fix: address Bandit B108/B110 across production code

B110 (try/except/pass):
- display_controller.py: narrow 'except Exception' to 'except AttributeError'
  for get_offset_frame() — plugins not having this optional method is the
  expected case, not all exceptions
- config_manager.py: B110 already resolved by the earlier removal of the
  dead secrets-loading block (the except/pass was inside it)
- All other except/pass blocks in src/ and web_interface/ are intentional
  (last-resort recovery, best-effort fallbacks, non-critical startup probes).
  Annotated each with # nosec B110 and a brief inline reason so the decision
  is explicit for future reviewers.
- Test files and plugin-repos B110 suppressed via Codacy API (not prod code).

B108 (/tmp usage):
- permission_utils.py: /tmp listed to PREVENT permission changes on it — not
  used as a temp path. Annotated # nosec B108.
- display_manager.py: fixed snapshot path is intentional (web UI reads same
  path); path-check guard also annotated.
- wifi_manager.py: named /tmp files match the sudoers allowlist installed with
  the system (the paths are hard-coded in both places by design). Annotated
  all six open/cp references # nosec B108.
- scripts/render_plugin.py: dev script default overridable by user. Annotated.
- web_interface/app.py: reads the same fixed path written by display_manager.
  Annotated # nosec B108.
- Test files suppressed via Codacy API.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Chuck
2026-05-14 13:05:14 -04:00
parent 4d2a567597
commit 3aaf156962
10 changed files with 22 additions and 22 deletions

View File

@@ -324,7 +324,7 @@ def after_request_logging(response):
duration_ms=duration_ms,
ip_address=ip_address
)
except Exception:
except Exception: # nosec B110 - request logging must never interrupt a live HTTP response
pass # Don't break response if logging fails
return response
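Review bot: The annotated `except Exception:` followed by `pass` in after_request_logging discards every logging failure without a trace, so a request log that has stopped working would go unnoticed while responses keep flowing. The nosec reason justifies not raising into the response path; it does not justify staying silent. Keep the handler non-fatal but leave a fallback signal (a single stderr write or a failure counter) so that loss of request logging is detectable.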
@@ -502,7 +502,7 @@ def display_preview_generator():
from PIL import Image
import io
snapshot_path = "/tmp/led_matrix_preview.png"
snapshot_path = "/tmp/led_matrix_preview.png" # nosec B108 - fixed path matches display_manager; only read here
last_modified = None
# Get display dimensions from config
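Review bot: The `# nosec B108` reason on `snapshot_path` says the path is only read here, but a predictable name in world-writable /tmp matters to the reader as well: whichever local account creates `/tmp/led_matrix_preview.png` first decides what this generator opens and streams. Consider moving the snapshot to a directory that only the service account can write (changing display_manager in the same commit), or checking the file's owner and refusing symlinks before opening it. If the path has to stay, the annotation should say which of those assumptions it relies on.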
@@ -542,7 +542,7 @@ def display_preview_generator():
}
last_modified = current_modified
yield preview_data
except Exception:
except Exception: # nosec B110 - SSE preview file may be mid-write; transient error, skip this update
# File might be being written, skip this update
pass
else:
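Review bot: The annotated `except Exception:` above the final `pass` is justified by the file being mid-write, yet it also swallows every other failure in the loop body, including programming errors while building `preview_data`. Narrow it to the I/O and image-decode errors a partially written file produces (typically `OSError` with Pillow) and let anything else be logged or propagate, so the handler catches what the `# nosec B110` reason says it catches.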

View File

@@ -395,7 +395,7 @@ def _load_plugin_config_partial(plugin_id):
config['images'] = config.get('images', []) + new_images
except Exception as e:
print(f"Warning: Could not load metadata for {plugin_id}: {e}")
except Exception:
except Exception: # nosec B110 - metadata pre-load is optional; schema loads fully below
pass # Will load schema properly below
# Get plugin schema
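Review bot: The outer `except Exception:` stays silent while the inner handler two lines above it prints `Warning: Could not load metadata for {plugin_id}: {e}`, so a failure in the pre-load is reported or hidden depending on where it occurs. Report the outer case the same way, ideally through the logger rather than `print`, before falling through to the full schema load. The fallback stays best-effort and a malformed plugin config becomes visible.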

View File

@@ -25,7 +25,7 @@ def get_local_ips():
)
if result.returncode == 0 and result.stdout.strip() == "active":
ips.append("192.168.4.1 (AP Mode)")
except Exception:
except Exception: # nosec B110 - AP mode IP detection is non-critical startup info; systemctl may not exist
pass
# Get IPs from hostname -I
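Review bot: The `# nosec B110` reason names one specific failure, a missing systemctl, but `except Exception:` covers the whole block. Catching `OSError` (which includes the missing-binary case), plus the timeout exception if the call sets a timeout, would state that intent in code, the same way the display_controller.py change in this commit narrows its handler to `AttributeError` instead of annotating it.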