refactor: move vendor product schemas to models/schema and add API-002 rule

- Add API-002 architecture rule preventing Pydantic imports in API endpoints
- Move inline Pydantic models from vendor_products.py to models/schema/vendor_product.py
- Update vendor_products.py to import schemas from proper location

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.architecture-rules/api.yaml

@@ -56,6 +56,54 @@ api_endpoint_rules:
       def get_data(): ...
 
   - id: "API-002"
+    name: "No Pydantic imports in API endpoint files"
+    severity: "error"
+    description: |
+      API endpoint files must NOT import Pydantic directly (BaseModel, Field, etc.).
+      All Pydantic schemas must be defined in models/schema/*.py and imported from there.
+
+      WHY THIS MATTERS:
+      - Separation of concerns: API handles HTTP, schemas handle data structure
+      - Discoverability: All schemas in one place for easy review
+      - Reusability: Schemas can be shared across endpoints
+      - Prevents inline schema definitions that violate API-001
+
+      WRONG:
+        from pydantic import BaseModel, Field
+        class MyRequest(BaseModel):  # Inline schema
+            name: str
+
+      RIGHT:
+        # In models/schema/my_feature.py
+        from pydantic import BaseModel
+        class MyRequest(BaseModel):
+            name: str
+
+        # In app/api/v1/admin/my_feature.py
+        from models.schema.my_feature import MyRequest
+    pattern:
+      file_pattern: "app/api/v1/**/*.py"
+      anti_patterns:
+        - "from pydantic import"
+        - "from pydantic.main import"
+    example_good: |
+      # In app/api/v1/admin/vendors.py
+      from models.schema.vendor import (
+          LetzshopExportRequest,
+          LetzshopExportResponse,
+      )
+
+      @router.post("/export", response_model=LetzshopExportResponse)
+      def export_products(request: LetzshopExportRequest):
+          ...
+    example_bad: |
+      # In app/api/v1/admin/vendors.py
+      from pydantic import BaseModel  # WRONG: Don't import pydantic here
+
+      class LetzshopExportRequest(BaseModel):  # WRONG: Define in models/schema/
+          include_inactive: bool = False
+
+  - id: "API-003"
     name: "Endpoint must NOT contain business logic"
     severity: "error"
     description: |
@@ -76,7 +124,7 @@ api_endpoint_rules:
         - "db.delete("
         - "db.query("
 
-  - id: "API-003"
+  - id: "API-004"
     name: "Endpoint must NOT raise ANY exceptions directly"
     severity: "error"
     description: |
@@ -116,7 +164,7 @@ api_endpoint_rules:
       exceptions:
         - "app/exceptions/handler.py"
 
-  - id: "API-004"
+  - id: "API-005"
     name: "Endpoint must have proper authentication/authorization"
     severity: "warning"
     description: |
@@ -128,7 +176,7 @@ api_endpoint_rules:
 
       Public endpoint markers (place on line before or after decorator):
       - # public - Descriptive marker for intentionally unauthenticated endpoints
-      - # noqa: API-004 - Standard noqa style to suppress warning
+      - # noqa: API-005 - Standard noqa style to suppress warning
 
       Example:
         # public - Stripe webhook receives external callbacks
@@ -143,9 +191,9 @@ api_endpoint_rules:
         - "*/auth.py"
       public_markers:
         - "# public"
-        - "# noqa: api-004"
+        - "# noqa: api-005"
 
-  - id: "API-005"
+  - id: "API-006"
     name: "Multi-tenant endpoints must scope queries to vendor_id"
     severity: "error"
     description: |