
fix(security): Package hygiene & pre-publish gate hardening [L-03, L-12]#7

Open
riaworks wants to merge 1 commit into main from chore/package-hygiene

Conversation


@riaworks riaworks commented Mar 2, 2026

Summary

  • L-03: Synced package-lock.json version from 1.1.1 to 1.3.0 to match package.json
  • L-12: Changed pre-publish gate layer validation catch block from warn-only to fail-closed, consistent with the file's stated design principle

Security Impact

  • L-03 prevents version confusion during npm ci installs
  • L-12 closes a bypass vector where a missing Python runtime would silently skip L1 layer validation, allowing non-L1 content to be published

Files Changed

| File | Change |
| --- | --- |
| package-lock.json | Version synced 1.1.1 → 1.3.0 |
| bin/pre-publish-gate.js | Layer validation catch: warn → fail-closed |

Test Plan

  • Verify npm ci succeeds without warnings
  • Verify npm pack --dry-run output unchanged
  • Verify node bin/pre-publish-gate.js blocks when Python unavailable
  • Verify normal publish flow still works when all deps present

Frameworks

  • OWASP LLM09 (Supply Chain Vulnerabilities)
  • MITRE ATLAS AML.T0010 (ML Supply Chain Compromise)

🤖 Generated with Claude Code

…gate

L-03: package-lock.json was at v1.1.1 while package.json at v1.3.0.
Ran npm install --package-lock-only to sync versions.

L-12: Layer validation in pre-publish-gate.js was warn-only on error,
contradicting the file's own fail-CLOSED design. Changed catch block
to block publish when validation cannot run (e.g., missing Python 3),
preventing potential bypass of L1 layer checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>