feat(ci): add CI/CD integration — --fail-on, --compact, pipeline templates

Add threshold-based exit codes (--fail-on <severity>) and compact
output mode (--compact) to scan-orchestrator and CLI. Pipeline
templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF
upload. CI/CD guide with Schrems II/NSM compliance documentation.
npm publish preparation (files whitelist, .npmignore). Policy ci
section for distributable CI defaults. Version 6.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/llm-security/ci/azure-pipelines.yml

@@ -0,0 +1,46 @@
+# llm-security — Azure DevOps pipeline
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the scan script with:
+#   script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file $(Build.ArtifactStagingDirectory)/results.sarif
+
+trigger:
+  branches:
+    include:
+      - main
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+  - task: NodeTool@0
+    displayName: Install Node.js 18
+    inputs:
+      versionSpec: '18.x'
+
+  - script: npx llm-security scan . --fail-on high --format sarif --output-file $(Build.ArtifactStagingDirectory)/results.sarif
+    displayName: Run llm-security scan
+
+  - task: PublishBuildArtifacts@1
+    condition: always()
+    displayName: Publish SARIF results
+    inputs:
+      pathToPublish: $(Build.ArtifactStagingDirectory)/results.sarif
+      artifactName: llm-security-scan
+
+# For Azure DevOps Advanced Security (if enabled):
+# Replace PublishBuildArtifacts with:
+#   - task: AdvancedSecurity-Publish@1
+#     condition: always()
+#     displayName: Publish to Advanced Security
+#
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }

plugins/llm-security/ci/github-action.yml

@@ -0,0 +1,47 @@
+# llm-security — GitHub Actions workflow
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the scan step with:
+#   run: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
+
+name: LLM Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Run llm-security scan
+        run: npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
+
+      - name: Upload SARIF to GitHub Advanced Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: results.sarif
+
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#   --output-file <path>                   Write full results to file
+#   --baseline                             Diff against stored baseline
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }

plugins/llm-security/ci/gitlab-ci.yml

@@ -0,0 +1,37 @@
+# llm-security — GitLab CI template
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# Include in your .gitlab-ci.yml:
+#   include:
+#     - local: ci/gitlab-ci.yml
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the script with:
+#   script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
+
+llm-security-scan:
+  image: node:18-alpine
+  stage: test
+  script:
+    - npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
+  artifacts:
+    paths:
+      - results.sarif
+    reports:
+      sast: results.sarif
+    when: always
+
+# Notes:
+#   - GitLab SAST report parsing of SARIF requires GitLab Ultimate
+#   - The artifact is always available regardless of license tier
+#   - For GitLab Free/Premium, results are in the downloadable artifact only
+#
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }