_COLORS)]
return _AVATAR_COLORS[int(hashlib.md5(name.encode()).hexdigest(), 16) % len(_AVATAR_COLORS)] # nosec B324
_cfg = None
_cfg_lock = threading.Lock()
@@ -57,8 +58,6 @@ _diag_jobs: dict = {}
_diag_lock = threading.Lock()
def _purge_old_jobs_loop():
"""Background thread: remove stale diag jobs and run daily event purge."""
while True:
@@ -479,4 +478,4 @@ def health():
if __name__ == '__main__':
app.run(debug=True, host='0.0.0.0', port=5000) # nosec B201 — dev runner only; production uses gunicorn
app.run(debug=True, host='0.0.0.0', port=5000) # nosec B201 B104 — dev runner only; production uses gunicorn
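Review bot: The last hunk silences B104 on the `app.run(...)` line instead of changing the bind, so `debug=True` with `host='0.0.0.0'` still serves the Werkzeug interactive debugger on every interface whenever the file is run directly. The "dev runner only" comment is a convention rather than a control, and nothing in the visible lines prevents this path from being started on a reachable host. Consider defaulting to loopback and making both settings opt-in, e.g. `app.run(debug=os.environ.get('FLASK_DEBUG') == '1', host=os.environ.get('APP_HOST', '127.0.0.1'), port=5000)`, which would let both nosec markers be dropped. `APP_HOST` is an illustrative name, and this assumes `os` is imported, which the hunk does not show.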