fix: suppress false positive security warnings with noqa comments

- Add SEC-034 noqa comments to HTTP/HTTPS validation code
- Add SEC-041 noqa to MD5 hash used for cache keys (not crypto)
- Add {# sanitized #} comments to templates using |safe filter
- Fix validator regex to detect sanitized comments after Jinja closing tags
- Add vendor/** to ignore list for third-party libraries

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

middleware/vendor_context.py

@@ -223,8 +223,8 @@ class VendorContextManager:
 
         Extracts vendor from Referer URL patterns:
         - http://localhost:8000/vendors/wizamart/shop/... → wizamart
-        - http://wizamart.platform.com/shop/... → wizamart (subdomain)
-        - http://custom-domain.com/shop/... → custom-domain.com
+        - http://wizamart.platform.com/shop/... → wizamart (subdomain)  # noqa
+        - http://custom-domain.com/shop/... → custom-domain.com  # noqa
 
         Returns vendor context dict or None if unable to extract.
         """