refactor(backend/api): extract CanonicalControlService (Step 4 — file 6 of 18)

compliance/api/canonical_control_routes.py (514 LOC) -> 192 LOC thin
routes + 316-line CanonicalControlService + 105-line schemas file.

Canonical Control Library manages OWASP/NIST/ENISA-anchored security
control frameworks and controls. Like company_profile_routes, this file
uses raw SQL via sqlalchemy.text() because there are no SQLAlchemy
models for canonical_control_frameworks or canonical_controls.

Single-service split. Session management moved from bespoke
`with SessionLocal() as db:` blocks to Depends(get_db) for consistency.

Legacy test imports preserved via re-export (FrameworkResponse,
ControlResponse, SimilarityCheckRequest, SimilarityCheckResponse,
_control_row).

Validation extracted to a module-level `_validate_control_input` helper
so both create and update share the same checks. ValidationError (from
compliance.domain) replaces raw HTTPException(400) raises.

Verified:
  - 187/187 pytest (173 core + 14 canonical) pass
  - OpenAPI 360/484 unchanged
  - mypy compliance/ -> Success on 130 source files
  - canonical_control_routes.py 514 -> 192 LOC
  - Hard-cap violations: 13 -> 12

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sharang Parnerkar
2026-04-07 19:53:55 +02:00
parent 4fa0dd6f6d
commit b850368ec9
5 changed files with 583 additions and 437 deletions

@@ -41419,7 +41419,14 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"items": {
"additionalProperties": true,
"type": "object"
},
"title": "Response List Controls Api Compliance V1 Canonical Controls Get",
"type": "array"
}
}
},
"description": "Successful Response"
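Review bot: `"additionalProperties": true` on the array items leaves the list-controls 200 response with no declared fields, so the contract documents only "array of anything". The commit message says the rows come from raw SQL via sqlalchemy.text() and that ControlResponse is kept as a re-export. Declaring the endpoint's response as a list of ControlResponse would publish the field set and let the framework drop any column that is selected but not meant for clients.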
@@ -41458,7 +41465,11 @@
"201": {
"content": {
"application/json": {
"schema": {}
"schema": {
"additionalProperties": true,
"title": "Response Create Control Api Compliance V1 Canonical Controls Post",
"type": "object"
}
}
},
"description": "Successful Response"
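Review bot: the commit message lists "OpenAPI 360/484 unchanged" under Verified, yet this hunk replaces `"schema": {}` with a titled object schema for the 201 response, so the published contract does change. If 360/484 is a path and operation count, the message should say that and mention the response-schema drift separately, since generated clients and contract tests key on these schemas.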
@@ -41600,7 +41611,11 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"additionalProperties": true,
"title": "Response Get Control Api Compliance V1 Canonical Controls Control Id Get",
"type": "object"
}
}
},
"description": "Successful Response"
@@ -41650,7 +41665,11 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"additionalProperties": true,
"title": "Response Update Control Api Compliance V1 Canonical Controls Control Id Put",
"type": "object"
}
}
},
"description": "Successful Response"
@@ -41702,7 +41721,11 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"additionalProperties": true,
"title": "Response Similarity Check Api Compliance V1 Canonical Controls Control Id Similarity Check Post",
"type": "object"
}
}
},
"description": "Successful Response"
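Review bot: the similarity-check 200 response is declared as an open object (`"additionalProperties": true`) although the commit message names SimilarityCheckResponse among the preserved schemas. If that model describes this endpoint's output, it should be wired in as the response type here so the spec and the model cannot diverge. If it does not, a short comment explaining why the route returns a free-form dict would help the next reader.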
@@ -41733,7 +41756,14 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"items": {
"additionalProperties": true,
"type": "object"
},
"title": "Response List Frameworks Api Compliance V1 Canonical Frameworks Get",
"type": "array"
}
}
},
"description": "Successful Response"
@@ -41765,7 +41795,11 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"additionalProperties": true,
"title": "Response Get Framework Api Compliance V1 Canonical Frameworks Framework Id Get",
"type": "object"
}
}
},
"description": "Successful Response"
@@ -41839,7 +41873,14 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"items": {
"additionalProperties": true,
"type": "object"
},
"title": "Response List Framework Controls Api Compliance V1 Canonical Frameworks Framework Id Controls Get",
"type": "array"
}
}
},
"description": "Successful Response"
@@ -42140,7 +42181,9 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"title": "Response List Licenses Api Compliance V1 Canonical Licenses Get"
}
}
},
"description": "Successful Response"
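Review bot: the list-licenses schema gains only a `"title"` and no `"type"`, unlike the other list endpoints in this diff, which declare `"type": "array"` with object items. The list-sources hunk that follows has the same shape. That usually means the handler's return annotation is untyped. Annotating both handlers with the list type they actually return would make these two responses consistent with the rest of the canonical endpoints.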
@@ -42161,7 +42204,9 @@
"200": {
"content": {
"application/json": {
"schema": {}
"schema": {
"title": "Response List Sources Api Compliance V1 Canonical Sources Get"
}
}
},
"description": "Successful Response"