feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/tenancy/tests/unit/test_admin_platform_service.py

@@ -255,7 +255,7 @@ class TestAdminPlatformServiceQueries:
         another_admin = User(
             email="another_padmin@example.com",
             username="another_padmin",
-            hashed_password=auth_manager.hash_password("pass"),  # noqa: SEC-001
+            hashed_password=auth_manager.hash_password("pass"),  # noqa: SEC001
             role="admin",
             is_active=True,
             is_super_admin=False,
@@ -342,7 +342,7 @@ class TestAdminPlatformServiceSuperAdmin:
         another_super = User(
             email="another_super@example.com",
             username="another_super",
-            hashed_password=auth_manager.hash_password("pass"),  # noqa: SEC-001
+            hashed_password=auth_manager.hash_password("pass"),  # noqa: SEC001
             role="admin",
             is_active=True,
             is_super_admin=True,
@@ -416,7 +416,7 @@ class TestAdminPlatformServiceCreatePlatformAdmin:
             db=db,
             email="new_padmin@example.com",
             username="new_padmin",
-            password="securepass123",  # noqa: SEC-001
+            password="securepass123",  # noqa: SEC001
             platform_ids=[test_platform.id, another_platform.id],
             created_by_user_id=test_super_admin.id,
             first_name="New",
@@ -444,7 +444,7 @@ class TestAdminPlatformServiceCreatePlatformAdmin:
                 db=db,
                 email=test_platform_admin.email,  # Duplicate
                 username="unique_username",
-                password="securepass123",  # noqa: SEC-001
+                password="securepass123",  # noqa: SEC001
                 platform_ids=[test_platform.id],
                 created_by_user_id=test_super_admin.id,
             )
@@ -461,7 +461,7 @@ class TestAdminPlatformServiceCreatePlatformAdmin:
                 db=db,
                 email="unique@example.com",
                 username=test_platform_admin.username,  # Duplicate
-                password="securepass123",  # noqa: SEC-001
+                password="securepass123",  # noqa: SEC001
                 platform_ids=[test_platform.id],
                 created_by_user_id=test_super_admin.id,
             )

app/modules/tenancy/tests/unit/test_store_team_service.py

@@ -87,7 +87,7 @@ def pending_invitation(db, team_store, test_user, auth_manager):
     new_user = User(
         email=f"pending_{unique_id}@example.com",
         username=f"pending_{unique_id}",
-        hashed_password=auth_manager.hash_password("temppass"),  # noqa: SEC-001
+        hashed_password=auth_manager.hash_password("temppass"),  # noqa: SEC001
         role="store",
         is_active=False,
     )
@@ -129,7 +129,7 @@ def expired_invitation(db, team_store, test_user, auth_manager):
     new_user = User(
         email=f"expired_{unique_id}@example.com",
         username=f"expired_{unique_id}",
-        hashed_password=auth_manager.hash_password("temppass"),  # noqa: SEC-001
+        hashed_password=auth_manager.hash_password("temppass"),  # noqa: SEC001
         role="store",
         is_active=False,
     )
@@ -186,7 +186,7 @@ class TestStoreTeamServiceAccept:
         result = store_team_service.accept_invitation(
             db=db,
             invitation_token=pending_invitation.invitation_token,
-            password="newpassword123",  # noqa: SEC-001
+            password="newpassword123",  # noqa: SEC001
             first_name="John",
             last_name="Doe",
         )
@@ -203,7 +203,7 @@ class TestStoreTeamServiceAccept:
             store_team_service.accept_invitation(
                 db=db,
                 invitation_token="invalid_token_12345",
-                password="password123",  # noqa: SEC-001
+                password="password123",  # noqa: SEC001
             )
 
     def test_accept_invitation_already_accepted(self, db, team_member):
@@ -213,7 +213,7 @@ class TestStoreTeamServiceAccept:
             store_team_service.accept_invitation(
                 db=db,
                 invitation_token="some_token",  # team_member has no token
-                password="password123",  # noqa: SEC-001
+                password="password123",  # noqa: SEC001
             )
 
     def test_accept_invitation_expired(self, db, expired_invitation):
@@ -222,7 +222,7 @@ class TestStoreTeamServiceAccept:
             store_team_service.accept_invitation(
                 db=db,
                 invitation_token=expired_invitation.invitation_token,
-                password="password123",  # noqa: SEC-001
+                password="password123",  # noqa: SEC001
             )
 
         assert "expired" in str(exc_info.value).lower()

app/modules/tenancy/tests/unit/test_user_model.py

@@ -17,7 +17,7 @@ class TestUserModel:
         user = User(
             email="db_test@example.com",
             username="dbtest",
-            hashed_password="hashed_password_123",  # noqa: SEC-001
+            hashed_password="hashed_password_123",  # noqa: SEC001
             role="user",
             is_active=True,
         )
@@ -39,7 +39,7 @@ class TestUserModel:
         user1 = User(
             email="unique@example.com",
             username="user1",
-            hashed_password="hash1",  # noqa: SEC-001
+            hashed_password="hash1",  # noqa: SEC001
         )
         db.add(user1)
         db.commit()
@@ -49,7 +49,7 @@ class TestUserModel:
             user2 = User(
                 email="unique@example.com",
                 username="user2",
-                hashed_password="hash2",  # noqa: SEC-001
+                hashed_password="hash2",  # noqa: SEC001
             )
             db.add(user2)
             db.commit()
@@ -59,7 +59,7 @@ class TestUserModel:
         user1 = User(
             email="user1@example.com",
             username="sameusername",
-            hashed_password="hash1",  # noqa: SEC-001
+            hashed_password="hash1",  # noqa: SEC001
         )
         db.add(user1)
         db.commit()
@@ -69,7 +69,7 @@ class TestUserModel:
             user2 = User(
                 email="user2@example.com",
                 username="sameusername",
-                hashed_password="hash2",  # noqa: SEC-001
+                hashed_password="hash2",  # noqa: SEC001
             )
             db.add(user2)
             db.commit()
@@ -79,7 +79,7 @@ class TestUserModel:
         user = User(
             email="defaults@example.com",
             username="defaultuser",
-            hashed_password="hash",  # noqa: SEC-001
+            hashed_password="hash",  # noqa: SEC001
         )
         db.add(user)
         db.commit()
@@ -93,7 +93,7 @@ class TestUserModel:
         user = User(
             email="optional@example.com",
             username="optionaluser",
-            hashed_password="hash",  # noqa: SEC-001
+            hashed_password="hash",  # noqa: SEC001
             first_name="John",
             last_name="Doe",
         )