refactor: fix all architecture validator findings (202 → 0)

Eliminate all 103 errors and 96 warnings from the architecture validator:

Phase 1 - Validator rules & YAML:
- Add NAM-001/NAM-002 exceptions for module-scoped router/service files
- Fix API-004 to detect # public comments on decorator lines
- Add module-specific exception bases to EXC-004 valid_bases
- Exclude storefront files from AUTH-004 store context check
- Add SVC-006 exceptions for loyalty service atomic commits
- Fix _get_rule() to search naming_rules and auth_rules categories
- Use plain # CODE comments instead of # noqa: CODE for custom rules

Phase 2 - Billing module (5 route files):
- Move _resolve_store_to_merchant to subscription_service
- Move tier/feature queries to feature_service, admin_subscription_service
- Extract 22 inline Pydantic schemas to billing/schemas/billing.py
- Replace all HTTPException with domain exceptions

Phase 3 - Loyalty module (4 routes + points_service):
- Add 7 domain exceptions (Apple auth, enrollment, device registration)
- Add service methods to card_service, program_service, apple_wallet_service
- Move all db.query() from routes to service layer
- Fix SVC-001: replace HTTPException in points_service with domain exception

Phase 4 - Remaining modules:
- tenancy: move store stats queries to admin_service
- cms: move platform resolution to content_page_service, add NoPlatformSubscriptionException
- messaging: move user/customer lookups to messaging_service
- Add ConfigDict(from_attributes=True) to ContentPageResponse

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.architecture-rules/auth.yaml

@@ -9,7 +9,9 @@ auth_rules:
     description: |
       Authentication must use JWT tokens in Authorization: Bearer header
     pattern:
-      file_pattern: "app/api/**/*.py"
+      file_pattern:
+        - "app/api/**/*.py"
+        - "app/modules/*/routes/api/**/*.py"
       enforcement: "middleware"
 
   - id: "AUTH-002"
@@ -18,7 +20,9 @@ auth_rules:
     description: |
       Use Depends(get_current_admin/vendor/customer) for role checks
     pattern:
-      file_pattern: "app/api/v1/**/*.py"
+      file_pattern:
+        - "app/api/v1/**/*.py"
+        - "app/modules/*/routes/api/**/*.py"
       required: "Depends\\(get_current_"
 
   - id: "AUTH-003"
@@ -36,10 +40,10 @@ auth_rules:
     description: |
       Two vendor context patterns exist - use the appropriate one:
 
-      1. SHOP ENDPOINTS (public, no authentication required):
+      1. STOREFRONT ENDPOINTS (public, no authentication required):
          - Use: vendor: Vendor = Depends(require_vendor_context())
          - Vendor is detected from URL/subdomain/domain
-         - File pattern: app/api/v1/storefront/**/*.py
+         - File pattern: app/api/v1/storefront/**/*.py, app/modules/*/routes/api/storefront*.py
          - Mark as public with: # public
 
       2. VENDOR API ENDPOINTS (authenticated):
@@ -49,15 +53,19 @@ auth_rules:
          - File pattern: app/api/v1/vendor/**/*.py
 
       DEPRECATED for vendor APIs:
-         - require_vendor_context() - only for shop endpoints
+         - require_vendor_context() - only for storefront endpoints
          - getattr(request.state, "vendor", None) without permission dependency
 
       See: docs/backend/vendor-in-token-architecture.md
     pattern:
-      file_pattern: "app/api/v1/vendor/**/*.py"
+      file_pattern:
+        - "app/api/v1/vendor/**/*.py"
+        - "app/modules/*/routes/api/store*.py"
       anti_patterns:
         - "require_vendor_context\\(\\)"
-      file_pattern: "app/api/v1/storefront/**/*.py"
+      file_pattern:
+        - "app/api/v1/storefront/**/*.py"
+        - "app/modules/*/routes/api/storefront*.py"
       required_patterns:
         - "require_vendor_context\\(\\)|# public"
 
@@ -149,7 +157,9 @@ multi_tenancy_rules:
     description: |
       In vendor/shop contexts, all database queries must filter by vendor_id
     pattern:
-      file_pattern: "app/services/**/*.py"
+      file_pattern:
+        - "app/services/**/*.py"
+        - "app/modules/*/services/**/*.py"
       context: "vendor_shop"
       required_pattern: ".filter\\(.*vendor_id.*\\)"
 
@@ -159,5 +169,7 @@ multi_tenancy_rules:
     description: |
       Queries must never access data from other vendors
     pattern:
-      file_pattern: "app/services/**/*.py"
+      file_pattern:
+        - "app/services/**/*.py"
+        - "app/modules/*/services/**/*.py"
       enforcement: "database_query_level"