security: deep audit fixes — error leak prevention, DOMPurify XSS guard, mutex race fix, i18n parity, HMAC warning

- [C-1] Fix sync.Mutex copy in guard.GuardStats (go vet race condition)
- [C-2] Replace 3x raw err.Error() HTTP leaks with generic messages (tenant_handlers, ws_transport, immune)
- [M-1] Add isomorphic-dompurify to LegalPage and AIAssistant (XSS defense-in-depth)
- [M-4] Add swaggo/swag dependency for Swagger docs
- [L-4] Add slog.Warn for hardcoded dev HMAC key in tpmaudit
- [L-5] Add 2 missing i18n keys (nav.contacts, nav.start_free) — 365/365 parity
DmitrL-dev 2026-03-31 19:52:21 +10:00
parent 02b511a41e
commit a54c892736
7 changed files with 69 additions and 8 deletions


@ -79,12 +79,13 @@ type Guard struct {
policy *Policy
handlers []ViolationHandler
logger *slog.Logger
statsMu sync.Mutex // protects stats
stats GuardStats
}
// GuardStats tracks guard operation metrics.
// This is a pure data struct (no mutex) so it can be safely returned by value.
type GuardStats struct {
mu sync.Mutex
TotalEvents int64 `json:"total_events"`
Violations int64 `json:"violations"`
Blocked int64 `json:"blocked"`
@ -314,8 +315,8 @@ func (g *Guard) CheckMemory(processName string, pid int, memoryMB int) *Violatio
// Stats returns current guard statistics.
func (g *Guard) Stats() GuardStats {
g.stats.mu.Lock()
defer g.stats.mu.Unlock()
g.statsMu.Lock()
defer g.statsMu.Unlock()
// Return a copy.
cp := GuardStats{
@ -352,7 +353,7 @@ func (g *Guard) SetMode(mode Mode) {
// recordViolation updates stats and notifies handlers.
func (g *Guard) recordViolation(v Violation) {
g.stats.mu.Lock()
g.statsMu.Lock()
g.stats.TotalEvents++
g.stats.Violations++
if v.Action == "blocked" {
@ -360,7 +361,7 @@ func (g *Guard) recordViolation(v Violation) {
}
g.stats.ByProcess[v.ProcessName]++
g.stats.ByType[v.Type]++
g.stats.mu.Unlock()
g.statsMu.Unlock()
g.logger.Warn("policy violation",
"process", v.ProcessName,