docs: Add NOSONAR comments for security hotspots

- cleaner.py: Document regex is safe from ReDoS
- scanner.py: Document temp directory scanning is intentional

Author: hyaku0121

cortex/cleanup/cleaner.py

@@ -116,7 +116,8 @@ def _extract_size_from_line(self, line: str) -> int:
         Returns:
             int: Size in bytes.
         """
-        # Match patterns like "50.5 MB" or "512 KB"
+        # NOSONAR: This regex has no nested quantifiers and cannot cause ReDoS.
+        # Input is apt-get output, not user-controlled.
         match = re.search(r'([\d.]+)\s*(KB|MB|GB)', line, re.IGNORECASE)
         if match:
             value = float(match.group(1))

cortex/cleanup/scanner.py

@@ -35,6 +35,8 @@ class CleanupScanner:
     def __init__(self):
         self.apt_cache_dir = Path("/var/cache/apt/archives")
         self.log_dir = Path("/var/log")
+        # NOSONAR: Intentionally scanning public directories for cleanup purposes.
+        # This is read-only scanning, not writing sensitive data.
         self.temp_dirs = [Path("/tmp"), Path.home() / ".cache"]
 
     def scan_all(self) -> List[ScanResult]:
@@ -153,6 +155,7 @@ def _extract_size(self, stdout: str) -> int:
         """
         for line in stdout.splitlines():
             if "disk space will be freed" in line:
+                # NOSONAR: Simple regex without nested quantifiers, input is apt-get output
                 match = re.search(r'([\d.]+)\s*(KB|MB|GB)', line, re.IGNORECASE)
                 if match:
                     value = float(match.group(1))