vendor dependencies to prevent supply chain attacks - Add vendor/ directory with golang.org/x/sys to version control - Enforce -mod=vendor in Makefile (build, test, install) - Update .gitignore: exclude .gocache/ and .gomodcache/ - Document vendor policy in AGENTS.md