Add JS/TS/Node security-hardening guidance to issue execution#353

Merged
nicobistolfi merged 1 commit into main from
vigilante/issue-352-add-js-ts-node-security-hardening-guidance-to-vigilante-issue-execution
on Apr 1, 2026

Conversation

@nicobistolfi
Collaborator

Summary

  • Adds stack-aware security guidance to Vigilante prompt assembly for JavaScript, TypeScript, and Node.js repositories
  • Extends repository classification with TechStack detection and Node.js-specific ProcessHints (package managers, lockfiles, TypeScript configs)
  • Creates internal/skill/security.go with curated, concise guidance covering dependency/supply-chain, package-manager hardening (npm/pnpm/yarn), runtime secure-coding, TypeScript safety, CI/CD secrets, static analysis, and monorepo concerns
  • Non-JS repositories receive no JS-specific security guidance
  • Guidance adapts to detected ecosystem signals (e.g., pnpm-only repos get pnpm hardening, monorepos get workspace boundary guidance)
  • Existing prompt and skill policies (vigilante commit, issue comments, validation) remain intact

Validation

  • go test ./... — all packages pass
  • gofmt -l . — no formatting issues
  • go vet ./... — no vet warnings
  • go build ./... — builds cleanly
  • New tests cover: Node.js detection for npm/pnpm/yarn, TypeScript detection, default fallback to npm, non-Node repos excluded, monorepo repos get monorepo guidance, traditional repos don't, prompt assembly integration for Node.js and non-Node repos

Test plan

  • Verify JS/TS/Node repos receive security guidance in generated prompts
  • Verify non-JS repos (Go, Gradle, etc.) do not receive JS-specific guidance
  • Verify guidance adapts to detected package manager (npm, pnpm, yarn)
  • Verify TypeScript guidance is conditional on tsconfig detection
  • Verify monorepo security guidance is conditional on monorepo shape
  • Verify repo classification JSON includes tech_stacks and node hints
  • Verify existing prompt tests continue to pass unchanged

Closes #352

Introduce stack-aware security guidance that Vigilante conditionally
injects into coding-agent prompts for JavaScript, TypeScript, and
Node.js repositories. Non-JS repos remain unaffected.

- Add TechStack type and Node.js detection to repo classification
  based on package.json, lockfiles, tsconfig, and package manager
- Create security.go with curated guidance covering dependency/
  supply-chain, package-manager hardening, runtime secure-coding,
  TypeScript safety, CI/CD secrets, static analysis, and monorepo
  concerns
- Integrate guidance into BuildIssuePromptForRuntime so detected
  JS/TS/Node repos receive it; guidance adapts to detected package
  manager (npm/pnpm/yarn), TypeScript presence, and monorepo shape
- Include tech_stacks and node hints in repo classification JSON
- Add comprehensive tests for detection, guidance content, and
  prompt assembly integration
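As an added illustration of the classification described in the summary above and in this commit message (example code written for this page, not the Vigilante project's internal/skill/security.go or its repo classifier), the following Go program reads a repository's root files, derives Node.js hints (package manager from lockfiles, TypeScript from tsconfig.json, monorepo shape from a workspaces entry), and selects hardening lines from those hints. The struct names, JSON keys, the precedence pnpm > yarn > npm when several lockfiles exist, the use of Corepack's `packageManager` field as an override, and the guidance wording are all assumptions of this example; repos without package.json yield no hints and therefore no JS-specific guidance.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// NodeHints holds the ecosystem signals read from a repo's root files.
// Field and JSON names are this example's own assumptions, not the project's.
type NodeHints struct {
	PackageManager string `json:"package_manager"` // npm, pnpm or yarn
	HasLockfile    bool   `json:"has_lockfile"`
	TypeScript     bool   `json:"typescript"`
	Monorepo       bool   `json:"monorepo"`
}

// lockfiles maps each lockfile to the manager that writes it; a repo with
// several lockfiles is attributed to the first match (assumed precedence).
var lockfiles = []struct{ name, pm string }{
	{"pnpm-lock.yaml", "pnpm"}, {"yarn.lock", "yarn"}, {"package-lock.json", "npm"},
}

func exists(fsys fs.FS, name string) bool {
	_, err := fs.Stat(fsys, name)
	return err == nil
}

// DetectNode returns hints and true only when package.json sits at the root;
// any other repo yields (nil, false) and therefore no JS-specific guidance.
func DetectNode(fsys fs.FS) (*NodeHints, bool) {
	raw, err := fs.ReadFile(fsys, "package.json")
	if err != nil {
		return nil, false
	}
	h := &NodeHints{PackageManager: "npm"} // default when no stronger signal exists
	for _, lf := range lockfiles {
		if exists(fsys, lf.name) {
			h.PackageManager, h.HasLockfile = lf.pm, true
			break
		}
	}
	// Corepack's "packageManager" field ("pnpm@9.1.0") is explicit, so a known
	// manager named there wins over the lockfile; "workspaces" marks a monorepo root.
	var pkg struct {
		PackageManager string          `json:"packageManager"`
		Workspaces     json.RawMessage `json:"workspaces"`
	}
	if json.Unmarshal(raw, &pkg) == nil {
		if name, _, ok := strings.Cut(pkg.PackageManager, "@"); ok {
			if _, known := installHint[name]; known {
				h.PackageManager = name
			}
		}
		h.Monorepo = len(pkg.Workspaces) > 0 && string(pkg.Workspaces) != "null"
	}
	if exists(fsys, "pnpm-workspace.yaml") {
		h.Monorepo = true
	}
	h.TypeScript = exists(fsys, "tsconfig.json")
	return h, true
}

// installHint is the per-manager reproducible-install command (illustrative).
var installHint = map[string]string{
	"npm":  "`npm ci` with `ignore-scripts=true` in .npmrc (run needed build scripts explicitly)",
	"pnpm": "`pnpm install --frozen-lockfile`",
	"yarn": "`yarn install --immutable`",
}

// Guidance selects hardening lines for the detected signals; the wording is
// this example's, not the project's curated text. Nil hints give no lines.
func Guidance(h *NodeHints) []string {
	if h == nil {
		return nil
	}
	g := []string{"Install with " + installHint[h.PackageManager] + " so CI never rewrites the lockfile."}
	if !h.HasLockfile {
		g = append(g, "No lockfile is committed: add one, otherwise installs are not reproducible.")
	}
	if h.TypeScript {
		g = append(g, "Enable `strict` in tsconfig; types are erased at runtime, so validate untrusted input explicitly.")
	}
	if h.Monorepo {
		g = append(g, "Scope CI secrets and permissions per workspace; audit hoisted dependencies shared across packages.")
	}
	return g
}

// MapRepo builds an in-memory repo from path -> contents (constructed input).
func MapRepo(files map[string]string) fs.FS {
	m := fstest.MapFS{}
	for name, body := range files {
		m[name] = &fstest.MapFile{Data: []byte(body)}
	}
	return m
}

func main() {
	repo := MapRepo(map[string]string{ // constructed pnpm + TypeScript monorepo
		"package.json":   `{"name":"demo","workspaces":["packages/*"]}`,
		"pnpm-lock.yaml": "lockfileVersion: '9.0'\n",
		"tsconfig.json":  `{"compilerOptions":{"strict":true}}`,
	})
	h, _ := DetectNode(repo)
	out, _ := json.Marshal(h)
	fmt.Println(string(out) + "\n" + strings.Join(Guidance(h), "\n"))
}
```

The detection deliberately keys on files that exist in the repo rather than on what is installed on the runner, so the same hints are produced wherever the classifier runs; a Go-only repo (no package.json) gets `(nil, false)` and an empty guidance set, which is the "non-JS repos unaffected" property the PR's tests check.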
nicobistolfi merged commit fd65c1c into main on Apr 1, 2026
1 check passed
nicobistolfi deleted the vigilante/issue-352-add-js-ts-node-security-hardening-guidance-to-vigilante-issue-execution branch on April 1, 2026 at 17:56
Development

Successfully merging this pull request may close these issues.

Add JS/TS/Node security-hardening guidance to Vigilante issue execution