Wire pnpm compliance:emit-all into the pre-commit hook (conditional on
staged Payload configs, library traces, or compliance/ files) and add a
hard-fail compliance drift check step to the CI validate job positioned
after pnpm conformance.

Also fix emit-all.mjs: it previously hardcoded --check on every invocation,
so it never actually regenerated artifacts. Now the default mode writes and
--check mode diffs only — matching the pre-commit (write) vs CI (check) split.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds scripts/compliance/emit-all.mjs which runs all three compliance
emitters in --check mode and exits non-zero if any artifact is stale.

Adds compliance:emit-all root package script.

Generates initial compliance/retention-policy.yml and
compliance/sub-processors.yml from the template collections.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
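
The write-versus-check split described in both commit messages above, as an added example that is not the project's emit-all.mjs: the default mode regenerates stale artifacts, while --check only reports drift and returns a non-zero exit code. The `emitAll`, `memoryFs` and `demo` names, the in-memory file store and the YAML contents are assumptions constructed for illustration.

```javascript
// Added illustration; emitter contents below are constructed sample data.
// `fsLike` needs existsSync/readFileSync/writeFileSync; Node's fs module fits.
function emitAll(emitters, fsLike, argv) {
  const check = argv.includes('--check'); // the flag decides; never hardcode it
  const stale = [];
  const written = [];
  for (const { path, render } of emitters) {
    const expected = render();
    const current = fsLike.existsSync(path)
      ? fsLike.readFileSync(path, 'utf8')
      : null; // a missing artifact counts as drift
    if (current === expected) continue;
    if (check) {
      stale.push(path); // CI: report only, leave the tree untouched
    } else {
      fsLike.writeFileSync(path, expected); // pre-commit: regenerate
      written.push(path);
    }
  }
  return { exitCode: stale.length > 0 ? 1 : 0, stale, written };
}

// Minimal in-memory stand-in for fs so the demo runs offline.
function memoryFs(files) {
  const m = new Map(Object.entries(files));
  return {
    existsSync: (p) => m.has(p),
    readFileSync: (p) => m.get(p),
    writeFileSync: (p, data) => { m.set(p, data); },
  };
}

function demo() {
  const emitters = [
    { path: 'compliance/retention-policy.yml', render: () => 'retention_days: 30\n' },
    { path: 'compliance/sub-processors.yml', render: () => 'processors: []\n' },
  ];
  // Constructed starting state: one artifact stale, one missing.
  const disk = memoryFs({ 'compliance/retention-policy.yml': 'retention_days: 90\n' });
  const ci = emitAll(emitters, disk, ['--check']);      // detects drift, writes nothing
  const hook = emitAll(emitters, disk, []);             // regenerates both files
  const ciAfter = emitAll(emitters, disk, ['--check']); // clean tree passes
  return { ci, hook, ciAfter, disk };
}

console.log(demo().ci);
```

With --check hardcoded, the `writeFileSync` branch is unreachable, so stale artifacts would be reported on every run and never regenerated.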