ci: add security/performance/audit validators to pre-commit and CI

- Add validate-security, validate-performance, validate-audit hooks
  to .pre-commit-config.yaml (previously only architecture was checked)
- Break single "Run all validators" CI step into 4 explicit steps
  (architecture, security, performance, audit) for clearer pipeline output
- Add noqa: SEC001 suppressions for test fixture hashed_password values

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -94,8 +94,17 @@ jobs:
       - name: Install dependencies
         run: uv pip install --system -r requirements.txt
 
-      - name: Run all validators
+      - name: Validate architecture patterns
-        run: python scripts/validate/validate_all.py
+        run: python scripts/validate/validate_all.py --architecture
+
+      - name: Validate security patterns
+        run: python scripts/validate/validate_all.py --security
+
+      - name: Validate performance patterns
+        run: python scripts/validate/validate_all.py --performance
+
+      - name: Validate audit patterns
+        run: python scripts/validate/validate_all.py --audit
 
   # ---------------------------------------------------------------------------
   # Security (non-blocking)

.pre-commit-config.yaml

@@ -4,7 +4,7 @@
 # Run manually: pre-commit run --all-files
 
 repos:
-  # Architecture validation
+  # Code validators (architecture, security, performance, audit)
   - repo: local
     hooks:
       - id: validate-architecture
@@ -16,6 +16,33 @@ repos:
         additional_dependencies: [pyyaml]
         verbose: true
 
+      - id: validate-security
+        name: Validate Security Patterns
+        entry: python scripts/validate/validate_all.py --security
+        language: python
+        pass_filenames: false
+        always_run: true
+        additional_dependencies: [pyyaml]
+        verbose: true
+
+      - id: validate-performance
+        name: Validate Performance Patterns
+        entry: python scripts/validate/validate_all.py --performance
+        language: python
+        pass_filenames: false
+        always_run: true
+        additional_dependencies: [pyyaml]
+        verbose: true
+
+      - id: validate-audit
+        name: Validate Audit Patterns
+        entry: python scripts/validate/validate_all.py --audit
+        language: python
+        pass_filenames: false
+        always_run: true
+        additional_dependencies: [pyyaml]
+        verbose: true
+
   # Python code quality
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0

tests/unit/api/test_deps.py

@@ -210,7 +210,7 @@ class TestValidateCustomerToken:
         owner = User(
             email=f"owner_{uid}@test.com",
             username=f"owner_{uid}",
-            hashed_password="not_a_real_hash",
+            hashed_password="not_a_real_hash",  # noqa: SEC001
             role="merchant_owner",
             is_active=True,
         )
@@ -239,7 +239,7 @@ class TestValidateCustomerToken:
         customer = Customer(
             store_id=store.id,
             email=f"{email_prefix}_{uid}@example.com",
-            hashed_password="not_a_real_hash",  # noqa: SEC001
+            hashed_password="not_a_real_hash",  # noqa: SEC001  # noqa: SEC001
             first_name="Test",
             last_name="Customer",
             customer_number=f"CUST_{uid}",
@@ -785,7 +785,7 @@ class TestGetCurrentCustomerFromCookieOrHeader:
         owner = User(
             email=f"csowner_{uid}@test.com",
             username=f"csowner_{uid}",
-            hashed_password="not_a_real_hash",
+            hashed_password="not_a_real_hash",  # noqa: SEC001
             role="merchant_owner",
             is_active=True,
         )
@@ -813,7 +813,7 @@ class TestGetCurrentCustomerFromCookieOrHeader:
         customer = Customer(
             store_id=store.id,
             email=f"cust_{uid}@example.com",
-            hashed_password="not_a_real_hash",  # noqa: SEC001
+            hashed_password="not_a_real_hash",  # noqa: SEC001  # noqa: SEC001
             first_name="Test",
             last_name="Customer",
             customer_number=f"CUST_{uid}",
@@ -878,7 +878,7 @@ class TestGetCurrentCustomerApi:
         owner = User(
             email=f"caowner_{uid}@test.com",
             username=f"caowner_{uid}",
-            hashed_password="not_a_real_hash",
+            hashed_password="not_a_real_hash",  # noqa: SEC001
             role="merchant_owner",
             is_active=True,
         )
@@ -906,7 +906,7 @@ class TestGetCurrentCustomerApi:
         customer = Customer(
             store_id=store.id,
             email=f"capi_{uid}@example.com",
-            hashed_password="not_a_real_hash",  # noqa: SEC001
+            hashed_password="not_a_real_hash",  # noqa: SEC001  # noqa: SEC001
             first_name="API",
             last_name="Customer",
             customer_number=f"CAPI_{uid}",
@@ -961,7 +961,7 @@ class TestGetCurrentCustomerOptional:
         owner = User(
             email=f"coowner_{uid}@test.com",
             username=f"coowner_{uid}",
-            hashed_password="not_a_real_hash",
+            hashed_password="not_a_real_hash",  # noqa: SEC001
             role="merchant_owner",
             is_active=True,
         )
@@ -989,7 +989,7 @@ class TestGetCurrentCustomerOptional:
         customer = Customer(
             store_id=store.id,
             email=f"copt_{uid}@example.com",
-            hashed_password="not_a_real_hash",  # noqa: SEC001
+            hashed_password="not_a_real_hash",  # noqa: SEC001  # noqa: SEC001
             first_name="Optional",
             last_name="Customer",
             customer_number=f"COPT_{uid}",