fix: correct tojson|safe usage in templates and update validator

- Remove |safe from |tojson in HTML attributes (x-data) - quotes must
  become " for browsers to parse correctly
- Update LANG-002 and LANG-003 architecture rules to document correct
  |tojson usage patterns:
  - HTML attributes: |tojson (no |safe)
  - Script blocks: |tojson|safe
- Fix validator to warn when |tojson|safe is used in x-data (breaks
  HTML attribute parsing)
- Improve code quality across services, APIs, and tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tests/integration/security/test_authorization.py

@@ -6,6 +6,7 @@ Tests role-based access control:
 - Admin endpoints require admin role
 - Vendor endpoints require vendor context (vendor_id in token)
 """
+
 import pytest
 
 
@@ -29,7 +30,9 @@ class TestAuthorization:
 
         for endpoint in admin_endpoints:
             response = client.get(endpoint, headers=admin_headers)
-            assert response.status_code == 200, f"Admin should have access to {endpoint}"
+            assert response.status_code == 200, (
+                f"Admin should have access to {endpoint}"
+            )
 
     def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
         """Test that vendor endpoints require vendor context in token"""
@@ -38,9 +41,7 @@ class TestAuthorization:
         # Should fail - admin token lacks vendor_id claim
         assert response.status_code in [401, 403]
 
-    def test_vendor_owner_access_control(
-        self, client, admin_headers, test_vendor
-    ):
+    def test_vendor_owner_access_control(self, client, admin_headers, test_vendor):
         """Test admin can access vendor by vendor code"""
         response = client.get(
             f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers