Swap migrated reads to Go RPC

[jonathanhaaswriter]

Summary

• add ConnectRPC ListRiskExceptions and Go/Postgres implementation preserving REST response shape
• switch already-migrated web read paths to use Go/ConnectRPC directly instead of REST fallbacks
• continue Node replacement by leaving remaining Node calls limited to auth, writes, catalogs, and side-effect-heavy flows

Validation

• go test ./...
• npm run typecheck
• npm run build:web
• npm run leak:check
• buf lint
• buf breaking against origin/main
• generated protobuf stability check
• govulncheck@v1.3.0 with patched Go toolchain
• npm run verify with temporary migrated Postgres and test encryption key

[factory-droid]

Droid finished @jonathanhaaswriter's task —— View job

---

Validated 1 candidate and approved a single P1 comment: this PR removes the web client's REST fallback before Connect is part of the default setup. That creates a real regression for core read-only screens in environments still running only the existing Express API.

[factory-droid]

[P1] Restore the REST fallback when Connect is not configured

This PR removes the NEXT_PUBLIC_CONNECT_API_BASE_URL guard from multiple migrated read helpers even though Go RPC is still opt-in in this repo: README.md documents setting that env var explicitly, .env.example leaves it blank, and apps/web/next.config.mjs does not proxy /aperio.v1.AperioService/*. In the default setup those dashboard/findings/apps/connectors/SIEM/shadow-IT reads now go to missing Connect endpoints (same-origin /aperio.v1... when the var is blank, or http://localhost:4100 when it is unset) instead of falling back to the existing REST API, so those screens stop loading unless the Go service is separately configured.