ruff
e1f1875f - [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Committed 2 days ago
## Summary

Fixes #18863

Rewrites `parse_mask` as a known-bits abstract domain over `u64`, so partial bitwise expressions (`|`, `&`, `^`) are tracked through unknown operands. This fixes:

- `mode | 0o777` — previously unflagged, now reports the statically-known dangerous bits.
- `0o777777 & 0o700` — previously a false positive (u16 overflow), now correctly silent.
- `0o777777 & 0o777` — now flagged as permissive, not "invalid mask".

"Invalid mask" now triggers when a bit outside `0o7777` is statically set, keeping `0o1000` (sticky) valid per the RUF064 note.

Under preview, the dangerous-bit set matches upstream Bandit (`0o33`) instead of the current `0o12`.

## Test Plan

- New fixture cases for each repro + partial `|`/`&` edges; stable snapshot updated, preview diff snapshot added.
- `cargo nextest run -p ruff_linter -- flake8_bandit`.
- Ecosystem checks ran locally.
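The known-bits domain the commit describes, as an added example that is not ruff's `parse_mask` implementation: each abstract value records which bits of a `u64` are statically determined and what they are, `|`, `&` and `^` are lifted onto that representation, and a verdict is derived from the bits known to be 1. The `Expr` enum is a hypothetical stand-in for the Python AST ruff walks, `classify` is a hypothetical reconstruction of the S103 decision from the commit message, and the `0o12` / `0o33` constants and the `0o7777` bound are the values the message quotes.

```rust
// Added example, not ruff's code. `Expr`, `eval` and `classify` are hypothetical
// stand-ins for the AST walk and the S103 decision described in the commit.

/// Abstract value: `known` marks bits whose value is statically determined,
/// `value` holds those bits (bits outside `known` are kept at 0).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct KnownBits {
    pub known: u64,
    pub value: u64,
}

impl KnownBits {
    /// Nothing is known, e.g. a runtime variable such as `mode`.
    pub const UNKNOWN: KnownBits = KnownBits { known: 0, value: 0 };

    /// An integer literal: every bit is known.
    pub fn constant(v: u64) -> Self {
        KnownBits { known: u64::MAX, value: v }
    }

    /// Bits statically known to be 1.
    pub fn ones(self) -> u64 {
        self.value & self.known
    }

    /// Bits statically known to be 0.
    pub fn zeros(self) -> u64 {
        !self.value & self.known
    }

    /// `a | b`: a bit is 1 if either side has a known 1, and 0 only if both have a known 0.
    pub fn or(self, rhs: Self) -> Self {
        let ones = self.ones() | rhs.ones();
        let zeros = self.zeros() & rhs.zeros();
        KnownBits { known: ones | zeros, value: ones }
    }

    /// `a & b`: a bit is 1 only if both sides have a known 1, and 0 if either has a known 0.
    pub fn and(self, rhs: Self) -> Self {
        let ones = self.ones() & rhs.ones();
        let zeros = self.zeros() | rhs.zeros();
        KnownBits { known: ones | zeros, value: ones }
    }

    /// `a ^ b`: a bit is known only where both sides are known.
    pub fn xor(self, rhs: Self) -> Self {
        let known = self.known & rhs.known;
        KnownBits { known, value: (self.value ^ rhs.value) & known }
    }
}

/// Hypothetical stand-in for the Python expression AST.
pub enum Expr {
    Int(u64),
    Name, // an unknown runtime value
    Or(Box<Expr>, Box<Expr>),
    And(Box<Expr>, Box<Expr>),
    Xor(Box<Expr>, Box<Expr>),
}

/// Abstract interpretation of an expression; unknown operands stay unknown.
pub fn eval(expr: &Expr) -> KnownBits {
    match expr {
        Expr::Int(v) => KnownBits::constant(*v),
        Expr::Name => KnownBits::UNKNOWN,
        Expr::Or(a, b) => eval(a).or(eval(b)),
        Expr::And(a, b) => eval(a).and(eval(b)),
        Expr::Xor(a, b) => eval(a).xor(eval(b)),
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    InvalidMask,     // a bit outside 0o7777 is statically set
    Permissive(u64), // these dangerous bits are statically set
    Ok,              // no dangerous bit is known to be set
}

pub const MODE_BITS: u64 = 0o7777; // rwxrwxrwx plus setuid/setgid/sticky
pub const DANGEROUS_STABLE: u64 = 0o12; // current set, per the commit message
pub const DANGEROUS_PREVIEW: u64 = 0o33; // upstream Bandit set, per the commit message

/// Hypothetical reconstruction of the S103 decision: only bits known to be 1
/// count, so `mode & 0o700` and `mode ^ 0o2` are silent while `mode | 0o777` is not.
pub fn classify(mask: KnownBits, dangerous: u64) -> Verdict {
    let ones = mask.ones();
    if ones & !MODE_BITS != 0 {
        return Verdict::InvalidMask;
    }
    match ones & dangerous {
        0 => Verdict::Ok,
        bad => Verdict::Permissive(bad),
    }
}

fn main() {
    let mode_or_777 = Expr::Or(Box::new(Expr::Name), Box::new(Expr::Int(0o777)));
    println!("{:?}", classify(eval(&mode_or_777), DANGEROUS_STABLE));
    let and_700 = Expr::And(Box::new(Expr::Int(0o777777)), Box::new(Expr::Int(0o700)));
    println!("{:?}", classify(eval(&and_700), DANGEROUS_STABLE));
}
```

The point of tracking known-0 bits separately from known-1 bits is the `&` case: `0o777777 & 0o700` clears every bit outside `0o700`, so nothing outside `0o7777` is known to be set and no "invalid mask" is reported, while `0o777777` on its own still is. Widening to `u64` keeps the whole literal in range instead of overflowing a `u16`.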