fix(security): move nosemgrep to same line as subprocess call

Semgrep requires the suppression comment to be on the exact line of the
finding. Preceding-line comments are not reliably associated with the
call when both the finding and suppression are new (introduced in this PR).

Moved all five nosemgrep suppressions to inline on the subprocess.run()
/ Popen() line itself, using the full rule ID:
  python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: harmjeff

scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/claude_code_sdk.py

@@ -299,9 +299,7 @@ def _exec_tool(name: str, tool_input: dict, run_folder: Path, rules_dir: Path) -
                 if (val := os.environ.get(var)):
                     env[var] = val
             try:
-                # nosec B603 - shlex.split with shell=False, path validated via _resolve_safe
-                # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
-                result = subprocess.run(
+                result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
                     shlex.split(command),
                     shell=False,
                     cwd=str(cwd),

scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/kiro_cli.py

@@ -171,9 +171,7 @@ def _run_kiro_stage(stage_prompt: str, stage_name: str, is_first: bool) -> tuple
 
                 _log(f"{stage_name}: launching kiro ({len(stage_prompt)} chars)")
 
-                # nosec B603 - Executing user's Kiro CLI with validated configuration
-                # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
-                proc = subprocess.Popen(
+                proc = subprocess.Popen(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
                     cmd,
                     cwd=str(workspace),
                     stdout=subprocess.PIPE,

scripts/aidlc-evaluator/run.py

@@ -93,9 +93,7 @@ def check_docker_sandbox() -> bool:
     if cli is None:
         return False
     try:
-        # nosec B603 - Static container CLI info command for sandbox availability check
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
-        result = subprocess.run(
+        result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
             [cli, "info"],
             stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL,
@@ -104,9 +102,7 @@ def check_docker_sandbox() -> bool:
         if result.returncode != 0:
             return False
 
-        # nosec B603 - Static container CLI images command with fixed arguments
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
-        result = subprocess.run(
+        result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
             [cli, "images", "-q", "aidlc-sandbox:latest"],
             capture_output=True,
             text=True,

scripts/aidlc-evaluator/scripts/run_git_compare.py

@@ -367,9 +367,7 @@ def run_single_evaluation(
         log_file.write(f"{'=' * 70}\n\n")
         log_file.flush()
 
-        # nosec B603 - Executing trusted run_evaluation.py with git-compare config
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
-        result = subprocess.run(cmd, stdout=log_file, stderr=subprocess.STDOUT)
+        result = subprocess.run(cmd, stdout=log_file, stderr=subprocess.STDOUT)  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
 
     elapsed_s = time.monotonic() - start_monotonic
     status = "success" if result.returncode == 0 else "failed"