Commit 40a48ce

CyberSecDef and claude committed
CCI page: support both 800-53 Rev 4 and Rev 5, default to Rev 5
New reference data (public, license-clean for a public site):
- resources/data/rmf/NIST_SP-800-53_rev5_catalog_OSCAL.json — authoritative NIST OSCAL 5.2.0 catalog (Rev 5 controls + 800-53A Rev 5 assessment procedures), kept for provenance.
- resources/data/800-53r5.json — Rev 5 analog of 800-53r4.json, generated from that OSCAL + the 2024 CCI list: per-control name/definition/guidance/status, 800-53A assessment objectives + methods, ODP params, withdrawn->incorporated_into, and the Rev 5 CCI mappings.

CciController — revision-aware, defaults to Rev 5:
- Switched to U_CCI_List_2024.xml (carries both v4 and v5 control refs per CCI; 5,100 CCIs). Per CCI: Rev 5 mapping live + any differing Rev 4 struck; Rev-4-only shown struck (dropped in Rev 5); v3-only resolved against Rev 5 as a legacy mapping; DoD per-CCI assessment overlay carried forward from Rev 4 where it exists.
- Split /cci (tiny shell) from /cci/data (JSON). The table loads client-side via DataTables ajax + deferRender, and per-control text is deduped (sent once, not per CCI), so the page is a 65 KB shell + ~0.5 MB gzipped data instead of a multi-MB, 5,100-row server-rendered DOM. The 503 data guard moved to /cci/data.

Template — client-side rev-aware rendering: struck/dual controls, "Rev 4 only" / "Rev 3 (legacy)" / "withdrawn" / "deprecated" badges, dimmed rows, top-aligned cells, and muted "—" placeholders (with tooltip) where data is genuinely not public.

Tests: page renders, data endpoint is revision-aware; full suite green (201).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 485f01f commit 40a48ce

6 files changed

Lines changed: 255413 additions & 192 deletions

cyber.trackr.live/resources/data/800-53r5.json

Lines changed: 1 addition & 0 deletions
Large diffs are not rendered by default.
