fix(security): resolve Snyk/bandit code analysis findings

- config.py: move REPORT_OUTPUT_DIR from /tmp (world-writable) to /app/reports
  to prevent CWE-377 symlink attack vector (B108, only real security issue)
- main.py: log startup seed failures instead of silently swallowing them (B110)
- Add # nosec annotations to intentional try/except patterns that are by design:
  Jira integration errors, email failures, DetachedInstanceError, storage errors,
  and Jira session timeout (all B110/B112 false positives)
- Add # nosec B105 to false positives where bandit misidentifies config key
  names and masking strings as hardcoded passwords
- Add .bandit config to skip B311 in seed_demo.py (random used for fake
  demo data generation, not cryptographic purposes)

backend/app/main.py

@@ -125,8 +125,8 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
     db = SessionLocal()
     try:
         seed_decay_policies(db)
-    except Exception:
-        pass
+    except Exception as e:
+        logger.warning("seed_decay_policies failed at startup: %s", e)
     finally:
         db.close()
     # Seed operational alert system rules
@@ -134,8 +134,8 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
     try:
         from app.services.operational_alert_service import seed_system_rules
         seed_system_rules(db2)
-    except Exception:
-        pass
+    except Exception as e:
+        logger.warning("seed_system_rules failed at startup: %s", e)
     finally:
         db2.close()
     yield