Document trusted patterns for semgrep

[matthewp]

Changes

• Adds narrow nosemgrep annotations where the flagged patterns are generated by Astro or framework internals rather than untrusted input.
• Leaves runtime behavior unchanged while making future Semgrep runs easier to review across Astro and the affected integrations.

Testing

• Installed dependencies in a fresh worktree to validate the split branch in isolation.
• Ran Biome against the touched source files and changeset to confirm the branch stays formatted and lint-clean.

Docs

• No docs update needed, because this only documents internal scan expectations.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8bf17f2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codspeed-hq]

Merging this PR will not alter performance

✅ 18 untouched benchmarks

---

_{Comparing semgrep-trusted-patterns (8bf17f2) with main (a002540)¹}

Footnotes

1. No successful run was found on main (32b361d) during the generation of this report, so a002540 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩