fix: AUTH-004 rule now accepts # authenticated marker

Shop endpoints can use three valid vendor context patterns:
- require_vendor_context() dependency
- # public - for public endpoints
- # authenticated - for customer-authenticated endpoints

Customer auth (get_current_customer_api) includes vendor context
validation, so # authenticated is a valid marker.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-31 22:01:15 +01:00
parent 51a4747882
commit cd4300039d

@@ -2612,9 +2612,12 @@ class ArchitectureValidator:
if "noqa: auth-004" in content.lower():
return
# Shop APIs that need vendor context should use require_vendor_context or # public
# Shop APIs that need vendor context should use require_vendor_context,
# # public, or # authenticated (customer auth includes vendor context)
has_vendor_context = (
"require_vendor_context" in content or "# public" in content
"require_vendor_context" in content
or "# public" in content
or "# authenticated" in content
)
# Check for routes that might need vendor context
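Review bot: the new `or "# authenticated" in content` clause in `has_vendor_context` is a file-wide substring test, so a single `# authenticated` comment anywhere in the module marks the whole file as having vendor context, whether or not any route actually depends on `get_current_customer_api`. The commit message justifies the marker by saying customer auth performs the vendor context validation, but nothing here checks that the dependency is present. Consider accepting the marker only when `"get_current_customer_api" in content` also holds, so the comment cannot stand in for the enforcement. Note also that the noqa check just above compares against `content.lower()` while the three markers are matched case-sensitively, and that `"# authenticated"` also matches longer comments that merely start with that text; a short comment documenting the exact expected form would help.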
@@ -2623,10 +2626,11 @@ class ArchitectureValidator:
lines = content.split("\n")
for i, line in enumerate(lines, 1):
if "@router." in line:
# Check next few lines for public marker or vendor context
# Check next few lines for public/authenticated marker or vendor context
context_lines = "\n".join(lines[i - 1 : i + 10])
if (
"# public" not in context_lines
and "# authenticated" not in context_lines
and "require_vendor_context" not in context_lines
):
self._add_violation(
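Review bot: the added `and "# authenticated" not in context_lines` condition inherits the fixed window `lines[i - 1 : i + 10]`, which can run past the current handler into the next `@router.` decorator, so a marker on the following endpoint suppresses the violation for this one. With a third accepted marker that false-negative surface grows. Consider truncating `context_lines` at the next line containing `@router.`, and for the `# authenticated` case also requiring `get_current_customer_api` to appear in the same window, so that a route carrying only the comment and no customer auth dependency is still reported.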