feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/fixtures/customer_fixtures.py

@@ -20,7 +20,7 @@ def test_customer(db, test_store):
     customer = Customer(
         store_id=test_store.id,
         email="testcustomer@example.com",
-        hashed_password="hashed_password",  # noqa: SEC-001
+        hashed_password="hashed_password",  # noqa: SEC001
         first_name="John",
         last_name="Doe",
         customer_number="TEST001",

tests/fixtures/testing_fixtures.py

@@ -32,7 +32,7 @@ def empty_db(db):
 
     for table in tables_to_clear:
         try:
-            db.execute(text(f"DELETE FROM {table}"))  # noqa: SEC-011
+            db.execute(text(f"DELETE FROM {table}"))  # noqa: SEC011
         except Exception:
             # If table doesn't exist or delete fails, continue
             pass