fix(security): resolve Snyk/bandit code analysis findings

- config.py: move REPORT_OUTPUT_DIR from /tmp (world-writable) to /app/reports
  to prevent CWE-377 symlink attack vector (B108, only real security issue)
- main.py: log startup seed failures instead of silently swallowing them (B110)
- Add # nosec annotations to intentional try/except patterns that are by design:
  Jira integration errors, email failures, DetachedInstanceError, storage errors,
  and Jira session timeout (all B110/B112 false positives)
- Add # nosec B105 to false positives where bandit misidentifies config key
  names and masking strings as hardcoded passwords
- Add .bandit config to skip B311 in seed_demo.py (random used for fake
  demo data generation, not cryptographic purposes)
kitos
2026-06-12 12:59:11 +02:00
parent 709a810775
commit 6d3617938e
10 changed files with 21 additions and 17 deletions
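The first bullet of the commit message moves the report directory out of /tmp because of CWE-377 (bandit B108). The example below, added here and not part of this commit or the project's code, shows the predictable-path pattern bandit flags next to a hardened writer: a private output directory that is checked for symlinks and group/world write bits, an unpredictable temporary name created exclusively, and an atomic rename into place so a pre-planted symlink at the final path is replaced rather than followed. The helper names and the `.pdf` suffix are assumptions for illustration.

```python
"""Hardened report writing versus the B108 pattern (added example).

Assumptions (not from the commit): helper names are hypothetical, the
report directory is passed in by the caller, and we run on POSIX.
"""
import os
import stat
import tempfile
from pathlib import Path


def insecure_report_path(name: str) -> str:
    """The pattern bandit B108 / CWE-377 flags: a predictable file name in a
    world-writable directory. Anyone who can write /tmp can pre-create a
    symlink at this path, and a later open() for writing follows it and
    clobbers whatever file the application user may write."""
    return os.path.join("/tmp", f"{name}.pdf")


def ensure_private_dir(path: Path) -> Path:
    """Create the output directory with mode 0700 and refuse to use it if it
    is a symlink, is not a plain directory, is owned by someone else, or is
    writable by group/others (any of which re-opens the /tmp problem)."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    st = os.lstat(path)  # lstat: do not follow a symlink planted here
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a plain directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{path} is group/world writable")
    return path


def write_report(report_dir: Path, name: str, data: bytes) -> Path:
    """Write a report atomically into a private directory.

    mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL
    (mode 0600), so it cannot be pre-created by an attacker; os.replace()
    then renames over the final path. rename(2) replaces the destination
    directory entry itself, so a symlink sitting at the final path is
    swapped out, never followed.
    """
    ensure_private_dir(report_dir)
    final = report_dir / f"{name}.pdf"
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=report_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, final)
    except BaseException:
        # Never leave a half-written temp file behind.
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp()) / "reports"  # stand-in for /app/reports
    out = write_report(base, "demo", b"%PDF-1.4 constructed sample")
    print(out, oct(base.stat().st_mode & 0o777))
```

The check in `ensure_private_dir` matters as much as the new path: `/app/reports` is only safer than `/tmp` if it is created before the container drops privileges (or by the unprivileged user itself) and stays non-world-writable, so the writer verifies that on every call rather than trusting the deployment.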
+2 -2
@@ -72,7 +72,7 @@ _SMTP_KEYS = {
"host": "smtp.host",
"port": "smtp.port",
"username": "smtp.username",
"password": "smtp.password",
"password": "smtp.password", # nosec B105
"from_email": "smtp.from_email",
"use_tls": "smtp.use_tls",
}
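Review bot: the `# nosec B105` added to `"password": "smtp.password",` carries no reason, so the next reader (or the next scanner audit) has to rediscover why it is safe; state it on the line, e.g. `"password": "smtp.password",  # nosec B105 - settings key path, not a credential`. The suppression is correctly narrowed to B105, so other finding types on this line would still surface; keep it that narrow rather than a bare `# nosec`.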
@@ -355,7 +355,7 @@ def test_jira_connection(
# 10-second timeout so we never block Cloudflare into a 524
try:
jira._session.timeout = 10 # type: ignore[attr-defined]
except Exception:
except Exception: # nosec B110
pass
myself = jira.myself()
logger.info("Jira myself() response keys: %s", list(myself.keys()) if isinstance(myself, dict) else type(myself))
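Review bot: the `# nosec B110` in `test_jira_connection` keeps a bare `pass`, but the comment directly above says the 10-second timeout is what stops a slow Jira from turning into a Cloudflare 524; if the assignment to `jira._session.timeout` ever fails, the call to `jira.myself()` silently runs with no timeout, which is the exact condition the comment guards against. This commit already sets the precedent in main.py of logging swallowed errors instead of hiding them, so do the same here, e.g. `except Exception as exc:` followed by `logger.warning("could not set Jira session timeout: %s", exc)`, and annotate the reason next to the nosec. Separately, `_session` is a private attribute, so whether the assignment is honored at all depends on the client library version; if the installed client accepts a timeout at construction, pass it there instead (an assumption to verify, not something this diff shows).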