fix: add .dockerignore and env_file to docker-compose

Prevents .env from being baked into Docker image (was overriding
config defaults). Adds env_file directive so containers load host
.env properly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/validate/base_validator.py

@@ -4,6 +4,7 @@ Base Validator Class
 Shared functionality for all validators.
 """
 
+import re
 from abc import ABC
 from dataclasses import dataclass, field
 from enum import Enum
@@ -62,8 +63,18 @@ class BaseValidator(ABC):
         ".venv", "venv", "node_modules", "__pycache__", ".git",
         ".pytest_cache", ".mypy_cache", "dist", "build", "*.egg-info",
         "migrations", "alembic/versions", ".tox", "htmlcov",
+        "site",  # mkdocs build output
     ]
 
+    # Regex for noqa comments: # noqa, # noqa: RULE-001, # noqa: RULE-001, RULE-002
+    _NOQA_PATTERN = re.compile(
+        r"#\s*noqa(?::\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*))?",
+    )
+    # Same for HTML comments: <!-- noqa: RULE-001 -->
+    _NOQA_HTML_PATTERN = re.compile(
+        r"<!--\s*noqa(?::\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*))?\s*-->",
+    )
+
     def __init__(
         self,
         rules_dir: str = "",
@@ -180,6 +191,26 @@ class BaseValidator(ABC):
         path_str = str(file_path)
         return any(pattern in path_str for pattern in self.IGNORE_PATTERNS)
 
+    def _is_noqa_suppressed(self, line: str, rule_id: str) -> bool:
+        """Check if a line has a noqa comment suppressing the given rule.
+
+        Supports:
+          - ``# noqa`` — suppresses all rules
+          - ``# noqa: SEC-001`` — suppresses specific rule
+          - ``# noqa: SEC-001, SEC-002`` — suppresses multiple rules
+          - ``<!-- noqa: SEC-015 -->`` — HTML comment variant
+        """
+        for pattern in (self._NOQA_PATTERN, self._NOQA_HTML_PATTERN):
+            match = pattern.search(line)
+            if match:
+                rule_list = match.group(1)
+                if not rule_list:
+                    return True  # bare # noqa → suppress everything
+                suppressed = [r.strip() for r in rule_list.split(",")]
+                if rule_id in suppressed:
+                    return True
+        return False
+
     def _add_violation(
         self,
         rule_id: str,