Add unit tests for AST parsing and security sink detection

- Created `StellaOps.AuditPack.Tests.csproj` for unit testing the AuditPack library.
- Implemented comprehensive unit tests in `index.test.js` for AST parsing, covering various JavaScript and TypeScript constructs including functions, classes, decorators, and JSX.
- Added `sink-detect.test.js` to test security sink detection patterns, validating command injection, SQL injection, file write, deserialization, SSRF, NoSQL injection, and more.
- Included tests for taint source detection in various contexts such as Express, Koa, and AWS Lambda.

docs/implplan/archived/SPRINT_4400_SUMMARY.md

@@ -0,0 +1,50 @@
+# SPRINT_4400 SUMMARY: Delta Verdicts & Reachability Attestations
+
+## Program Overview
+
+| Field | Value |
+|-------|-------|
+| **Program ID** | 4400 |
+| **Theme** | Attestable Change Control: Delta Verdicts & Reachability Proofs |
+| **Priority** | P2 (Medium) |
+| **Total Effort** | ~4 weeks |
+| **Advisory Source** | 19-Dec-2025 - Stella Ops candidate features mapped to moat strength |
+
+---
+
+## Strategic Context
+
+This program extends the attestation infrastructure to cover:
+1. **Smart-Diff semantic delta** — Changes in exploitable surface as signed artifacts
+2. **Reachability proofs** — Call-path subgraphs as portable evidence
+
+---
+
+## Sprint Breakdown
+
+| Sprint ID | Title | Effort | Moat |
+|-----------|-------|--------|------|
+| 4400_0001_0001 | Signed Delta Verdict Attestation | 2 weeks | 4 |
+| 4400_0001_0002 | Reachability Subgraph Attestation | 2 weeks | 4 |
+
+---
+
+## Dependencies
+
+- **Requires**: SPRINT_4300_0001_0001 (OCI Verdict Push)
+- **Requires**: MaterialRiskChangeDetector (exists)
+- **Requires**: PathWitnessBuilder (exists)
+
+---
+
+## Outcomes
+
+1. Delta verdicts become attestable change-control artifacts
+2. Reachability analysis produces portable proof subgraphs
+3. Both can be pushed to OCI registries as referrers
+
+---
+
+**Sprint Series Status:** DONE
+
+**Created:** 2025-12-22