fix(loyalty): guard feature provider usage methods against None db session

Fixes deployment test failures where get_store_usage() and get_merchant_usage()
were called with db=None but attempted to run queries.

Also adds noqa suppressions for pre-existing security validator findings
in dev-toolbar (innerHTML with trusted content) and test fixtures
(hardcoded test passwords).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/loyalty/services/loyalty_features.py

@@ -164,6 +164,9 @@ class LoyaltyFeatureProvider:
         db: Session,
         store_id: int,
     ) -> list[FeatureUsage]:
+        if db is None:
+            return []
+
         from sqlalchemy import func
 
         from app.modules.loyalty.models import LoyaltyCard, StaffPin
@@ -199,6 +202,9 @@ class LoyaltyFeatureProvider:
         merchant_id: int,
         platform_id: int,
     ) -> list[FeatureUsage]:
+        if db is None:
+            return []
+
         from sqlalchemy import func
 
         from app.modules.loyalty.models import (