feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -95,6 +95,7 @@ internal static class CommandFactory
         root.Add(ProofCommandGroup.BuildProofCommand(services, verboseOption, cancellationToken));
         root.Add(ReplayCommandGroup.BuildReplayCommand(verboseOption, cancellationToken));
         root.Add(DeltaCommandGroup.BuildDeltaCommand(verboseOption, cancellationToken));
+        root.Add(ReachabilityCommandGroup.BuildReachabilityCommand(services, verboseOption, cancellationToken));
 
         // Add scan graph subcommand to existing scan command
         var scanCommand = root.Children.OfType<Command>().FirstOrDefault(c => c.Name == "scan");
@@ -2690,6 +2691,9 @@ internal static class CommandFactory
 
         policy.Add(verifySignature);
 
+        // Add policy pack commands (validate, install, list-packs)
+        PolicyCommandGroup.AddPolicyPackCommands(policy, verboseOption, cancellationToken);
+
         return policy;
     }