refactor: modernize code quality tooling with Ruff

- Replace black, isort, and flake8 with Ruff (all-in-one linter and formatter)
- Add comprehensive pyproject.toml configuration
- Simplify Makefile code quality targets
- Configure exclusions for venv/.venv in pyproject.toml
- Auto-fix 1,359 linting issues across codebase

Benefits:
- Much faster builds (Ruff is written in Rust)
- Single tool replaces multiple tools
- More comprehensive rule set (UP, B, C4, SIM, PIE, RET, Q)
- All configuration centralized in pyproject.toml
- Better import sorting and formatting consistency

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/integration/api/v1/vendor/test_authentication.py

@@ -10,7 +10,7 @@ These tests verify that:
 5. Vendor context middleware works correctly with API authentication
 """
 
-from datetime import datetime, timedelta, timezone
+from datetime import UTC, datetime, timedelta
 
 import pytest
 from jose import jwt
@@ -88,8 +88,8 @@ class TestVendorAPIAuthentication:
             "username": test_vendor_user.username,
             "email": test_vendor_user.email,
             "role": test_vendor_user.role,
-            "exp": datetime.now(timezone.utc) - timedelta(hours=1),
-            "iat": datetime.now(timezone.utc) - timedelta(hours=2),
+            "exp": datetime.now(UTC) - timedelta(hours=1),
+            "iat": datetime.now(UTC) - timedelta(hours=2),
         }
 
         expired_token = jwt.encode(
@@ -184,9 +184,9 @@ class TestVendorAPIAuthentication:
             response = client.get(endpoint)
 
             # All should fail with 401 (header required)
-            assert (
-                response.status_code == 401
-            ), f"Endpoint {endpoint} should reject cookie-only auth"
+            assert response.status_code == 401, (
+                f"Endpoint {endpoint} should reject cookie-only auth"
+            )
 
     # ========================================================================
     # Role-Based Access Control Tests
@@ -205,15 +205,15 @@ class TestVendorAPIAuthentication:
         for endpoint in endpoints:
             # Test with regular user token
             response = client.get(endpoint, headers=auth_headers)
-            assert (
-                response.status_code == 403
-            ), f"Endpoint {endpoint} should reject regular users"
+            assert response.status_code == 403, (
+                f"Endpoint {endpoint} should reject regular users"
+            )
 
             # Test with admin token
             response = client.get(endpoint, headers=admin_headers)
-            assert (
-                response.status_code == 403
-            ), f"Endpoint {endpoint} should reject admin users"
+            assert response.status_code == 403, (
+                f"Endpoint {endpoint} should reject admin users"
+            )
 
     def test_vendor_api_accepts_only_vendor_role(
         self, client, vendor_user_headers, test_vendor_user
@@ -228,7 +228,9 @@ class TestVendorAPIAuthentication:
             assert response.status_code in [
                 200,
                 404,
-            ], f"Endpoint {endpoint} should accept vendor users (got {response.status_code})"
+            ], (
+                f"Endpoint {endpoint} should accept vendor users (got {response.status_code})"
+            )
 
     # ========================================================================
     # Token Validation Tests
@@ -246,9 +248,9 @@ class TestVendorAPIAuthentication:
 
         for headers in malformed_headers:
             response = client.get("/api/v1/vendor/auth/me", headers=headers)
-            assert (
-                response.status_code == 401
-            ), f"Should reject malformed header: {headers}"
+            assert response.status_code == 401, (
+                f"Should reject malformed header: {headers}"
+            )
 
     def test_token_with_missing_claims(self, client, auth_manager):
         """Test token missing required claims"""
@@ -256,7 +258,7 @@ class TestVendorAPIAuthentication:
         invalid_payload = {
             "sub": "123",
             "username": "test",
-            "exp": datetime.now(timezone.utc) + timedelta(hours=1),
+            "exp": datetime.now(UTC) + timedelta(hours=1),
         }
 
         invalid_token = jwt.encode(
@@ -348,9 +350,9 @@ class TestVendorAPIConsistency:
                 response = client.post(endpoint, json={})
 
             # All should reject cookie-only auth with 401
-            assert (
-                response.status_code == 401
-            ), f"Endpoint {endpoint} should require Authorization header (got {response.status_code})"
+            assert response.status_code == 401, (
+                f"Endpoint {endpoint} should require Authorization header (got {response.status_code})"
+            )
 
     def test_vendor_endpoints_accept_vendor_token(
         self, client, vendor_user_headers, test_vendor_with_vendor_user
@@ -371,4 +373,6 @@ class TestVendorAPIConsistency:
             assert response.status_code not in [
                 401,
                 403,
-            ], f"Endpoint {endpoint} should accept vendor token (got {response.status_code}: {response.text})"
+            ], (
+                f"Endpoint {endpoint} should accept vendor token (got {response.status_code}: {response.text})"
+            )