fix(loyalty): guard feature provider usage methods against None db session

Fixes deployment test failures where get_store_usage() and get_merchant_usage()
were called with db=None but attempted to run queries.

Also adds noqa suppressions for pre-existing security validator findings
in dev-toolbar (innerHTML with trusted content) and test fixtures
(hardcoded test passwords).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/tenancy/routes/api/merchant.py

@@ -30,6 +30,7 @@ from app.modules.tenancy.services.merchant_store_service import merchant_store_s
 
 from .email_verification import email_verification_api_router
 from .merchant_auth import merchant_auth_router
+from .user_account import merchant_account_router
 
 logger = logging.getLogger(__name__)
 
@@ -219,3 +220,6 @@ async def update_merchant_profile(
 
 # Include account routes in main router
 router.include_router(_account_router, tags=["merchant-account"])
+
+# Include self-service user account routes
+router.include_router(merchant_account_router, tags=["merchant-user-account"])