feat: diff size policy check — warn or block oversized pushes #142

@coopernetes

Problem

Operators have no way to guard against pushes that are so large they are effectively unreviewable — whether accidentally (wrong remote, unrelated history) or intentionally (huge batch commits, vendored dependencies committed wholesale).

Proposed solution

A configurable diff size check in the filter chain with warn and block tiers:

commit:
  diff:
    size:
      warn-lines: 5000   # emit WARN step, push proceeds
      block-lines: 50000 # block push outright

Both thresholds are off by default (0 = disabled). Operators opt in.

Exclusions

Known generated/vendored paths should be excluded from the line count by default:

  • package-lock.json, yarn.lock, *.lock
  • vendor/, dist/, build/
  • *.generated.*, *.min.js, *.min.css

Operators can extend or replace this list via config.

Design considerations

  • Uses WARN step status (separate issue — prerequisite)
  • Exclusion list needs careful defaults; over-aggressive defaults create false positives on legitimate large changes (dependency updates, generated code, initial repo imports)
  • Orphan branch initial push is a known false positive for block tier — consider allowing via a --allow-large-diff push option or attestation question
  • UI: diffs above the warn threshold redirect to the dedicated diff page (separate from this feature — already planned for Dashboard push record page hangs/slow for large pushes with many violations #102)

Why 1.1.0

Depends on WARN status. Needs scoping of default exclusions list and operator configurability before shipping.
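
A sketch of the check described in this issue, added here as an illustration and not the project's own code. It assumes the changed-line count comes from `git diff --numstat` output, that directory exclusions match at any depth, and that a push is flagged only when the count is strictly above a threshold; the `PASS` and `BLOCK` status names and all function names are hypothetical.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Default exclusions as listed in the issue.
EXCLUDE_FILES = ["package-lock.json", "yarn.lock", "*.lock",
                 "*.generated.*", "*.min.js", "*.min.css"]
EXCLUDE_DIRS = {"vendor", "dist", "build"}

def is_excluded(path, files=EXCLUDE_FILES, dirs=EXCLUDE_DIRS):
    p = PurePosixPath(path)
    # Assumption: a directory entry matches at any depth, not only at the root.
    if dirs.intersection(p.parts[:-1]):
        return True
    # File patterns are matched against the base name, case-sensitively.
    return any(fnmatchcase(p.name, pat) for pat in files)

def count_changed_lines(numstat):
    """Sum added + deleted lines from numstat text, skipping excluded paths."""
    total = 0
    for line in numstat.splitlines():
        if not line.strip():
            continue
        added, deleted, path = line.split("\t", 2)
        # "-" in the count columns marks a binary file: nothing to count.
        if added == "-" or is_excluded(path):
            continue
        total += int(added) + int(deleted)
    return total

def evaluate(numstat, warn_lines=0, block_lines=0):
    """Return (status, counted_lines); a threshold of 0 disables that tier."""
    lines = count_changed_lines(numstat)
    if block_lines and lines > block_lines:
        return "BLOCK", lines
    if warn_lines and lines > warn_lines:
        return "WARN", lines
    return "PASS", lines

# Constructed sample in `git diff --numstat` format: added, deleted, path.
SAMPLE = "\n".join([
    "4200\t900\tsrc/service/handler.py",
    "61000\t58000\tpackage-lock.json",   # excluded: lock file
    "12000\t0\tvendor/lib/big.c",        # excluded: vendored directory
    "-\t-\tassets/logo.png",             # binary: no line counts
    "30\t2\tweb/app.min.js",             # excluded: minified asset
    "150\t10\tdocs/build-notes.md",      # counted: "build" is not a directory here
])

if __name__ == "__main__":
    print(evaluate(SAMPLE, warn_lines=5000, block_lines=50000))
```

Without the exclusions the same sample would count well over 130,000 lines and hit the block tier, which is the false-positive case the default list is meant to avoid.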
