ruff: enable S324 (hashlib insecure hash functions)

Adds usedforsecurity=False to all hashlib.md5() calls, documenting
that these are used for file checksum comparison, not security.
The production call in _path_matches_checksum will be replaced with
compute_checksum() (SHA-256) in a separate branch.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

pyproject.toml

@@ -189,6 +189,7 @@ extend-select = [
   "COM",  # https://docs.astral.sh/ruff/rules/#flake8-commas-com
   "DTZ",  # https://docs.astral.sh/ruff/rules/#flake8-datetimez-dtz
   "PERF", # https://docs.astral.sh/ruff/rules/#perflint-perf
+  "S324", # https://docs.astral.sh/ruff/rules/hashlib-insecure-hash-functions/
   "DJ",   # https://docs.astral.sh/ruff/rules/#flake8-django-dj
   "EXE",  # https://docs.astral.sh/ruff/rules/#flake8-executable-exe
   "FBT",  # https://docs.astral.sh/ruff/rules/#flake8-boolean-trap-fbt

src/documents/signals/handlers.py

@@ -411,7 +411,7 @@ def _path_matches_checksum(path: Path, checksum: str | None) -> bool:
         return False
 
     with path.open("rb") as f:
-        return hashlib.md5(f.read()).hexdigest() == checksum
+        return hashlib.md5(f.read(), usedforsecurity=False).hexdigest() == checksum
 
 
 def _filename_template_uses_custom_fields(doc: Document) -> bool:

src/documents/tests/test_file_handling.py

@@ -220,8 +220,11 @@ class TestFileHandling(DirectoriesMixin, FileSystemAssertsMixin, TestCase):
         doc = Document.objects.create(
             title="document",
             mime_type="application/pdf",
-            checksum=hashlib.md5(original_bytes).hexdigest(),
-            archive_checksum=hashlib.md5(archive_bytes).hexdigest(),
+            checksum=hashlib.md5(original_bytes, usedforsecurity=False).hexdigest(),
+            archive_checksum=hashlib.md5(
+                archive_bytes,
+                usedforsecurity=False,
+            ).hexdigest(),
             filename="old/document.pdf",
             archive_filename="old/document.pdf",
             storage_path=old_storage_path,