feat: add unified code quality dashboard with multiple validators

- Add validator_type field to scans and violations (architecture,
  security, performance)
- Create security validator with SEC-xxx rules
- Create performance validator with PERF-xxx rules
- Add base validator class for shared functionality
- Add validate_all.py script to run all validators
- Update code quality service with validator type filtering
- Add validator type tabs to dashboard UI
- Add validator type filter to violations list
- Update stats response with per-validator breakdown
- Add security and performance rules documentation
- Add chat-bubble icons to icon library

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.performance-rules/caching.yaml

@@ -0,0 +1,125 @@
+# Caching Performance Rules
+# =========================
+
+caching_rules:
+  - id: "PERF-016"
+    name: "Cache expensive computations"
+    severity: info
+    description: |
+      Computationally expensive operations should be cached:
+      - Complex aggregations
+      - External API results
+      - Template rendering
+      - Data transformations
+    file_pattern: "**/service*.py"
+    suggested_patterns:
+      - "@cache|@lru_cache|@cached|redis|memcache"
+
+  - id: "PERF-017"
+    name: "Cache key includes tenant context"
+    severity: warning
+    description: |
+      Multi-tenant cache keys must include vendor_id.
+      Otherwise, cached data may leak between tenants.
+    file_pattern: "**/*cache*.py|**/service*.py"
+    context_patterns:
+      - "cache|@cached|redis"
+    required_patterns:
+      - "vendor_id|tenant"
+    example_bad: |
+      @cache.memoize()
+      def get_products():
+          return db.query(Product).all()
+    example_good: |
+      @cache.memoize()
+      def get_products(vendor_id: int):
+          return db.query(Product).filter_by(vendor_id=vendor_id).all()
+
+  - id: "PERF-018"
+    name: "Cache TTL configuration"
+    severity: info
+    description: |
+      Cache entries should have appropriate TTL:
+      - Short TTL (1-5 min): Frequently changing data
+      - Medium TTL (5-60 min): Semi-static data
+      - Long TTL (1+ hour): Reference data
+    file_pattern: "**/*cache*.py"
+    suggested_patterns:
+      - "ttl|expire|timeout"
+
+  - id: "PERF-019"
+    name: "Cache invalidation strategy"
+    severity: warning
+    description: |
+      Define cache invalidation strategy:
+      - Time-based (TTL)
+      - Event-based (on data change)
+      - Manual (admin action)
+
+      Without invalidation, stale data may be served.
+    file_pattern: "**/*cache*.py|**/service*.py"
+    suggested_patterns:
+      - "invalidate|delete|clear|purge"
+
+  - id: "PERF-020"
+    name: "Response caching headers"
+    severity: info
+    description: |
+      API responses can use HTTP caching headers:
+      - Cache-Control for browser/CDN caching
+      - ETag for conditional requests
+      - Last-Modified for validation
+    file_pattern: "**/api/**/*.py"
+    suggested_patterns:
+      - "Cache-Control|ETag|Last-Modified"
+
+  - id: "PERF-021"
+    name: "Query result caching"
+    severity: info
+    description: |
+      Frequently accessed, rarely changed data should be cached:
+      - User preferences
+      - Configuration settings
+      - Static reference data
+    file_pattern: "**/service*.py"
+
+  - id: "PERF-022"
+    name: "Session-level caching"
+    severity: info
+    description: |
+      Use SQLAlchemy's identity map for request-scoped caching.
+      Avoid re-fetching the same entity within a request.
+    file_pattern: "**/service*.py"
+
+  - id: "PERF-023"
+    name: "Distributed cache for scalability"
+    severity: info
+    description: |
+      For multi-instance deployments, use distributed cache:
+      - Redis
+      - Memcached
+      - Database-backed cache
+
+      Local caches don't work across instances.
+    file_pattern: "**/config*.py"
+    suggested_patterns:
+      - "redis|memcache|CACHE_TYPE"
+
+  - id: "PERF-024"
+    name: "Cache warming strategy"
+    severity: info
+    description: |
+      Pre-warm cache for predictable high-traffic patterns:
+      - On application startup
+      - Before marketing campaigns
+      - After cache flush
+
+  - id: "PERF-025"
+    name: "Monitor cache hit rates"
+    severity: info
+    description: |
+      Track cache performance:
+      - Hit rate (should be > 80%)
+      - Miss penalty (time saved)
+      - Memory usage
+      - Eviction rate