feat: read package manager configs to determine cooldown configuration

[anthonyscarfe]

There is growing consensus that package cooldowns are a strong and low cost mitigation for compromised dev packages in CI/CD and dev workstations. Achieving a specific configuration in centralised CI/CD is relatively straightforward, but difficult in distributed dev workstations.

A feature to audit the configuration of package managers and surface the effective cooldown in place on dev workstations would enable proactive management of a defensive posture alongside the response capabilities.

[Anuppaul]

This makes sense as a workstation posture-audit feature. I’d find it useful if Bumblebee could detect package-manager cooldown settings across common config locations and report both the configured value and the effective value, including when no cooldown is configured.

A good first version might cover the most common package managers/config files, emit a clear “cooldown: none / X minutes / unknown” result, and include the source of the setting so teams can remediate drift across developer machines. This would pair well with CI enforcement by showing whether local developer environments match the intended policy.