feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

src/__Libraries/StellaOps.AuditPack/Models/AuditBundleManifest.cs

@@ -0,0 +1,199 @@
+// -----------------------------------------------------------------------------
+// AuditBundleManifest.cs
+// Sprint: SPRINT_4300_0001_0002 (One-Command Audit Replay CLI)
+// Task: REPLAY-001 - Define audit bundle manifest schema
+// Description: Defines the manifest schema for self-contained audit bundles.
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+
+namespace StellaOps.AuditPack.Models;
+
+/// <summary>
+/// Manifest for a self-contained audit bundle that enables offline replay.
+/// Contains all input hashes required for deterministic verdict reproduction.
+/// </summary>
+public sealed record AuditBundleManifest
+{
+    /// <summary>
+    /// Unique identifier for this audit bundle.
+    /// </summary>
+    public required string BundleId { get; init; }
+
+    /// <summary>
+    /// Schema version for forward compatibility.
+    /// </summary>
+    public string SchemaVersion { get; init; } = "1.0.0";
+
+    /// <summary>
+    /// Human-readable name for this bundle.
+    /// </summary>
+    public required string Name { get; init; }
+
+    /// <summary>
+    /// UTC timestamp when bundle was created.
+    /// </summary>
+    public required DateTimeOffset CreatedAt { get; init; }
+
+    /// <summary>
+    /// Scan identifier this bundle was created from.
+    /// </summary>
+    public required string ScanId { get; init; }
+
+    /// <summary>
+    /// Image reference that was scanned.
+    /// </summary>
+    public required string ImageRef { get; init; }
+
+    /// <summary>
+    /// Image digest (sha256:...).
+    /// </summary>
+    public required string ImageDigest { get; init; }
+
+    /// <summary>
+    /// Merkle root of all bundle contents for integrity verification.
+    /// </summary>
+    public required string MerkleRoot { get; init; }
+
+    /// <summary>
+    /// Digest hashes for all inputs used in the scan.
+    /// </summary>
+    public required InputDigests Inputs { get; init; }
+
+    /// <summary>
+    /// Digest of the verdict produced by the scan.
+    /// </summary>
+    public required string VerdictDigest { get; init; }
+
+    /// <summary>
+    /// Decision from the verdict (pass, warn, block).
+    /// </summary>
+    public required string Decision { get; init; }
+
+    /// <summary>
+    /// Inventory of files in the bundle.
+    /// </summary>
+    public required ImmutableArray<BundleFileEntry> Files { get; init; }
+
+    /// <summary>
+    /// Total size of all files in bytes.
+    /// </summary>
+    public long TotalSizeBytes { get; init; }
+
+    /// <summary>
+    /// Time anchor for replay time context.
+    /// </summary>
+    public TimeAnchor? TimeAnchor { get; init; }
+
+    /// <summary>
+    /// Signature algorithm used for signing.
+    /// </summary>
+    public string? SignatureAlgorithm { get; init; }
+
+    /// <summary>
+    /// Key ID used for signing.
+    /// </summary>
+    public string? SigningKeyId { get; init; }
+}
+
+/// <summary>
+/// Input digest hashes for deterministic replay.
+/// These must match exactly for replay to succeed.
+/// </summary>
+public sealed record InputDigests
+{
+    /// <summary>
+    /// SHA-256 digest of the SBOM document.
+    /// </summary>
+    public required string SbomDigest { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the advisory feeds snapshot.
+    /// </summary>
+    public required string FeedsDigest { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the policy bundle.
+    /// </summary>
+    public required string PolicyDigest { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the VEX statements.
+    /// </summary>
+    public string? VexDigest { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the scoring rules.
+    /// </summary>
+    public string? ScoringDigest { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the trust roots.
+    /// </summary>
+    public string? TrustRootsDigest { get; init; }
+}
+
+/// <summary>
+/// Entry for a file in the bundle.
+/// </summary>
+public sealed record BundleFileEntry
+{
+    /// <summary>
+    /// Relative path within the bundle.
+    /// </summary>
+    public required string RelativePath { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the file.
+    /// </summary>
+    public required string Digest { get; init; }
+
+    /// <summary>
+    /// Size of the file in bytes.
+    /// </summary>
+    public required long SizeBytes { get; init; }
+
+    /// <summary>
+    /// Type of content.
+    /// </summary>
+    public required BundleContentType ContentType { get; init; }
+}
+
+/// <summary>
+/// Type of content in the bundle.
+/// </summary>
+public enum BundleContentType
+{
+    Manifest,
+    Signature,
+    Sbom,
+    Feeds,
+    Policy,
+    Vex,
+    Verdict,
+    ProofBundle,
+    TrustRoot,
+    TimeAnchor,
+    Other
+}
+
+/// <summary>
+/// Time anchor for establishing evaluation time.
+/// </summary>
+public sealed record TimeAnchor
+{
+    /// <summary>
+    /// Anchor timestamp.
+    /// </summary>
+    public required DateTimeOffset Timestamp { get; init; }
+
+    /// <summary>
+    /// Source of the time anchor (local, roughtime, rfc3161).
+    /// </summary>
+    public required string Source { get; init; }
+
+    /// <summary>
+    /// Digest of the time anchor token.
+    /// </summary>
+    public string? TokenDigest { get; init; }
+}