Fix audit release blockers — remove custom build backend and local shims, lock analysis to deterministic baseline #13

Open
Spbd1 wants to merge 1 commit into codex/conduct-audit-of-argument-risk-engine from codex/fix-audit-branch-before-merge

Spbd1 commented May 18, 2026

Motivation

  • Remove a custom local build backend and local third-party shims that shadow real dependencies so the project installs and uses upstream packages normally.
  • Ensure the uvicorn CLI maps to the real dependency and that running uvicorn backend.app.main:app --reload works with a standard environment.
  • Prevent claims that LLM-backed analysis is available unless the selected provider is actually invoked, and reduce obvious false positives in the starter taxonomy and mini-eval.
  • Serve the real React/Vite frontend when built and ensure the API routes remain available at both root and /api prefixes.

Description

  • Replaced the custom build backend by updating pyproject.toml build-system to use requires = ["setuptools>=68", "wheel"] and build-backend = "setuptools.build_meta" and removed build_backend.py so package discovery uses normal setuptools behavior.
  • Deleted local shims that shadow third-party packages (uvicorn/, fastapi/ and pydantic/ stubs) so runtime imports resolve to installed dependencies instead of repository shims.
  • Restricted analysis to the deterministic baseline by changing engine/argument_risk_engine/analyzer.py to force mode = "deterministic_baseline" and model_provider_id = "deterministic_baseline", and added a clear warning when callers request non-deterministic/LLM modes.
  • Reduced overgeneralization false positives by adding a gating helper _has_unsupported_universal_claim in engine/argument_risk_engine/classification/deterministic.py that avoids matching trigger words in bounded, literal, quoted, or clearly sourced statements.
  • Added required starter taxonomy quality fields in data/taxonomy/packs/starter-pack.yaml and aligned the in-code default_taxonomy_pack() in engine/argument_risk_engine/taxonomy/models.py with negative_examples, minimum_evidence_requirement, and common_false_positives for active entries.
  • Switched frontend defaults to the React/Vite entrypoint by updating frontend/index.html, frontend/package.json scripts/deps, and frontend/src/api/client.ts to use same-origin /api base; and changed backend/app/main.py to add /api/health and mount frontend/dist via StaticFiles when present.

Testing

  • python -m compileall backend engine tests — succeeded (byte-compilation passed across backend, engine, and tests).
  • pip install -e .[dev] — could not complete in this environment because the runner could not fetch build/install dependencies from upstream (setuptools/network 403), so editable install was not verified here.
  • pytest — could not complete end-to-end because real pydantic/fastapi/uvicorn were not available in the test environment after removal of local shims (dependency install blocked); test collection failed due to missing packages.
  • uvicorn backend.app.main:app --reload --port 8002 and subsequent curl checks — could not run because uvicorn was not installed in this environment after dependency installation failed.
  • cd frontend && npm install and cd frontend && npm run build — could not complete because this environment cannot fetch npm packages (403 Forbidden) so Vite build verification did not run.

If CI or a developer workstation has network access, the expected verification steps are: pip install -e .[dev], python -m compileall backend engine tests, pytest, uvicorn backend.app.main:app --reload --port 8002 and then curl -fsS http://127.0.0.1:8002/health and curl -fsS http://127.0.0.1:8002/taxonomy-workbench/quality-report, and cd frontend && npm install && npm run build.


Codex Task
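
A CI guard for the shim removal described in this pull request, as an added example that is not part of the PR or the project's code: it asks Python's import machinery whether a declared dependency would resolve to a file inside the repository instead of the installed package. The function names, the sample tree and the requirement strings are constructed for illustration, and the check assumes each import name equals the normalized distribution name (true for uvicorn, fastapi and pydantic).

```python
import importlib
import re
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path


def import_name(requirement: str) -> str:
    """Drop extras and version specifiers; assumes import name == dist name."""
    dist = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", requirement.strip()).group(0)
    return re.sub(r"[-.]+", "_", dist).lower()


def find_shadows(repo_root, requirements):
    """Return {import_name: repo-relative file} for dependencies shadowed locally."""
    importlib.invalidate_caches()
    shadows = {}
    for req in requirements:
        name = import_name(req)
        # What would be loaded if only the repository root were searched?
        spec = PathFinder.find_spec(name, [str(repo_root)])
        # A bare directory (no __init__.py) is only a namespace portion and does
        # not win over a regular installed package, so require a file origin.
        if spec and spec.origin and Path(spec.origin).is_file():
            shadows[name] = Path(spec.origin).relative_to(repo_root).as_posix()
    return shadows


def constructed_repo(root: Path) -> Path:
    """Constructed sample tree with local stubs like the ones the PR deletes."""
    (root / "uvicorn").mkdir()
    (root / "uvicorn" / "__init__.py").write_text("# stub\n")
    (root / "pydantic.py").write_text("# stub\n")
    (root / "fastapi").mkdir()  # bare directory: not a shadow by itself
    (root / "backend").mkdir()
    (root / "backend" / "__init__.py").write_text("")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed requirement strings, not taken from the project's pyproject.toml.
        deps = ["uvicorn[standard]", "fastapi", "pydantic"]
        found = find_shadows(constructed_repo(Path(tmp)), deps)
        for name, path in found.items():
            print(f"SHADOWED: {name} -> {path}")
        raise SystemExit(1 if found else 0)
```

Run against a real checkout by passing the repository root and the dependency list from `pyproject.toml`; a non-empty result means an import can resolve to repository code whenever the root is on `sys.path`.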
