Add dependency scanning provenance and lockfile gates#1547

Open
bozicovichsantiago20-oss wants to merge 2 commits into UnitOneAI:main from bozicovichsantiago20-oss:codex/dependency-scanning-1536

Conversation

@bozicovichsantiago20-oss

/claim #1536

Summary

  • contextualizes dependency depth so deep-but-well-provenanced trees are not escalated on depth alone
  • adds structured output sections for lockfile integrity/bisectability, provenance chain propagation, dependency-confusion routing evidence, and per-package supply-chain risk scoring
  • adds defensive fixtures covering deep tree context, weak lockfile bisectability, transitive provenance degradation, private registry routing, and risky non-typosquat package signals
  • adds npm lockfile and Sigstore references for reviewer traceability

Validation

  • git diff --cached --check before commit
  • marker check for depth contextualization, lockfile integrity, provenance chain propagation, dependency confusion routing, supply-chain risk score, defensive fixtures, and Not Evaluable handling
  • markdown fence count balanced
  • fixture key check for all five defensive scenarios
  • new npm docs and Sigstore links returned HTTP 200

@bozicovichsantiago20-oss

Follow-up pushed: commit 241eb39 adds an ecosystem evidence source matrix for npm/pnpm/Yarn, Python, Go, Rust, and Maven/Gradle so reviewers can reproduce where pins, hashes, registry routing, and provenance signals came from. It also adds a Python --extra-index-url fixture where public fallback remains possible, covering the dependency-confusion routing edge case.

Validation rerun:
- git diff --check
- Markdown fence balance check
- marker checks for Ecosystem Evidence Sources, --extra-index-url, Not Evaluable, and python_extra_index_fallback

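An added example, not part of this PR or its fixtures: a small checker that produces the two kinds of evidence the PR's scanner sections describe, pip index routing (whether --extra-index-url leaves a public fallback open) and npm lockfile integrity/routing. The private scope `@acme/` and the hostnames `pypi.internal.example` / `npm.internal.example` are constructed assumptions.

```python
import json
import shlex
from urllib.parse import urlparse

# Constructed inputs (not the PR's fixtures): a pip requirements file using
# --extra-index-url for a private index, and a minimal npm package-lock.json.
REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
internal-auth==2.1.0
requests==2.32.3
"""
PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@acme/internal-lib": {"version": "1.4.0", "integrity": "sha512-AAAA",
        "resolved": "https://npm.internal.example/@acme/internal-lib/-/internal-lib-1.4.0.tgz"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
}})

def pip_routing(requirements_text):
    """Return (mode, hosts): 'exclusive' when only --index-url is set, 'fallback'
    when --extra-index-url leaves public PyPI able to satisfy a name, else 'default'."""
    index, extras = None, []
    for line in requirements_text.splitlines():
        toks = shlex.split(line, comments=True)
        for i, tok in enumerate(toks):
            opt, _, val = tok.partition("=")
            val = val or (toks[i + 1] if i + 1 < len(toks) else None)
            if opt in ("-i", "--index-url"):
                index = val
            elif opt == "--extra-index-url" and val:
                extras.append(val)
    if extras:  # pip merges all indexes; the resolver may pick the public copy
        return "fallback", [urlparse(u).hostname for u in extras]
    return ("exclusive", [urlparse(index).hostname]) if index else ("default", [])

def lockfile_findings(lock_json, private_scopes=("@acme/",), private_host="npm.internal.example"):
    """Flag entries with no integrity hash, and private-scope packages resolved elsewhere."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if "integrity" not in meta:
            findings.append((name, "missing-integrity"))
        host = urlparse(meta.get("resolved", "")).hostname
        if name.startswith(private_scopes) and host != private_host:
            findings.append((name, "public-routing"))
    return findings
```

Run on the constructed inputs, the requirements file classifies as `fallback` (the edge case the follow-up fixture covers) and the lockfile yields one `missing-integrity` finding for `left-pad`.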