
Implement Bun lockfile parser, enhance scanner output, and update dependencies#24

Open
miccy wants to merge 47 commits into main from dev/preview-v2


@miccy miccy commented May 4, 2026

This pull request introduces a major update across the codebase, focused on the 2.0.0 release of the project (now called wormsCTRL). The changes include a comprehensive rewrite of documentation, a new changelog, a new CLI packaging and build process, expanded threat catalog and scanning capabilities, and numerous bug fixes and security improvements. The update also introduces AI-assisted threat ingestion and validation, improved test coverage, and several developer experience enhancements.

Key highlights:

  • Major version bump to 2.0.0 with breaking changes to threat schema and parser outputs.
  • New AI ingestion pipeline for threat intelligence.
  • Improved CLI packaging with bundled threat catalog and build script.
  • Expanded and validated threat database.
  • Numerous bug fixes, security enhancements, and documentation updates.

Breaking Changes & Threat Schema Improvements

  • Enforced stricter threat schema validation: sha256 fields must be valid 64-character hex or null, and IOC/remediation arrays reject empty strings. Parser outputs for pnpm now separate resolved and integrity fields.
  • Version bump from 1.5.2 to 2.0.0, with full details and migration notes in the new CHANGELOG.md.

CLI Packaging & Build Enhancements

  • Added a new build script (apps/cli/build.mjs) to bundle the CLI and threat catalog for standalone distribution, and updated package.json to include the new build process and output files.
  • Updated TypeScript config to include Node types for better compatibility.

Documentation & Branding

  • Rebranded the project to wormsCTRL throughout all documentation and metadata, including repository links in AGENTS.md and SECURITY.md.
  • Completely rewrote the root README.md with new architecture diagrams, quick start, threat DB overview, AI ingestion explanation, and grant context.

Threat Catalog & AI Ingestion

  • Expanded the threat catalog with new structured threat objects and fixture data for real-world incidents, and added validation and dynamic test discovery for threat files.
  • Introduced an AI ingestion skeleton (packages/engine/src/ingest.ts and related files) for extracting structured threat objects from advisories using OpenAI and Zod validation.

Bug Fixes, Security, and DX Improvements

  • Implemented SSRF protection, path traversal security, and centralized sensitive data redaction in reports.
  • Improved parser resilience, CLI error handling, E2E test robustness, and Playwright configuration for better CI debugging and test coverage.

These changes collectively deliver a more robust, secure, and user-friendly supply chain audit tool, with a focus on automation, AI integration, and real-world threat coverage.
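The schema rules the description lists (sha256 is either null or a 64-character hex digest; IOC and remediation arrays reject empty strings) as a dependency-free validator. This is an added example, not the project's Zod schema; the record shape, the `validateThreat` name and the sample records are assumptions, and accepting upper-case hex is an assumption too.

```typescript
// Added example: a validator mirroring the threat-schema rules described in
// the PR. Not wormsCTRL's own schema; field names and shapes are assumed.

type ThreatRecord = {
  id: string;
  sha256: string | null;
  ioc: string[];
  remediation: string[];
};

// A bare SHA-256 digest in hex. Both cases are accepted here (assumption:
// the project may require lowercase only).
const SHA256_HEX = /^[0-9a-fA-F]{64}$/;

// Returns every violation found; an empty list means the record is valid.
function validateThreat(record: unknown): string[] {
  const errors: string[] = [];
  if (typeof record !== "object" || record === null) {
    return ["record must be an object"];
  }
  const r = record as Record<string, unknown>;

  if (typeof r.id !== "string" || r.id.trim() === "") {
    errors.push("id must be a non-empty string");
  }

  // sha256: exactly null, or a full 64-char hex digest. Empty strings,
  // truncated digests and "sha256:"-prefixed values are all rejected.
  if (r.sha256 !== null && !(typeof r.sha256 === "string" && SHA256_HEX.test(r.sha256))) {
    errors.push("sha256 must be null or a 64-character hex string");
  }

  // ioc / remediation: arrays whose every element is a non-empty string.
  for (const field of ["ioc", "remediation"] as const) {
    const value = r[field];
    if (!Array.isArray(value)) {
      errors.push(`${field} must be an array`);
      continue;
    }
    value.forEach((item, i) => {
      if (typeof item !== "string" || item.trim() === "") {
        errors.push(`${field}[${i}] must be a non-empty string`);
      }
    });
  }
  return errors;
}

// Constructed sample records, not real threat data.
const goodRecord: ThreatRecord = {
  id: "example-0001",
  sha256: "a".repeat(64),
  ioc: ["postinstall script spawns a shell"],
  remediation: ["pin the last known-good version"],
};
const badRecord = {
  id: "example-0002",
  sha256: "sha256:" + "b".repeat(64), // prefixed, so not a bare digest
  ioc: [""],
  remediation: ["remove the package", 42],
};
```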

Summary by CodeRabbit

  • New Features
    • AI-powered advisory ingestion and validation; expanded threat database with many incident records
    • CLI scan/threats commands with JSON/SARIF/text output and improved bundle of CLI tooling
  • Bug Fixes
    • Stronger path validation and SSRF protections; more resilient lockfile parsing across formats
    • More accurate detection of malicious/phantom dependencies and severity handling
  • Documentation
    • Rebranded to wormsCTRL; refreshed README, examples, and Czech docs; updated security reporting links
  • Tests
    • Expanded unit, integration, and E2E coverage for ingestion, validation, parsers, and CLI behavior

Labels

  • docs: Improvements or additions to documentation
  • feat: New feature or request
