feat(validators): add noqa suppression support to security and performance validators

- Add centralized _is_noqa_suppressed() to BaseValidator with normalization
  (accepts both SEC001 and SEC-001 formats for ruff compatibility)
- Wire noqa support into all 21 security and 18 performance check functions
- Add ruff external config for SEC/PERF/MOD/EXC codes in pyproject.toml
- Convert all 280 Python noqa comments to dashless format (ruff-compatible)
- Add site/ to IGNORE_PATTERNS (excludes mkdocs build output)
- Suppress 152 false positive findings (test passwords, seed data, validator
  self-references, Apple Wallet SHA1, etc.)
- Security: 79 errors → 0, 60 warnings → 0
- Performance: 80 warnings → 77 (3 test script suppressions)
- Add proposal doc with noqa inventory and remaining findings recommendations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/unit/middleware/test_store_context.py

@@ -438,7 +438,7 @@ class TestStoreContextManager:
     def test_extract_store_from_referer_subdomain(self):
         """Test extracting store from referer with subdomain."""
         request = Mock(spec=Request)
-        request.headers = {"referer": "http://orion.platform.com/storefront/products"}
+        request.headers = {"referer": "http://orion.platform.com/storefront/products"}  # noqa: SEC034
 
         with patch("middleware.store_context.settings") as mock_settings:
             mock_settings.platform_domain = "platform.com"
@@ -453,7 +453,7 @@ class TestStoreContextManager:
     def test_extract_store_from_referer_custom_domain(self):
         """Test extracting store from referer with custom domain."""
         request = Mock(spec=Request)
-        request.headers = {"referer": "http://my-custom-shop.com/storefront/products"}
+        request.headers = {"referer": "http://my-custom-shop.com/storefront/products"}  # noqa: SEC034
 
         with patch("middleware.store_context.settings") as mock_settings:
             mock_settings.platform_domain = "platform.com"
@@ -487,7 +487,7 @@ class TestStoreContextManager:
     def test_extract_store_from_referer_ignores_admin_subdomain(self):
         """Test that admin subdomain is not extracted from referer."""
         request = Mock(spec=Request)
-        request.headers = {"referer": "http://admin.platform.com/dashboard"}
+        request.headers = {"referer": "http://admin.platform.com/dashboard"}  # noqa: SEC034
 
         with patch("middleware.store_context.settings") as mock_settings:
             mock_settings.platform_domain = "platform.com"
@@ -500,7 +500,7 @@ class TestStoreContextManager:
     def test_extract_store_from_referer_ignores_www_subdomain(self):
         """Test that www subdomain is not extracted from referer."""
         request = Mock(spec=Request)
-        request.headers = {"referer": "http://www.platform.com/storefront"}
+        request.headers = {"referer": "http://www.platform.com/storefront"}  # noqa: SEC034
 
         with patch("middleware.store_context.settings") as mock_settings:
             mock_settings.platform_domain = "platform.com"

tests/unit/models/schema/test_auth.py

@@ -21,16 +21,16 @@ class TestUserLoginSchema:
         """Test valid login data."""
         login = UserLogin(
             email_or_username="testuser",
-            password="password123",  # noqa: SEC-001
+            password="password123",  # noqa: SEC001
         )
         assert login.email_or_username == "testuser"
-        assert login.password == "password123"  # noqa: SEC-001
+        assert login.password == "password123"  # noqa: SEC001
 
     def test_login_with_email(self):
         """Test login with email."""
         login = UserLogin(
             email_or_username="test@example.com",
-            password="password123",  # noqa: SEC-001
+            password="password123",  # noqa: SEC001
         )
         assert login.email_or_username == "test@example.com"
 
@@ -38,7 +38,7 @@ class TestUserLoginSchema:
         """Test login with optional store code."""
         login = UserLogin(
             email_or_username="testuser",
-            password="password123",  # noqa: SEC-001
+            password="password123",  # noqa: SEC001
             store_code="STORE001",
         )
         assert login.store_code == "STORE001"
@@ -47,7 +47,7 @@ class TestUserLoginSchema:
         """Test email_or_username is stripped of whitespace."""
         login = UserLogin(
             email_or_username="  testuser  ",
-            password="password123",  # noqa: SEC-001
+            password="password123",  # noqa: SEC001
         )
         assert login.email_or_username == "testuser"
 
@@ -62,7 +62,7 @@ class TestUserCreateSchema:
         user = UserCreate(
             email="admin@example.com",
             username="adminuser",
-            password="securepass",  # noqa: SEC-001
+            password="securepass",  # noqa: SEC001
             first_name="Admin",
             last_name="User",
             role="admin",
@@ -75,7 +75,7 @@ class TestUserCreateSchema:
         user = UserCreate(
             email="store@example.com",
             username="storeuser",
-            password="securepass",  # noqa: SEC-001
+            password="securepass",  # noqa: SEC001
         )
         assert user.role == "store"
 
@@ -85,7 +85,7 @@ class TestUserCreateSchema:
             UserCreate(
                 email="test@example.com",
                 username="testuser",
-                password="securepass",  # noqa: SEC-001
+                password="securepass",  # noqa: SEC001
                 role="superadmin",
             )
         assert "role" in str(exc_info.value).lower()
@@ -96,7 +96,7 @@ class TestUserCreateSchema:
             UserCreate(
                 email="test@example.com",
                 username="ab",
-                password="securepass",  # noqa: SEC-001
+                password="securepass",  # noqa: SEC001
             )
         assert "username" in str(exc_info.value).lower()
 
@@ -106,7 +106,7 @@ class TestUserCreateSchema:
             UserCreate(
                 email="test@example.com",
                 username="testuser",
-                password="12345",  # noqa: SEC-001
+                password="12345",  # noqa: SEC001
             )
         assert "password" in str(exc_info.value).lower()
 

tests/unit/services/test_auth_service.py

@@ -23,7 +23,7 @@ class TestAuthService:
     def test_login_user_success(self, db, test_user):
         """Test successful user login."""
         user_credentials = UserLogin(
-            email_or_username=test_user.username, password="testpass123"  # noqa: SEC-001
+            email_or_username=test_user.username, password="testpass123"  # noqa: SEC001
         )
 
         result = self.service.login_user(db, user_credentials)
@@ -39,7 +39,7 @@ class TestAuthService:
     def test_login_user_with_email(self, db, test_user):
         """Test login with email instead of username."""
         user_credentials = UserLogin(
-            email_or_username=test_user.email, password="testpass123"  # noqa: SEC-001
+            email_or_username=test_user.email, password="testpass123"  # noqa: SEC001
         )
 
         result = self.service.login_user(db, user_credentials)
@@ -50,7 +50,7 @@ class TestAuthService:
     def test_login_user_wrong_username(self, db):
         """Test login fails with wrong username."""
         user_credentials = UserLogin(
-            email_or_username="nonexistentuser", password="testpass123"  # noqa: SEC-001
+            email_or_username="nonexistentuser", password="testpass123"  # noqa: SEC001
         )
 
         with pytest.raises(InvalidCredentialsException) as exc_info:
@@ -64,7 +64,7 @@ class TestAuthService:
     def test_login_user_wrong_password(self, db, test_user):
         """Test login fails with wrong password."""
         user_credentials = UserLogin(
-            email_or_username=test_user.username, password="wrongpassword"  # noqa: SEC-001
+            email_or_username=test_user.username, password="wrongpassword"  # noqa: SEC001
         )
 
         with pytest.raises(InvalidCredentialsException) as exc_info:
@@ -85,7 +85,7 @@ class TestAuthService:
         db.commit()
 
         user_credentials = UserLogin(
-            email_or_username=test_user.username, password="testpass123"  # noqa: SEC-001
+            email_or_username=test_user.username, password="testpass123"  # noqa: SEC001
         )
 
         with pytest.raises(UserNotActiveException) as exc_info:
@@ -102,7 +102,7 @@ class TestAuthService:
 
     def test_hash_password(self):
         """Test password hashing."""
-        password = "testpassword123"  # noqa: SEC-001
+        password = "testpassword123"  # noqa: SEC001
         hashed = self.service.hash_password(password)
 
         assert hashed != password
@@ -111,7 +111,7 @@ class TestAuthService:
 
     def test_hash_password_different_results(self):
         """Test that hashing same password produces different hashes (salt)."""
-        password = "testpassword123"  # noqa: SEC-001
+        password = "testpassword123"  # noqa: SEC001
         hash1 = self.service.hash_password(password)
         hash2 = self.service.hash_password(password)
 

tests/unit/services/test_marketplace_service.py

@@ -376,7 +376,7 @@ class TestMarketplaceImportJobSchema:
                 source_url="ftp://example.com/products.csv",
             )
 
-        assert "URL must start with http://" in str(exc_info.value)
+        assert "URL must start with http://" in str(exc_info.value)  # noqa: SEC034
 
     def test_url_with_trailing_slash(self):
         """Test URL with trailing slash is accepted."""