feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/KpiEndpoints.cs

@@ -0,0 +1,136 @@
+using Microsoft.AspNetCore.Mvc;
+using StellaOps.Metrics.Kpi;
+
+namespace StellaOps.Orchestrator.WebService.Endpoints;
+
+/// <summary>
+/// Quality KPI endpoints for explainable triage metrics.
+/// </summary>
+public static class KpiEndpoints
+{
+    /// <summary>
+    /// Maps KPI endpoints to the route builder.
+    /// </summary>
+    public static IEndpointRouteBuilder MapKpiEndpoints(this IEndpointRouteBuilder app)
+    {
+        var group = app.MapGroup("/api/v1/metrics/kpis")
+            .WithTags("Quality KPIs")
+            .RequireAuthorization("metrics:read");
+
+        // GET /api/v1/metrics/kpis
+        group.MapGet("/", GetQualityKpis)
+            .WithName("Orchestrator_GetQualityKpis")
+            .WithDescription("Get quality KPIs for explainable triage");
+
+        // GET /api/v1/metrics/kpis/reachability
+        group.MapGet("/reachability", GetReachabilityKpis)
+            .WithName("Orchestrator_GetReachabilityKpis")
+            .WithDescription("Get reachability-specific KPIs");
+
+        // GET /api/v1/metrics/kpis/explainability
+        group.MapGet("/explainability", GetExplainabilityKpis)
+            .WithName("Orchestrator_GetExplainabilityKpis")
+            .WithDescription("Get explainability-specific KPIs");
+
+        // GET /api/v1/metrics/kpis/runtime
+        group.MapGet("/runtime", GetRuntimeKpis)
+            .WithName("Orchestrator_GetRuntimeKpis")
+            .WithDescription("Get runtime corroboration KPIs");
+
+        // GET /api/v1/metrics/kpis/replay
+        group.MapGet("/replay", GetReplayKpis)
+            .WithName("Orchestrator_GetReplayKpis")
+            .WithDescription("Get replay/determinism KPIs");
+
+        // GET /api/v1/metrics/kpis/trend
+        group.MapGet("/trend", GetKpiTrend)
+            .WithName("Orchestrator_GetKpiTrend")
+            .WithDescription("Get KPI trend over time");
+
+        return app;
+    }
+
+    private static async Task<IResult> GetQualityKpis(
+        [FromQuery] DateTimeOffset? from,
+        [FromQuery] DateTimeOffset? to,
+        [FromQuery] string? tenant,
+        [FromServices] IKpiCollector collector,
+        CancellationToken ct)
+    {
+        var start = from ?? DateTimeOffset.UtcNow.AddDays(-7);
+        var end = to ?? DateTimeOffset.UtcNow;
+
+        var kpis = await collector.CollectAsync(start, end, tenant, ct);
+        return Results.Ok(kpis);
+    }
+
+    private static async Task<IResult> GetReachabilityKpis(
+        [FromQuery] DateTimeOffset? from,
+        [FromQuery] DateTimeOffset? to,
+        [FromQuery] string? tenant,
+        [FromServices] IKpiCollector collector,
+        CancellationToken ct)
+    {
+        var kpis = await collector.CollectAsync(
+            from ?? DateTimeOffset.UtcNow.AddDays(-7),
+            to ?? DateTimeOffset.UtcNow,
+            tenant,
+            ct);
+        return Results.Ok(kpis.Reachability);
+    }
+
+    private static async Task<IResult> GetExplainabilityKpis(
+        [FromQuery] DateTimeOffset? from,
+        [FromQuery] DateTimeOffset? to,
+        [FromQuery] string? tenant,
+        [FromServices] IKpiCollector collector,
+        CancellationToken ct)
+    {
+        var kpis = await collector.CollectAsync(
+            from ?? DateTimeOffset.UtcNow.AddDays(-7),
+            to ?? DateTimeOffset.UtcNow,
+            tenant,
+            ct);
+        return Results.Ok(kpis.Explainability);
+    }
+
+    private static async Task<IResult> GetRuntimeKpis(
+        [FromQuery] DateTimeOffset? from,
+        [FromQuery] DateTimeOffset? to,
+        [FromQuery] string? tenant,
+        [FromServices] IKpiCollector collector,
+        CancellationToken ct)
+    {
+        var kpis = await collector.CollectAsync(
+            from ?? DateTimeOffset.UtcNow.AddDays(-7),
+            to ?? DateTimeOffset.UtcNow,
+            tenant,
+            ct);
+        return Results.Ok(kpis.Runtime);
+    }
+
+    private static async Task<IResult> GetReplayKpis(
+        [FromQuery] DateTimeOffset? from,
+        [FromQuery] DateTimeOffset? to,
+        [FromQuery] string? tenant,
+        [FromServices] IKpiCollector collector,
+        CancellationToken ct)
+    {
+        var kpis = await collector.CollectAsync(
+            from ?? DateTimeOffset.UtcNow.AddDays(-7),
+            to ?? DateTimeOffset.UtcNow,
+            tenant,
+            ct);
+        return Results.Ok(kpis.Replay);
+    }
+
+    private static async Task<IResult> GetKpiTrend(
+        [FromQuery] int days = 30,
+        [FromQuery] string? tenant = null,
+        [FromServices] IKpiTrendService trendService,
+        CancellationToken ct)
+    {
+        var trend = await trendService.GetTrendAsync(days, tenant, ct);
+        return Results.Ok(trend);
+    }
+}

src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj

@@ -39,6 +39,7 @@
     <ProjectReference Include="..\..\..\__Libraries\StellaOps.Messaging.Transport.InMemory\StellaOps.Messaging.Transport.InMemory.csproj" />
     <ProjectReference Include="..\..\..\__Libraries\StellaOps.Messaging.Transport.Postgres\StellaOps.Messaging.Transport.Postgres.csproj" />
     <ProjectReference Include="..\..\..\__Libraries\StellaOps.Messaging.Transport.Valkey\StellaOps.Messaging.Transport.Valkey.csproj" />
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Metrics\StellaOps.Metrics.csproj" />
 
   </ItemGroup>