feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

policies/starter-day1/overrides/production.yaml

@@ -0,0 +1,44 @@
+# Stella Ops Starter Policy - Production Override
+# Version: 1.0.0
+#
+# Production environment has the strictest settings:
+# - All blocking rules enforced
+# - Lower unknowns threshold
+# - Signed artifacts required
+# - Higher VEX trust score required
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyOverride
+metadata:
+  name: starter-day1-production
+  version: "1.0.0"
+  parent: starter-day1
+  environment: production
+  description: "Strict settings for production deployments"
+
+spec:
+  # Production settings - stricter than defaults
+  settings:
+    defaultAction: block  # Block by default in production
+    unknownsThreshold: 0.03  # Only 3% unknowns allowed
+    requireSignedSbom: true
+    requireSignedVerdict: true
+    minimumVexTrustScore: 0.7  # Higher trust required
+
+  # No rule overrides - production uses base rules at full strictness
+  ruleOverrides: []
+
+  # Additional production-only rules
+  additionalRules:
+    # Require explicit approval for any blocked findings
+    - name: require-approval-for-exceptions
+      priority: 400
+      description: "Any exception in production requires documented approval"
+      match:
+        hasException: true
+      require:
+        exceptionApproval: true
+        exceptionExpiry:
+          maxDays: 30
+      action: block
+      message: "Production exceptions require approval and must expire within 30 days"