feat(parser): add safe Yarn Open Score support #34

Open
hammadtq wants to merge 1 commit into main from feat/safe-yarn-openscore-support

hammadtq (Collaborator) commented May 18, 2026

Summary

  • Adds safe opt-in Yarn add parsing for Open Score with public npm-coordinate validation.
  • Defers custom/private Yarn source cues before provider requests: registry flags, Yarn env/config state, protocol/path/alias specs, owner/repo-like names, wrappers, workspace/global add forms, and mixed shell flows.
  • Keeps default Socket/non-open-score behavior unchanged.

Checks

  • go test ./...
  • go vet ./...
  • git diff --check origin/main...HEAD
  • Added-content scan for secrets, live hosted calls, Socket-default drift, proprietary score claims, and raw upstream dump exposure
  • Codex review loop: fixed wrapper, invalid-coordinate, env/config propagation, workspace/global, pipeline, and wrapped config-state findings; final focused review CLEAN

Source/legal

  • Local parser/evaluator behavior and tests only.
  • No hosted Attach calls.
  • No live registry/source/network fetching.
  • No Socket behavior changes.
  • No proprietary vendor data or raw upstream redistribution.
  • Private/custom Yarn coordinates are ASK/deferred before Open Score requests.

Do not merge without Hammad approval.
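
The deferral rule listed in the summary, sketched as an added Go example; it is not code from this pull request or the project. The `Classify` function, its `hasYarnConfig` parameter, the coordinate pattern and the safe-flag list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed pattern (an assumption, not the PR's validator): plain or scoped
// lowercase npm name with an optional @version, @range or @tag.
var npmCoord = regexp.MustCompile(
	`^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9^~][A-Za-z0-9.+-]*)?$`)

// Flags that do not change where a package resolves from.
var safeFlags = map[string]bool{"-D": true, "--dev": true, "-E": true,
	"--exact": true, "-P": true, "--peer": true, "-O": true, "--optional": true}

// Classify returns "ALLOW" only for a plain `yarn add` whose package arguments are
// public npm coordinates. hasYarnConfig (hypothetical): a Yarn config file applies.
func Classify(cmd string, env map[string]string, hasYarnConfig bool) string {
	if hasYarnConfig || strings.ContainsAny(cmd, "|&;<>$`()\\\"'\n") {
		return "ASK" // config state, or shell syntax this sketch does not parse
	}
	for k := range env { // env state that can redirect the registry
		u := strings.ToUpper(k)
		if strings.HasPrefix(u, "YARN_") || strings.HasPrefix(u, "NPM_CONFIG_") {
			return "ASK"
		}
	}
	f := strings.Fields(cmd)
	if len(f) < 3 || f[0] != "yarn" || f[1] != "add" {
		return "ASK" // wrappers, `yarn workspace`/`yarn global`, other commands
	}
	verdict := "ASK" // stays ASK when no package argument is present
	for _, a := range f[2:] {
		if safeFlags[a] {
			continue
		}
		if !npmCoord.MatchString(a) {
			return "ASK" // other flag (e.g. --registry), protocol, path, alias, owner/repo
		}
		verdict = "ALLOW"
	}
	return verdict
}

func main() {
	fmt.Println(Classify("yarn add lodash @types/node@20.1.0", nil, false))
}
```

Anything the sketch cannot positively identify as a public coordinate falls through to ASK, so a private package name is never the input to an outbound score request.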
