feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

etc/airgap.yaml.sample

@@ -0,0 +1,136 @@
+# StellaOps Air-Gap Controller configuration template.
+# Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
+# Task: SEAL-019 - Staleness policy configuration
+#
+# Copy to airgap.yaml and adjust values to fit your environment.
+# Environment variables prefixed with STELLAOPS_AIRGAP_ override these values.
+
+schemaVersion: 1
+
+# Staleness policy configuration
+# Controls how long knowledge snapshots remain valid before requiring refresh.
+staleness:
+  # Maximum age before snapshot is rejected (default: 168 hours = 7 days)
+  maxAgeHours: 168
+
+  # Age at which warnings are emitted (default: 72 hours = 3 days)
+  warnAgeHours: 72
+
+  # Whether to require a valid time anchor for import
+  requireTimeAnchor: true
+
+  # Action when snapshot is stale: "warn", "block"
+  staleAction: block
+
+  # Per-content staleness budgets (overrides default)
+  contentBudgets:
+    advisories:
+      warningSeconds: 86400     # 24 hours
+      breachSeconds: 259200     # 72 hours (3 days)
+    vex:
+      warningSeconds: 86400     # 24 hours
+      breachSeconds: 604800     # 168 hours (7 days)
+    policy:
+      warningSeconds: 604800    # 7 days
+      breachSeconds: 2592000    # 30 days
+
+# Snapshot export configuration
+export:
+  # Default output directory for exported snapshots
+  outputDirectory: "./snapshots"
+
+  # Compression level (0-9, default: 6)
+  compressionLevel: 6
+
+  # Whether to include trust roots in export
+  includeTrustRoots: true
+
+  # Default feeds to include (empty = all)
+  defaultFeeds: []
+
+  # Default ecosystems to include (empty = all)
+  defaultEcosystems: []
+
+# Snapshot import configuration
+import:
+  # Directory for quarantined failed imports
+  quarantineDirectory: "./quarantine"
+
+  # Quarantine TTL in hours (default: 168 = 7 days)
+  quarantineTtlHours: 168
+
+  # Maximum quarantine size in MB (default: 1024 = 1GB)
+  quarantineMaxSizeMb: 1024
+
+  # Whether to verify signature on import
+  verifySignature: true
+
+  # Whether to verify merkle root on import
+  verifyMerkleRoot: true
+
+  # Whether to enforce version monotonicity (prevent rollback)
+  enforceMonotonicity: true
+
+# Trust store configuration
+trustStore:
+  # Path to trust roots bundle
+  rootBundlePath: "/etc/stellaops/trust-roots.pem"
+
+  # Allowed signature algorithms
+  allowedAlgorithms:
+    - "ES256"
+    - "ES384"
+    - "Ed25519"
+    - "RS256"
+    - "RS384"
+
+  # Key rotation settings
+  rotation:
+    # Require approval for key rotation
+    requireApproval: true
+
+    # Pending key timeout in hours
+    pendingTimeoutHours: 24
+
+# Time anchor configuration
+timeAnchor:
+  # Default time anchor source: "roughtime", "rfc3161", "local"
+  defaultSource: "roughtime"
+
+  # Roughtime server endpoints
+  roughtimeServers:
+    - "roughtime.cloudflare.com:2003"
+    - "roughtime.google.com:2003"
+
+  # RFC 3161 TSA endpoints
+  rfc3161Servers:
+    - "http://timestamp.digicert.com"
+    - "http://timestamp.comodoca.com"
+
+  # Maximum allowed clock drift in seconds
+  maxClockDriftSeconds: 60
+
+# Egress policy (network access control in sealed mode)
+egressPolicy:
+  # Policy mode: "allowlist", "denylist"
+  mode: allowlist
+
+  # Allowed hosts when sealed (allowlist mode)
+  allowedHosts: []
+
+  # Denied hosts (denylist mode)
+  deniedHosts: []
+
+  # Allow localhost traffic when sealed
+  allowLocalhost: true
+
+# Logging and telemetry
+telemetry:
+  # Log staleness warnings
+  logStalenessWarnings: true
+
+  # Emit metrics for staleness tracking
+  emitStalenessMetrics: true
+
+  # Activity source name for tracing
+  activitySourceName: "StellaOps.AirGap"