test(openscore): prove non-yarn multi-ecosystem provider audit#33

Open
hammadtq wants to merge 1 commit into main from test/multi-ecosystem-openscore-provider-proof
Conversation

@hammadtq hammadtq commented May 18, 2026

Summary

  • Proves explicit Open Score provider request identity and verdict/audit provenance for npm, pnpm, pip, cargo, and Go install flows.
  • Covers ALLOW/ASK/DENY plus provider-unavailable behavior across supported non-Yarn package managers.
  • Adds a raw-upstream-shape guard so audit/explain output preserves source refs without dumping raw source objects.

Checks

  • go test ./...
  • go vet ./...
  • git diff --check origin/main...HEAD
  • Added-content scan for secrets, live hosted calls, Socket-default drift, proprietary score claims, and raw upstream dump exposure
  • Codex review: CLEAN, no critical/warning findings

Source/legal

  • Local mocked Open Score provider only.
  • No hosted Attach calls, no live registry/source fetching, no Socket behavior changes, no proprietary vendor data, no raw upstream dataset redistribution.
  • Yarn runtime support is intentionally excluded and split to Kanban card t_fe92144b.

Do not merge without Hammad approval.
