refactor: phase 0 guardrails + phase 1 step 2 (models.py split)

Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits,
81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths /
484 operations).

## Phase 0 — Architecture guardrails

Three defense-in-depth layers to keep the architecture rules enforced
regardless of who opens Claude Code in this repo:

  1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file
     that would exceed the 500-line hard cap. Auto-loads in every Claude
     session in this repo.
  2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh)
     enforces the LOC cap locally, freezes migrations/ without
     [migration-approved], and protects guardrail files without
     [guardrail-change].
  3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity +
     sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python
     packages (compliance/{services,repositories,domain,schemas}), and
     tsc --noEmit for admin-compliance + developer-portal.

Per-language conventions documented in AGENTS.python.md, AGENTS.go.md,
AGENTS.typescript.md at the repo root — layering, tooling, and explicit
"what you may NOT do" lists. Root CLAUDE.md is prepended with the six
non-negotiable rules. Each of the 10 services gets a README.md.

scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the
current baseline of 205 hard + 161 soft violations so Phases 1-4 can
drain it incrementally. CI gates only CHANGED files in PRs so the
legacy baseline does not block unrelated work.

## Deprecation sweep

47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config ->
ConfigDict in source_policy_router.py (schemas.py intentionally skipped;
it is the Phase 1 Step 3 split target). datetime.utcnow() ->
datetime.now(timezone.utc) everywhere including SQLAlchemy default=
callables. All DB columns already declare timezone=True, so this is a
latent-bug fix at the Python side, not a schema change.

DeprecationWarning count dropped from 158 to 35.

## Phase 1 Step 1 — Contract test harness

tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json
against tests/contracts/openapi.baseline.json on every test run. Fails on
removed paths, removed status codes, or new required request body fields.
Regenerate only via tests/contracts/regenerate_baseline.py after a
consumer-updated contract change. This is the safety harness for all
subsequent refactor commits.

## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim)

compliance/db/models.py is decomposed into seven sibling aggregate modules
following the existing repo pattern (dsr_models.py, vvt_models.py, ...):

  regulation_models.py       (134) — Regulation, Requirement
  control_models.py          (279) — Control, Mapping, Evidence, Risk
  ai_system_models.py        (141) — AISystem, AuditExport
  service_module_models.py   (176) — ServiceModule, ModuleRegulation, ModuleRisk
  audit_session_models.py    (177) — AuditSession, AuditSignOff
  isms_governance_models.py  (323) — ISMSScope, Context, Policy, Objective, SoA
  isms_audit_models.py       (468) — Finding, CAPA, MgmtReview, InternalAudit,
                                     AuditTrail, Readiness

models.py becomes an 85-line re-export shim in dependency order so
existing imports continue to work unchanged. Schema is byte-identical:
__tablename__, column definitions, relationship strings, back_populates,
cascade directives all preserved.

All new sibling files are under the 500-line hard cap; largest is
isms_audit_models.py at 468. No file in compliance/db/ now exceeds
the hard cap.

## Phase 1 Step 3 — infrastructure only

backend-compliance/compliance/{schemas,domain,repositories}/ packages
are created as landing zones with docstrings. compliance/domain/
exports DomainError / NotFoundError / ConflictError / ValidationError /
PermissionError — the base classes services will use to raise
domain-level errors instead of HTTPException.

PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents
the nine-step execution plan for Phase 1: snapshot baseline,
characterization tests, split models.py (this commit), split schemas.py
(next), extract services, extract repositories, mypy --strict, coverage.

## Verification

  backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt
  PYTHONPATH=. pytest compliance/tests/ tests/contracts/
  -> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/tests/test_isms_routes.py

@@ -15,7 +15,7 @@ Run with: pytest backend/compliance/tests/test_isms_routes.py -v
 """
 
 import pytest
-from datetime import datetime, date
+from datetime import datetime, date, timezone
 from unittest.mock import MagicMock
 from uuid import uuid4
 
@@ -56,7 +56,7 @@ def sample_scope():
         status=ApprovalStatusEnum.DRAFT,
         version="1.0",
         created_by="admin@breakpilot.de",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -65,7 +65,7 @@ def sample_approved_scope(sample_scope):
     """Create an approved ISMS scope for testing."""
     sample_scope.status = ApprovalStatusEnum.APPROVED
     sample_scope.approved_by = "ceo@breakpilot.de"
-    sample_scope.approved_at = datetime.utcnow()
+    sample_scope.approved_at = datetime.now(timezone.utc)
     sample_scope.effective_date = date.today()
     sample_scope.review_date = date(date.today().year + 1, date.today().month, date.today().day)
     sample_scope.approval_signature = "sha256_signature_hash"
@@ -88,7 +88,7 @@ def sample_policy():
         authored_by="iso@breakpilot.de",
         status=ApprovalStatusEnum.DRAFT,
         version="1.0",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -116,7 +116,7 @@ def sample_objective():
         related_controls=["OPS-003"],
         status="active",
         progress_percentage=0.0,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -136,7 +136,7 @@ def sample_soa_entry():
         coverage_level="full",
         evidence_description="ISMS Policy v2.0, signed by CEO",
         version="1.0",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -158,7 +158,7 @@ def sample_finding():
         identified_date=date.today(),
         due_date=date(2026, 3, 31),
         status=FindingStatusEnum.OPEN,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -178,7 +178,7 @@ def sample_major_finding():
         identified_date=date.today(),
         due_date=date(2026, 2, 28),
         status=FindingStatusEnum.OPEN,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -198,7 +198,7 @@ def sample_capa(sample_finding):
         planned_completion=date(2026, 2, 15),
         effectiveness_criteria="Document approved and distributed to audit team",
         status="planned",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -219,7 +219,7 @@ def sample_management_review():
             {"name": "ISO", "role": "ISMS Manager"},
         ],
         status="draft",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -239,7 +239,7 @@ def sample_internal_audit():
         lead_auditor="internal.auditor@breakpilot.de",
         audit_team=["internal.auditor@breakpilot.de", "qa@breakpilot.de"],
         status="planned",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
     )
 
 
@@ -502,7 +502,7 @@ class TestISMSReadinessCheck:
         """Readiness check should identify potential major findings."""
         check = ISMSReadinessCheckDB(
             id=str(uuid4()),
-            check_date=datetime.utcnow(),
+            check_date=datetime.now(timezone.utc),
             triggered_by="admin@breakpilot.de",
             overall_status="not_ready",
             certification_possible=False,
@@ -532,7 +532,7 @@ class TestISMSReadinessCheck:
         """Readiness check should show status for each ISO chapter."""
         check = ISMSReadinessCheckDB(
             id=str(uuid4()),
-            check_date=datetime.utcnow(),
+            check_date=datetime.now(timezone.utc),
             triggered_by="admin@breakpilot.de",
             overall_status="ready",
             certification_possible=True,
@@ -606,7 +606,7 @@ class TestAuditTrail:
             entity_name="ISMS Scope v1.0",
             action="approve",
             performed_by="ceo@breakpilot.de",
-            performed_at=datetime.utcnow(),
+            performed_at=datetime.now(timezone.utc),
             checksum="sha256_hash",
         )
 
@@ -630,7 +630,7 @@ class TestAuditTrail:
             new_value="approved",
             change_summary="Policy approved by CEO",
             performed_by="ceo@breakpilot.de",
-            performed_at=datetime.utcnow(),
+            performed_at=datetime.now(timezone.utc),
             checksum="sha256_hash",
         )