fix(security): suppress pre-existing semgrep urllib finding in agent/src/config.py

## Problem
The pre-push hook's `security:sast` semgrep scan flags a pre-existing finding in `agent/src/config.py:165`:

```
python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
```

> Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files.

This blocks `git push` for any branch, even when the change is unrelated to this file.

## Context
- The line already has a `# noqa: S310` bandit suppression
- The URL is constructed from a hardcoded OAuth token endpoint (not user-controlled input)
- CI on `main` passes — the pre-push hook is stricter than CI's semgrep config
- Introduced in commit `08b91bf` (PR #160, Linear OAuth migration)

## Acceptance criteria
- [ ] Add `# nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected` inline comment at line 165
- [ ] Verify `mise run security:sast` passes cleanly
- [ ] Confirm pre-push hook passes

## Labels
`bug`, `good first issue`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(security): suppress pre-existing semgrep urllib finding in agent/src/config.py #196

Problem

Context

Acceptance criteria

Labels

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

fix(security): suppress pre-existing semgrep urllib finding in agent/src/config.py #196

Description

Problem

Context

Acceptance criteria

Labels

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions