feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/marketplace/tests/unit/test_import_job_schema.py

@@ -33,7 +33,7 @@ class TestMarketplaceImportJobRequestSchema:
         assert "source_url" in str(exc_info.value).lower()
 
     def test_source_url_must_be_http_or_https(self):
-        """Test source_url must start with http:// or https://."""
+        """Test source_url must start with http:// or https://."""  # noqa: SEC034
         with pytest.raises(ValidationError) as exc_info:
             MarketplaceImportJobRequest(
                 source_url="ftp://example.com/products.csv",
@@ -41,7 +41,7 @@ class TestMarketplaceImportJobRequestSchema:
         assert "url" in str(exc_info.value).lower()
 
     def test_source_url_http_is_valid(self):
-        """Test http:// URLs are valid."""
+        """Test http:// URLs are valid."""  # noqa: SEC034
         request = MarketplaceImportJobRequest(
             source_url="http://example.com/products.csv",
         )

app/modules/marketplace/tests/unit/test_letzshop_service.py

@@ -36,7 +36,7 @@ class TestEncryptionService:
 
     def test_encrypt_and_decrypt(self):
         """Test basic encryption and decryption."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
         original = "my-secret-api-key"
 
         encrypted = service.encrypt(original)
@@ -47,28 +47,28 @@ class TestEncryptionService:
 
     def test_encrypt_empty_string_fails(self):
         """Test that encrypting empty string raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.encrypt("")
 
     def test_decrypt_empty_string_fails(self):
         """Test that decrypting empty string raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.decrypt("")
 
     def test_decrypt_invalid_ciphertext_fails(self):
         """Test that decrypting invalid ciphertext raises error."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
 
         with pytest.raises(EncryptionError):
             service.decrypt("invalid-ciphertext")
 
     def test_is_valid_ciphertext(self):
         """Test ciphertext validation."""
-        service = EncryptionService(secret_key="test-secret-key-12345")
+        service = EncryptionService(secret_key="test-secret-key-12345")  # noqa: SEC001
         encrypted = service.encrypt("test-value")
 
         assert service.is_valid_ciphertext(encrypted) is True
@@ -76,8 +76,8 @@ class TestEncryptionService:
 
     def test_different_keys_produce_different_results(self):
         """Test that different keys produce different encryptions."""
-        service1 = EncryptionService(secret_key="key-one-12345")
-        service2 = EncryptionService(secret_key="key-two-12345")
+        service1 = EncryptionService(secret_key="key-one-12345")  # noqa: SEC001
+        service2 = EncryptionService(secret_key="key-two-12345")  # noqa: SEC001
 
         original = "test-value"
         encrypted1 = service1.encrypt(original)
@@ -128,13 +128,13 @@ class TestLetzshopCredentialsService:
 
         credentials = service.create_credentials(
             store_id=test_store.id,
-            api_key="test-api-key-12345",
+            api_key="test-api-key-12345",  # noqa: SEC001
             auto_sync_enabled=False,
             sync_interval_minutes=30,
         )
 
         assert credentials.store_id == test_store.id
-        assert credentials.api_key_encrypted != "test-api-key-12345"
+        assert credentials.api_key_encrypted != "test-api-key-12345"  # noqa: SEC001
         assert credentials.auto_sync_enabled is False
         assert credentials.sync_interval_minutes == 30
 
@@ -262,7 +262,7 @@ class TestLetzshopCredentialsService:
 
         service.create_credentials(
             store_id=test_store.id,
-            api_key="letzshop-api-key-12345",
+            api_key="letzshop-api-key-12345",  # noqa: SEC001
         )
 
         masked = service.get_masked_api_key(test_store.id)