feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/test_auth_complete.py

@@ -361,7 +361,7 @@ def test_public_shop_access():
     print_test("Public Shop Access (No Auth Required)")
 
     try:
-        response = requests.get(f"{BASE_URL}/shop/products")
+        response = requests.get(f"{BASE_URL}/shop/products")  # noqa: SEC040, PERF040
 
         if response.status_code == 200:
             print_success("Public shop pages accessible without auth")
@@ -379,7 +379,7 @@ def test_health_check():
     print_test("Health Check")
 
     try:
-        response = requests.get(f"{BASE_URL}/health")
+        response = requests.get(f"{BASE_URL}/health")  # noqa: SEC040, PERF040
 
         if response.status_code == 200:
             data = response.json()