@theagenticguy theagenticguy commented Oct 16, 2025

Fixes

Summary

Expands blocklist for potentially harmful code execution

Changes

  • Adds AST-based checks to block import statements in AI generated code
  • Explicitly disallows an unsafe, deprecated built-in
  • Updates minimum Python version to block deprecated built-ins

User experience

No change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? (Y/N)

RFC issue number:

Checklist:

  • Migration process documented
  • Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@Copilot Copilot AI review requested due to automatic review settings October 16, 2025 19:27
@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances security for AI-generated diagram code by implementing AST-based validation to block import statements and adding checks for potentially harmful built-in functions. The changes enforce stricter Python version requirements (≥3.12) and update dependencies to address security vulnerabilities.

Key changes:

  • Implements AST parsing to detect and block both import and from ... import statements in generated code
  • Adds spawn to the list of dangerous functions that are explicitly blocked
  • Updates minimum Python version from 3.10 to 3.12 and refreshes all dependencies to latest secure versions

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File | Description
pyproject.toml | Updates Python version requirement to ≥3.12, upgrades all dependencies to latest versions, and reformats configuration sections
scanner.py | Adds AST-based import statement detection in validate_syntax() and adds spawn to dangerous functions blocklist
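
Added example, not part of the pull request or of any comment in this thread: one way an AST-based check of the kind described above can flag `import` / `from ... import` statements and calls to blocklisted names in generated code. The names `find_blocked_constructs`, `BLOCKED_CALLS` and `SAMPLE` are hypothetical, and the blocklist contents are an assumption (the page names only `spawn`).

```python
import ast

# Assumed blocklist for illustration; the page only names `spawn` explicitly.
BLOCKED_CALLS = {"exec", "eval", "spawn", "__import__"}


def find_blocked_constructs(source: str) -> list[tuple[int, str]]:
    """Return sorted (line, description) findings; an empty list means nothing was flagged."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Code that does not parse is reported rather than passed through unchecked.
        return [(exc.lineno or 0, f"syntax error: {exc.msg}")]

    findings = []
    for node in ast.walk(tree):  # visits nested blocks too, not just top-level statements
        if isinstance(node, ast.Import):
            names = ", ".join(alias.name for alias in node.names)
            findings.append((node.lineno, f"import {names}"))
        elif isinstance(node, ast.ImportFrom):
            module = "." * node.level + (node.module or "")
            names = ", ".join(alias.name for alias in node.names)
            findings.append((node.lineno, f"from {module} import {names}"))
        elif isinstance(node, ast.Call):
            func = node.func
            # Match both bare calls (spawn(...)) and attribute calls (obj.spawn(...)).
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in BLOCKED_CALLS:
                findings.append((node.lineno, f"call to {name}()"))
    return sorted(findings)


# Constructed sample of generated diagram code, not taken from the project.
SAMPLE = '''\
with Diagram("web"):
    lb = ELB("lb")
    if True:
        from os import path
    import   subprocess as sp; sp.spawn("x")
'''

if __name__ == "__main__":
    for line, description in find_blocked_constructs(SAMPLE):
        print(f"line {line}: {description}")
```

Because the check works on the parsed tree, a string literal that merely contains the word `import` is not flagged, while an import nested inside a block or written with unusual spacing is.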

@MichaelWalker-git MichaelWalker-git left a comment

LGTM

codecov bot commented Oct 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.44%. Comparing base (5cf3b2c) to head (fd709de).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1528   +/-   ##
=======================================
  Coverage   89.44%   89.44%           
=======================================
  Files         724      724           
  Lines       50959    50966    +7     
  Branches     8144     8147    +3     
=======================================
+ Hits        45581    45588    +7     
  Misses       3467     3467           
  Partials     1911     1911           

@MichaelWalker-git MichaelWalker-git left a comment

LGTM

@scottschreckengaust scottschreckengaust added the hold-merging Signals to hold the PR from merging label Oct 16, 2025
@MichaelWalker-git MichaelWalker-git dismissed their stale review October 16, 2025 22:10

Instructed to wait for app-sec engineer

@scottschreckengaust scottschreckengaust self-assigned this Oct 16, 2025