feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/marketplace/exceptions.py

@@ -110,7 +110,7 @@ class LetzshopClientError(MarketplaceException):
         self.response = response
 
 
-class LetzshopAuthenticationError(LetzshopClientError):  # noqa: MOD-025
+class LetzshopAuthenticationError(LetzshopClientError):  # noqa: MOD025
     """Raised when Letzshop authentication fails."""
 
     def __init__(self, message: str = "Letzshop authentication failed"):
@@ -118,7 +118,7 @@ class LetzshopAuthenticationError(LetzshopClientError):  # noqa: MOD-025
         self.error_code = "LETZSHOP_AUTHENTICATION_FAILED"
 
 
-class LetzshopCredentialsNotFoundException(ResourceNotFoundException):  # noqa: MOD-025
+class LetzshopCredentialsNotFoundException(ResourceNotFoundException):  # noqa: MOD025
     """Raised when Letzshop credentials not found for store."""
 
     def __init__(self, store_id: int):
@@ -130,7 +130,7 @@ class LetzshopCredentialsNotFoundException(ResourceNotFoundException):  # noqa:
         self.store_id = store_id
 
 
-class LetzshopConnectionFailedException(BusinessLogicException):  # noqa: MOD-025
+class LetzshopConnectionFailedException(BusinessLogicException):  # noqa: MOD025
     """Raised when Letzshop API connection test fails."""
 
     def __init__(self, error_message: str):
@@ -158,7 +158,7 @@ class ImportJobNotFoundException(ResourceNotFoundException):
         )
 
 
-class HistoricalImportJobNotFoundException(ResourceNotFoundException):  # noqa: MOD-025
+class HistoricalImportJobNotFoundException(ResourceNotFoundException):  # noqa: MOD025
     """Raised when a historical import job is not found."""
 
     def __init__(self, job_id: int):
@@ -184,7 +184,7 @@ class ImportJobNotOwnedException(AuthorizationException):
         )
 
 
-class ImportJobCannotBeCancelledException(BusinessLogicException):  # noqa: MOD-025
+class ImportJobCannotBeCancelledException(BusinessLogicException):  # noqa: MOD025
     """Raised when trying to cancel job that cannot be cancelled."""
 
     def __init__(self, job_id: int, current_status: str):
@@ -198,7 +198,7 @@ class ImportJobCannotBeCancelledException(BusinessLogicException):  # noqa: MOD-
         )
 
 
-class ImportJobCannotBeDeletedException(BusinessLogicException):  # noqa: MOD-025
+class ImportJobCannotBeDeletedException(BusinessLogicException):  # noqa: MOD025
     """Raised when trying to delete job that cannot be deleted."""
 
     def __init__(self, job_id: int, current_status: str):
@@ -212,7 +212,7 @@ class ImportJobCannotBeDeletedException(BusinessLogicException):  # noqa: MOD-02
         )
 
 
-class ImportJobAlreadyProcessingException(BusinessLogicException):  # noqa: MOD-025
+class ImportJobAlreadyProcessingException(BusinessLogicException):  # noqa: MOD025
     """Raised when trying to start import while another is already processing."""
 
     def __init__(self, store_code: str, existing_job_id: int):
@@ -238,7 +238,7 @@ class ImportValidationError(MarketplaceException):
         self.errors = errors or []
 
 
-class InvalidImportDataException(ValidationException):  # noqa: MOD-025
+class InvalidImportDataException(ValidationException):  # noqa: MOD025
     """Raised when import data is invalid."""
 
     def __init__(
@@ -262,7 +262,7 @@ class InvalidImportDataException(ValidationException):  # noqa: MOD-025
         self.error_code = "INVALID_IMPORT_DATA"
 
 
-class ImportRateLimitException(BusinessLogicException):  # noqa: MOD-025
+class ImportRateLimitException(BusinessLogicException):  # noqa: MOD025
     """Raised when import rate limit is exceeded."""
 
     def __init__(
@@ -291,7 +291,7 @@ class ImportRateLimitException(BusinessLogicException):  # noqa: MOD-025
 # =============================================================================
 
 
-class MarketplaceImportException(BusinessLogicException):  # noqa: MOD-025
+class MarketplaceImportException(BusinessLogicException):  # noqa: MOD025
     """Base exception for marketplace import operations."""
 
     def __init__(
@@ -314,7 +314,7 @@ class MarketplaceImportException(BusinessLogicException):  # noqa: MOD-025
         )
 
 
-class MarketplaceConnectionException(ExternalServiceException):  # noqa: MOD-025
+class MarketplaceConnectionException(ExternalServiceException):  # noqa: MOD025
     """Raised when marketplace connection fails."""
 
     def __init__(
@@ -327,7 +327,7 @@ class MarketplaceConnectionException(ExternalServiceException):  # noqa: MOD-025
         )
 
 
-class MarketplaceDataParsingException(ValidationException):  # noqa: MOD-025
+class MarketplaceDataParsingException(ValidationException):  # noqa: MOD025
     """Raised when marketplace data cannot be parsed."""
 
     def __init__(
@@ -347,7 +347,7 @@ class MarketplaceDataParsingException(ValidationException):  # noqa: MOD-025
         self.error_code = "MARKETPLACE_DATA_PARSING_FAILED"
 
 
-class InvalidMarketplaceException(ValidationException):  # noqa: MOD-025
+class InvalidMarketplaceException(ValidationException):  # noqa: MOD025
     """Raised when marketplace is not supported."""
 
     def __init__(self, marketplace: str, supported_marketplaces: list | None = None):
@@ -451,7 +451,7 @@ class MarketplaceProductValidationException(ValidationException):
         self.error_code = "PRODUCT_VALIDATION_FAILED"
 
 
-class InvalidGTINException(ValidationException):  # noqa: MOD-025
+class InvalidGTINException(ValidationException):  # noqa: MOD025
     """Raised when GTIN format is invalid."""
 
     def __init__(self, gtin: str, message: str = "Invalid GTIN format"):
@@ -463,7 +463,7 @@ class InvalidGTINException(ValidationException):  # noqa: MOD-025
         self.error_code = "INVALID_GTIN"
 
 
-class MarketplaceProductCSVImportException(BusinessLogicException):  # noqa: MOD-025
+class MarketplaceProductCSVImportException(BusinessLogicException):  # noqa: MOD025
     """Raised when product CSV import fails."""
 
     def __init__(
@@ -490,7 +490,7 @@ class MarketplaceProductCSVImportException(BusinessLogicException):  # noqa: MOD
 # =============================================================================
 
 
-class ExportError(MarketplaceException):  # noqa: MOD-025
+class ExportError(MarketplaceException):  # noqa: MOD025
     """Raised when product export fails."""
 
     def __init__(self, message: str, language: str | None = None):

app/modules/marketplace/schemas/marketplace_import_job.py

@@ -25,8 +25,8 @@ class MarketplaceImportJobRequest(BaseModel):
     @field_validator("source_url")
     @classmethod
     def validate_url(cls, v):
-        if not v.startswith(("http://", "https://")):  # SEC-034
-            raise ValueError("URL must start with http:// or https://")  # SEC-034
+        if not v.startswith(("http://", "https://")):  # noqa: SEC034
+            raise ValueError("URL must start with http:// or https://")  # noqa: SEC034
         return v.strip()
 
     @field_validator("marketplace")
@@ -64,8 +64,8 @@ class AdminMarketplaceImportJobRequest(BaseModel):
     @field_validator("source_url")
     @classmethod
     def validate_url(cls, v):
-        if not v.startswith(("http://", "https://")):  # SEC-034
-            raise ValueError("URL must start with http:// or https://")  # SEC-034
+        if not v.startswith(("http://", "https://")):  # noqa: SEC034
+            raise ValueError("URL must start with http:// or https://")  # noqa: SEC034
         return v.strip()
 
     @field_validator("marketplace")

app/modules/marketplace/services/letzshop/store_sync_service.py

@@ -467,7 +467,7 @@ class LetzshopStoreSyncService:
             .first()
         )
         if existing:
-            store_code = f"{store_code[:16]}_{random.randint(100, 999)}"
+            store_code = f"{store_code[:16]}_{random.randint(100, 999)}"  # noqa: SEC042
 
         # Generate subdomain from slug
         subdomain = letzshop_slug.lower().replace("_", "-")[:30]
@@ -477,7 +477,7 @@ class LetzshopStoreSyncService:
             .first()
         )
         if existing_subdomain:
-            subdomain = f"{subdomain[:26]}-{random.randint(100, 999)}"
+            subdomain = f"{subdomain[:26]}-{random.randint(100, 999)}"  # noqa: SEC042
 
         # Create store data from cache
         address = f"{cache_entry.street or ''} {cache_entry.street_number or ''}".strip()

app/modules/marketplace/services/platform_signup_service.py

@@ -540,7 +540,7 @@ class PlatformSignupService:
 
             logger.info(f"Welcome email sent to {user.email}")
 
-        except Exception as e:  # noqa: EXC-003
+        except Exception as e:  # noqa: EXC003
             # Log error but don't fail signup
             logger.error(f"Failed to send welcome email to {user.email}: {e}")
 

app/modules/marketplace/tests/unit/test_import_job_schema.py

@@ -33,7 +33,7 @@ class TestMarketplaceImportJobRequestSchema:
         assert "source_url" in str(exc_info.value).lower()
 
     def test_source_url_must_be_http_or_https(self):
-        """Test source_url must start with http:// or https://."""
+        """Test source_url must start with http:// or https://."""  # noqa: SEC034
         with pytest.raises(ValidationError) as exc_info:
             MarketplaceImportJobRequest(
                 source_url="ftp://example.com/products.csv",
@@ -41,7 +41,7 @@ class TestMarketplaceImportJobRequestSchema:
         assert "url" in str(exc_info.value).lower()
 
     def test_source_url_http_is_valid(self):
-        """Test http:// URLs are valid."""
+        """Test http:// URLs are valid."""  # noqa: SEC034
         request = MarketplaceImportJobRequest(
             source_url="http://example.com/products.csv",
         )

app/modules/marketplace/tests/unit/test_letzshop_service.py

@@ -36,7 +36,7 @@ class TestEncryptionService:
 
     def test_encrypt_and_decrypt(self):
         """Test basic encryption and decryption."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
         original = "my-secret-api-key"
 
         encrypted = service.encrypt(original)
@@ -47,28 +47,28 @@ class TestEncryptionService:
 
     def test_encrypt_empty_string_fails(self):
         """Test that encrypting empty string raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.encrypt("")
 
     def test_decrypt_empty_string_fails(self):
         """Test that decrypting empty string raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.decrypt("")
 
     def test_decrypt_invalid_ciphertext_fails(self):
         """Test that decrypting invalid ciphertext raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.decrypt("invalid-ciphertext")
 
     def test_is_valid_ciphertext(self):
         """Test ciphertext validation."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
         encrypted = service.encrypt("test-value")
 
         assert service.is_valid_ciphertext(encrypted) is True
@@ -76,8 +76,8 @@ class TestEncryptionService:
 
     def test_different_keys_produce_different_results(self):
         """Test that different keys produce different encryptions."""
-        service1 = EncryptionService(secret_key="key-one-12345")
-        service2 = EncryptionService(secret_key="key-two-12345")
+        service1 = EncryptionService(secret_key="key-one-12345")  # noqa: SEC001
+        service2 = EncryptionService(secret_key="key-two-12345")  # noqa: SEC001
 
         original = "test-value"
         encrypted1 = service1.encrypt(original)
@@ -128,13 +128,13 @@ class TestLetzshopCredentialsService:
 
         credentials = service.create_credentials(
             store_id=test_store.id,
-            api_key="test-api-key-12345",
+            api_key="test-api-key-12345",  # noqa: SEC001
             auto_sync_enabled=False,
             sync_interval_minutes=30,
         )
 
         assert credentials.store_id == test_store.id
-        assert credentials.api_key_encrypted != "test-api-key-12345"
+        assert credentials.api_key_encrypted != "test-api-key-12345"  # noqa: SEC001
         assert credentials.auto_sync_enabled is False
         assert credentials.sync_interval_minutes == 30
 
@@ -262,7 +262,7 @@ class TestLetzshopCredentialsService:
 
         service.create_credentials(
             store_id=test_store.id,
-            api_key="letzshop-api-key-12345",
+            api_key="letzshop-api-key-12345",  # noqa: SEC001
         )
 
         masked = service.get_masked_api_key(test_store.id)