fix: correct tojson|safe usage in templates and update validator

- Remove |safe from |tojson in HTML attributes (x-data) - quotes must
  become " for browsers to parse correctly
- Update LANG-002 and LANG-003 architecture rules to document correct
  |tojson usage patterns:
  - HTML attributes: |tojson (no |safe)
  - Script blocks: |tojson|safe
- Fix validator to warn when |tojson|safe is used in x-data (breaks
  HTML attribute parsing)
- Improve code quality across services, APIs, and tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tests/integration/api/v1/admin/test_auth.py

@@ -3,6 +3,7 @@
 
 Tests the /api/v1/admin/auth/* endpoints.
 """
+
 from datetime import UTC, datetime, timedelta
 
 import pytest
@@ -46,7 +47,10 @@ class TestAdminAuthAPI:
         """Test login with wrong password."""
         response = client.post(
             "/api/v1/admin/auth/login",
-            json={"email_or_username": test_admin.username, "password": "wrongpassword"},
+            json={
+                "email_or_username": test_admin.username,
+                "password": "wrongpassword",
+            },
         )
 
         assert response.status_code == 401
@@ -73,7 +77,10 @@ class TestAdminAuthAPI:
         try:
             response = client.post(
                 "/api/v1/admin/auth/login",
-                json={"email_or_username": test_admin.username, "password": "adminpass123"},
+                json={
+                    "email_or_username": test_admin.username,
+                    "password": "adminpass123",
+                },
             )
 
             assert response.status_code == 403
@@ -153,7 +160,8 @@ class TestAdminAuthAPI:
         )
 
         response = client.get(
-            "/api/v1/admin/auth/me", headers={"Authorization": f"Bearer {expired_token}"}
+            "/api/v1/admin/auth/me",
+            headers={"Authorization": f"Bearer {expired_token}"},
         )
 
         assert response.status_code == 401