NPM Package Audit

Allowlist-first static analysis. Detects typosquats, forbidden packages, deprecated dependencies, and suspicious naming patterns before installation.