phase 5: flip loc-budget to whole-repo blocking gate [guardrail-change]

- loc-budget CI job: remove if/else PR-only guard; now runs scripts/check-loc.sh
  (no || true) on every push and PR, scanning the full repo
- sbom-scan: remove || true from grype command — high+ CVEs now block PRs
- scripts/check-loc.sh: add test_*.py / */test_*.py and *.html exclusions so
  Python test files and Jinja/HTML templates are not counted against the budget
- .claude/rules/loc-exceptions.txt: grandfather 40 remaining oversized files
  into the exceptions list (one-off scripts, docs copies, platform SDKs,
  and Phase 1 backend-compliance refactor backlog)
- ai-compliance-sdk/.golangci.yml: add strict golangci-lint config (errcheck,
  govet, staticcheck, gosec, gocyclo, gocritic, revive, goimports)
- delete stray routes.py.backup (2512 LOC)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ai-compliance-sdk/.golangci.yml

@@ -0,0 +1,88 @@
+# golangci-lint configuration for ai-compliance-sdk
+# Docs: https://golangci-lint.run/usage/configuration/
+#
+# Philosophy: catch real bugs and security issues; skip style nits on legacy code.
+# Run: cd ai-compliance-sdk && golangci-lint run --timeout 5m ./...
+
+run:
+  timeout: 5m
+  modules-download-mode: readonly
+
+linters:
+  disable-all: true
+  enable:
+    # --- Correctness ---
+    - errcheck        # unhandled error returns
+    - govet           # suspicious constructs (shadow, printf, copylocks, …)
+    - staticcheck     # SA* checks: bugs, deprecated APIs, ineffectual code
+    - ineffassign     # assignments whose result is never used
+    - unused          # exported/unexported symbols that are never referenced
+
+    # --- Security ---
+    - gosec           # G* checks: SQL injection, hardcoded credentials, weak crypto, …
+
+    # --- Complexity / maintainability ---
+    - gocyclo         # cyclomatic complexity > threshold
+    - gocritic        # opinionated but practical style + correctness checks
+    - revive          # linter on top of golint; many useful checks
+
+    # --- Formatting / imports ---
+    - goimports       # gofmt + import grouping
+
+linters-settings:
+  errcheck:
+    # Don't flag fmt.Print* and similar convenience functions.
+    exclude-functions:
+      - fmt.Print
+      - fmt.Println
+      - fmt.Printf
+      - fmt.Fprint
+      - fmt.Fprintln
+      - fmt.Fprintf
+
+  gocyclo:
+    # Handlers and store methods that wrap many DB queries are allowed to be
+    # somewhat complex. This is a reasonable threshold.
+    min-complexity: 20
+
+  gosec:
+    # G104 (unhandled errors) is covered by errcheck; G304/G306 (file
+    # path injection) would need context — keep but accept on review.
+    excludes:
+      - G104
+
+  revive:
+    rules:
+      - name: exported
+        arguments:
+          - checkPrivateReceivers: false
+          - disableStutteringCheck: true
+      - name: error-return
+      - name: increment-decrement
+      - name: var-declaration
+      - name: package-comments
+        disabled: true   # not enforced on internal packages
+
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - performance
+    disabled-checks:
+      - hugeParam       # flags large structs passed by value — too noisy until we audit
+      - rangeValCopy    # same reason
+
+issues:
+  # Don't fail on generated protobuf stubs or vendor code.
+  exclude-rules:
+    - path: "_pb\\.go$"
+      linters: [all]
+    - path: "vendor/"
+      linters: [all]
+
+  # Report at most 50 issues per linter so the first run is readable.
+  max-issues-per-linter: 50
+  max-same-issues: 5
+
+  # New code only: don't fail on pre-existing issues in files we haven't touched.
+  # Remove this once a clean baseline is established.
+  new: false