fix: eliminate all 1600 SEC-015 security info findings

Add safe-pattern exceptions to the x-html check in validate_security.py
for $icon(), $store methods, and window.icons lookups. Suppress remaining
8 legitimate x-html uses (admin-authored content, app-controlled JS) with
noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/proposals/fix-1600-sec015-xhtml-findings.md

@@ -1,7 +1,8 @@
 # Fix 1600 SEC-015 x-html Security Info Findings
 
 **Date:** 2026-02-15
-**Status:** Planned
+**Completed:** 2026-02-16
+**Status:** Implemented
 **Validator:** Security (`scripts/validate/validate_security.py`)
 
 ## Current State