diff --git a/app/api/routes.py b/app/api/routes.py
index 7e3499d..a77234b 100644
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -565,7 +565,7 @@ def is_trusted_proxy() -> bool:
 Result is cached per-request in Flask's g object for efficiency.
 """
 if hasattr(g, "_trusted_proxy"):
- return g._trusted_proxy
+ return bool(g._trusted_proxy)
 expected = current_app.config.get("TRUSTED_PROXY_SECRET", "")
 if not expected:
@@ -573,7 +573,7 @@ def is_trusted_proxy() -> bool:
 return True
 provided = request.headers.get("X-Proxy-Secret", "")
 g._trusted_proxy = hmac.compare_digest(expected, provided)
- return g._trusted_proxy
+ return bool(g._trusted_proxy)
 def get_client_fingerprint() -> str | None:
diff --git a/tests/security/cli_security_audit.py b/tests/security/cli_security_audit.py
index d405b92..5583981 100644
--- a/tests/security/cli_security_audit.py
+++ b/tests/security/cli_security_audit.py
@@ -47,7 +47,7 @@ def test_trusted_path_validation():
 ]
 for path, expected, desc in trusted_tests + untrusted_tests:
- result = is_trusted_clipboard_path(path)
+ result = is_trusted_clipboard_path(path) # type: ignore[operator]
 status = "PASS" if result == expected else "FAIL"
 results.append((status, desc, path, expected, result))
 print(f" {status}: {desc}")
@@ -76,7 +76,7 @@ def test_path_injection():
 os.environ["PATH"] = f"/tmp:{original_path}" # noqa: S108
 # Try to find clipboard command
- cmd = find_clipboard_command(CLIPBOARD_READ_COMMANDS)
+ cmd = find_clipboard_command(CLIPBOARD_READ_COMMANDS) # type: ignore[operator]
 # Restore PATH
 os.environ["PATH"] = original_path
@@ -159,7 +159,7 @@ def test_config_permissions():
 stderr_capture = io.StringIO()
 with redirect_stderr(stderr_capture):
- check_config_permissions(config_path)
+ check_config_permissions(config_path) # type: ignore[operator]
 warning = stderr_capture.getvalue()
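Review bot: `is_trusted_proxy()` in app/api/routes.py treats every request as proxy-authenticated when `TRUSTED_PROXY_SECRET` is unset: the `if not expected:` branch that closes the first hunk resumes in the second hunk with `return True` (the line between the two hunks is not shown). The `bool(...)` casts leave that fail-open default untouched, and the visible part of the docstring does not mention it. If it is intentional for deployments without a proxy, say so in the docstring, e.g. `Returns True when TRUSTED_PROXY_SECRET is not configured (no proxy authentication is enforced).`; otherwise the branch should `return False` so a missing secret cannot silently widen trust. The function starts above the first hunk.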
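Review bot: `hmac.compare_digest(expected, provided)` in the second routes.py hunk compares two `str` values, and for `str` arguments that function accepts ASCII only and raises `TypeError` otherwise. `provided` is read straight from the `X-Proxy-Secret` request header, so a header value with non-ASCII characters would likely surface as an unhandled exception rather than a clean `False`. Comparing bytes removes that failure mode: `g._trusted_proxy = hmac.compare_digest(expected.encode(), provided.encode())`.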
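Review bot: The `# type: ignore[operator]` added to the `is_trusted_clipboard_path(path)` call in tests/security/cli_security_audit.py silences the checker at the call site instead of fixing how the name is typed; the same suppression is added to `find_clipboard_command(...)` and to both `check_config_permissions(config_path)` calls. An `operator` error on a call suggests mypy does not consider these names callable, presumably because of how they are imported or assigned earlier in the file, which is not visible here. If they can really be non-callable at run time, these security checks would stop with a `TypeError` instead of reporting a result, so a guard or a correctly typed import at the top of the file is safer than four per-line ignores. If the suppressions stay, a short comment stating why mypy cannot see the callable type would explain them.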
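Review bot: `test_path_injection()` restores `os.environ["PATH"]` only on the success path: if `find_clipboard_command(CLIPBOARD_READ_COMMANDS)` raises, the `/tmp`-prefixed PATH set just above the call stays in place for everything that runs later in the same process. Put the call in a `try:` block and move `os.environ["PATH"] = original_path` into its `finally:` clause so the restore always runs. The test body starts and ends outside the hunk.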
@@ -173,7 +173,7 @@ def test_config_permissions():
 config_path.chmod(0o600)
 stderr_capture = io.StringIO()
 with redirect_stderr(stderr_capture):
- check_config_permissions(config_path)
+ check_config_permissions(config_path) # type: ignore[operator]
 warning = stderr_capture.getvalue()
 if not warning:
diff --git a/tests/security/dos_memory_test.py b/tests/security/dos_memory_test.py
index bf27e25..5b5e9ad 100644
--- a/tests/security/dos_memory_test.py
+++ b/tests/security/dos_memory_test.py
@@ -175,7 +175,7 @@ def test_concurrent_memory_pressure():
 reset_rate_limits()
 errors = []
- def make_requests(thread_id: int):
+ def make_requests(thread_id: int) -> None:
 # Each thread needs its own app context
 with app.app_context():
 try:
diff --git a/tests/security/pentest_session.py b/tests/security/pentest_session.py
index 5c03b29..0b86f57 100644
--- a/tests/security/pentest_session.py
+++ b/tests/security/pentest_session.py
@@ -9,6 +9,7 @@ import time
 import urllib.error
 import urllib.request
 from concurrent.futures import ThreadPoolExecutor, as_completed
+from typing import Any
 BASE_URL = "http://127.0.0.1:5099"
@@ -65,9 +66,9 @@ def random_content(size=1024):
 return os.urandom(size)
-def run_tests():
+def run_tests() -> dict[str, Any]:
 """Run comprehensive pentest suite."""
- results = {"passed": 0, "failed": 0, "tests": []}
+ results: dict[str, Any] = {"passed": 0, "failed": 0, "tests": []}
 paste_ids = []
 def log_test(name, passed, details=""):
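Review bot: The nested `log_test(name, passed, details="")` at the end of the second pentest_session.py hunk is still unannotated, so under mypy's default settings its body is not type-checked and the new annotation on `results` has little effect there. Annotating it, e.g. `def log_test(name: str, passed: bool, details: str = "") -> None:` (parameter types inferred from the names and the default, to be confirmed against the body), would extend checking to the code that presumably updates `results`. `dict[str, Any]` also hides the fixed shape of the mapping (`"passed"`, `"failed"`, `"tests"`); a `TypedDict` would keep the two counters typed as `int`. The bodies of `run_tests` and `log_test` continue outside the hunk.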