feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

policies/starter-day1/overrides/development.yaml

@@ -0,0 +1,52 @@
+# Stella Ops Starter Policy - Development Override
+# Version: 1.0.0
+#
+# Development environment is lenient to enable rapid iteration:
+# - Never block, only warn
+# - Higher unknowns threshold
+# - No signing requirements
+# - All vulnerabilities logged but allowed
+#
+# NOTE: Development policy is for local dev only. Pre-commit hooks
+# or CI should use staging or production policies.
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-development
+  version: "1.0.0"
+  parent: starter-day1
+  environment: development
+  description: "Lenient settings for development - warn only, never block"
+
+spec:
+  # Development settings - maximum leniency
+  settings:
+    defaultAction: allow
+    unknownsThreshold: 0.50  # 50% unknowns allowed in dev
+    requireSignedSbom: false
+    requireSignedVerdict: false
+    minimumVexTrustScore: 0.0  # Accept any VEX in dev
+
+  ruleOverrides:
+    # Downgrade all blocking rules to warnings
+    - name: block-reachable-high-critical
+      action: warn  # Warn instead of block
+
+    - name: block-kev
+      action: warn  # Warn instead of block
+
+    - name: fail-on-unknowns
+      action: warn  # Warn instead of block
+
+    # Disable signing requirements entirely
+    - name: require-signed-sbom-prod
+      enabled: false
+
+    - name: require-signed-verdict-prod
+      enabled: false
+
+    # Enable verbose logging for all findings (helpful for debugging)
+    - name: default-allow
+      log: true
+      logLevel: verbose