Add artifact malware quarantine guard

[KoiosSG]

/claim #14

Summary

• Adds a self-contained artifact-malware-quarantine-guard/ slice for Scientific/Engineering Data & Code Hosting issue Scientific/Engineering Data & Code Hosting #14.
• Evaluates hosted uploads before preview, reproduce-run, API access, or export using synthetic scan evidence, checksums, archive shape, macro/model/notebook risk, and scan freshness.
• Emits deterministic JSON, Markdown, SVG, and MP4 reviewer artifacts with SHA-256 audit digests.

Scope

This focuses specifically on malware, archive-bomb, macro-enabled spreadsheet, unsafe model deserialization, embedded notebook script, denylisted checksum, and stale-scan gates before hosted artifacts are released.

It is distinct from the existing FAIR manifest/access, artifact package integrity, preview cache, raw/notebook preview, retention/tombstone, model-card lineage, license compatibility, sensitive-redaction, schema-evolution, data-dictionary, persistent-ID, SBOM, upload checkpoint, replica consistency, and column-sensitivity slices.

Validation

• cd artifact-malware-quarantine-guard && npm run check -> passed
• cd artifact-malware-quarantine-guard && npm test -> artifact-malware-quarantine-guard tests passed (3)
• cd artifact-malware-quarantine-guard && npm run demo -> generated JSON/Markdown/SVG artifacts
• cd artifact-malware-quarantine-guard && npm run demo:video -> generated reports/demo.mp4
• ffprobe confirmed reports/demo.mp4 is H.264, 1280x720, 7.5s, 24fps
• git diff --check -> passed
• rg -n "(password|secret|wallet|paypal|bank|passport|private key|api key)" artifact-malware-quarantine-guard -> no matches

Safety

Synthetic data only. No credentials, private research files, network calls, live malware scanner calls, storage mutations, payment processor calls, or private dashboard data are included.

AI-assisted with OpenAI Codex; I reviewed and locally verified the diff before submitting.