feat(ci): add CI/CD integration — --fail-on, --compact, pipeline templates

Add threshold-based exit codes (--fail-on <severity>) and compact
output mode (--compact) to scan-orchestrator and CLI. Pipeline
templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF
upload. CI/CD guide with Schrems II/NSM compliance documentation.
npm publish preparation (files whitelist, .npmignore). Policy ci
section for distributable CI defaults. Version 6.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/llm-security/ci/gitlab-ci.yml

@@ -0,0 +1,37 @@
+# llm-security — GitLab CI template
+# Deterministic security scanning for AI/LLM projects.
+# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
+#
+# Include in your .gitlab-ci.yml:
+#   include:
+#     - local: ci/gitlab-ci.yml
+#
+# See docs/ci-cd-guide.md for configuration options and detailed setup.
+#
+# Alternative (without npx): replace the script with:
+#   script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
+
+llm-security-scan:
+  image: node:18-alpine
+  stage: test
+  script:
+    - npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
+  artifacts:
+    paths:
+      - results.sarif
+    reports:
+      sast: results.sarif
+    when: always
+
+# Notes:
+#   - GitLab SAST report parsing of SARIF requires GitLab Ultimate
+#   - The artifact is always available regardless of license tier
+#   - For GitLab Free/Premium, results are in the downloadable artifact only
+#
+# Configuration:
+#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
+#   --compact                              One-liner per finding (reduced log noise)
+#   --format sarif                         OASIS SARIF 2.1.0 output
+#
+# Or configure via .llm-security/policy.json:
+#   { "ci": { "failOn": "high", "compact": true } }