feat(enrichment): Vulnerable transitive-pin & lockfile-drift analyzer #1502

Description

@JSONbored

Context

A REES (review-enrichment service) analyzer. Tier: high-value.

Detects: Lockfile (package-lock/yarn.lock/poetry.lock) changes that pin a TRANSITIVE dep to a CVE-carrying version, or downgrade/widen a previously-safe pin — vulns the top-level manifest diff never names.

Data source: Parse changed lockfile hunks for resolved transitive versions → OSV.dev batch query (free); deps.dev to confirm transitive-vs-direct. Extends shipped dependency-scan to the lockfile.

This is heavy/external/historical analysis the no-checkout headless claude --print reviewer cannot do; the REES returns it as a brief block the engine splices into the review (additive + fail-safe).

Implementation (established pattern, all inside review-enrichment/)

  1. Finding type + BriefFindings key in src/types.ts
  2. src/analyzers/<name>.ts — pure, inject fetch for tests
  3. Register in src/brief.ts ANALYZERS registry
  4. Render a public-safe block in src/render.ts
  5. node:test units against dist/ + a live smoke against the real data source
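The analyzer core in the inject-fetch style listed above, added here as an example rather than code from the repository: it diffs the resolved transitive pins between two package-lock files, builds one OSV.dev batch query for them, and maps the results back to path-level findings the brief can cite as package@version. It assumes the package-lock v2/v3 `packages` layout and OSV's `POST /v1/querybatch` request shape; the deps.dev direct-vs-transitive check is replaced by reading the lockfile's root entry, and the sample lockfiles, fake fetch and advisory id are constructed.

```typescript
// Added example, not the project's code: a pure analyzer in the inject-fetch style the issue
// describes. Assumes package-lock v2/v3 ("packages" keyed by node_modules paths) and OSV's real
// POST /v1/querybatch API; direct-vs-transitive is read from the lockfile root, not deps.dev.
type Lockfile = { packages: Record<string, { version?: string; dependencies?: Record<string, string> }> };
type PinChange = { name: string; path: string; before?: string; after: string };
type Finding = { package: string; version: string; path: string; vulnIds: string[] };
type OsvBatch = { results: { vulns?: { id: string }[] }[] };
type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body: string }) =>
  Promise<{ ok: boolean; json(): Promise<unknown> }>;
const OSV_URL = "https://api.osv.dev/v1/querybatch";
// Package name is whatever follows the last "node_modules/" (13 chars), so @scope/name survives.
const nameOf = (p: string) => p.slice(p.lastIndexOf("node_modules/") + 13);

// Transitive pins whose resolved version was added, downgraded or otherwise changed.
function diffTransitivePins(before: Lockfile, after: Lockfile): PinChange[] {
  const direct = new Set(Object.keys(after.packages[""]?.dependencies ?? {}));
  const out: PinChange[] = [];
  for (const path of Object.keys(after.packages)) {
    const ver = after.packages[path]?.version, name = nameOf(path);
    if (path === "" || !ver) continue;
    if (direct.has(name) && path === "node_modules/" + name) continue; // the manifest diff names these
    const prev = before.packages[path]?.version;
    if (prev !== ver) out.push({ name, path, before: prev, after: ver });
  }
  return out;
}
// One OSV query per pin; OSV returns results[] in query order, which toFindings relies on.
const buildOsvBatch = (pins: PinChange[]) =>
  ({ queries: pins.map(p => ({ package: { name: p.name, ecosystem: "npm" }, version: p.after })) });
function toFindings(pins: PinChange[], osv: OsvBatch): Finding[] {
  return pins.map((p, i) => ({ package: p.name, version: p.after, path: p.path,
    vulnIds: (osv.results[i]?.vulns ?? []).map(v => v.id) })).filter(f => f.vulnIds.length > 0);
}
// Fail-safe wiring: a network or parse error yields no findings rather than a failed review.
async function analyze(fetchImpl: FetchLike, before: Lockfile, after: Lockfile): Promise<Finding[]> {
  const pins = diffTransitivePins(before, after);
  if (pins.length === 0) return [];
  try {
    const res = await fetchImpl(OSV_URL, { method: "POST", headers: { "content-type": "application/json" },
      body: JSON.stringify(buildOsvBatch(pins)) });
    return res.ok ? toFindings(pins, (await res.json()) as OsvBatch) : [];
  } catch { return []; }
}
// Constructed sample: "a" is direct; the PR silently moved transitive "b" from 2.1.0 down to 2.0.4.
const BEFORE: Lockfile = { packages: { "": { dependencies: { a: "^1.0.0" } },
  "node_modules/a": { version: "1.0.0" }, "node_modules/b": { version: "2.1.0" } } };
const AFTER: Lockfile = { packages: { "": { dependencies: { a: "^1.0.0" } },
  "node_modules/a": { version: "1.0.0" }, "node_modules/b": { version: "2.0.4" } } };
// Constructed offline stand-in for fetch; the advisory id is a placeholder, not a real OSV entry.
const fakeFetch: FetchLike = async () => ({ ok: true, json: async () => ({ results: [{ vulns: [{ id: "GHSA-PLACEHOLDER" }] }] }) });
```

`analyze(fakeFetch, BEFORE, AFTER)` resolves to one finding for `node_modules/b` at 2.0.4; swapping in the real `fetch` turns it into the live smoke test from step 5.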

Deliverables

  • The analyzer + wiring + tests + a verifiable brief block (file:line or package@version)
  • Clean PR off main (zero engine conflict; outside the engine tsc/vitest/codecov scope)

Parent: #1499

Labels

gittensor:feature (Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier.)

Status

Todo
