feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

policies/starter-day1/overrides/development.yaml

@@ -0,0 +1,52 @@
+# Stella Ops Starter Policy - Development Override
+# Version: 1.0.0
+#
+# Development environment is lenient to enable rapid iteration:
+# - Never block, only warn
+# - Higher unknowns threshold
+# - No signing requirements
+# - All vulnerabilities logged but allowed
+#
+# NOTE: Development policy is for local dev only. Pre-commit hooks
+# or CI should use staging or production policies.
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-development
+  version: "1.0.0"
+  parent: starter-day1
+  environment: development
+  description: "Lenient settings for development - warn only, never block"
+
+spec:
+  # Development settings - maximum leniency
+  settings:
+    defaultAction: allow
+    unknownsThreshold: 0.50  # 50% unknowns allowed in dev
+    requireSignedSbom: false
+    requireSignedVerdict: false
+    minimumVexTrustScore: 0.0  # Accept any VEX in dev
+
+  ruleOverrides:
+    # Downgrade all blocking rules to warnings
+    - name: block-reachable-high-critical
+      action: warn  # Warn instead of block
+
+    - name: block-kev
+      action: warn  # Warn instead of block
+
+    - name: fail-on-unknowns
+      action: warn  # Warn instead of block
+
+    # Disable signing requirements entirely
+    - name: require-signed-sbom-prod
+      enabled: false
+
+    - name: require-signed-verdict-prod
+      enabled: false
+
+    # Enable verbose logging for all findings (helpful for debugging)
+    - name: default-allow
+      log: true
+      logLevel: verbose

policies/starter-day1/overrides/production.yaml

@@ -0,0 +1,44 @@
+# Stella Ops Starter Policy - Production Override
+# Version: 1.0.0
+#
+# Production environment has the strictest settings:
+# - All blocking rules enforced
+# - Lower unknowns threshold
+# - Signed artifacts required
+# - Higher VEX trust score required
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-production
+  version: "1.0.0"
+  parent: starter-day1
+  environment: production
+  description: "Strict settings for production deployments"
+
+spec:
+  # Production settings - stricter than defaults
+  settings:
+    defaultAction: block  # Block by default in production
+    unknownsThreshold: 0.03  # Only 3% unknowns allowed
+    requireSignedSbom: true
+    requireSignedVerdict: true
+    minimumVexTrustScore: 0.7  # Higher trust required
+
+  # No rule overrides - production uses base rules at full strictness
+  ruleOverrides: []
+
+  # Additional production-only rules
+  additionalRules:
+    # Require explicit approval for any blocked findings
+    - name: require-approval-for-exceptions
+      priority: 400
+      description: "Any exception in production requires documented approval"
+      match:
+        hasException: true
+      require:
+        exceptionApproval: true
+        exceptionExpiry:
+          maxDays: 30
+      action: block
+      message: "Production exceptions require approval and must expire within 30 days"

policies/starter-day1/overrides/staging.yaml

@@ -0,0 +1,37 @@
+# Stella Ops Starter Policy - Staging Override
+# Version: 1.0.0
+#
+# Staging environment balances security and development velocity:
+# - Critical/HIGH blocking still enforced
+# - Slightly higher unknowns threshold
+# - Signed artifacts recommended but not required
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-staging
+  version: "1.0.0"
+  parent: starter-day1
+  environment: staging
+  description: "Balanced settings for staging environment"
+
+spec:
+  # Staging settings - moderate strictness
+  settings:
+    defaultAction: warn
+    unknownsThreshold: 0.10  # 10% unknowns allowed
+    requireSignedSbom: false  # Recommended but not required
+    requireSignedVerdict: false
+    minimumVexTrustScore: 0.5
+
+  ruleOverrides:
+    # KEV vulnerabilities still blocked in staging
+    - name: block-kev
+      enabled: true
+
+    # Signing requirements disabled for staging
+    - name: require-signed-sbom-prod
+      enabled: false
+
+    - name: require-signed-verdict-prod
+      enabled: false