18F / charlie

18F's Slack bot, Charlie. Built on Bolt

Investigate more robust dependency management for high-impact dependencies

mgwalker opened this issue · comments

In particular, the @slack/bolt dependency does a huge amount of our security legwork. Is there more we can do to verify that we have the genuine article from NPM, and not something that has been compromised?

One possibility might be cloning the Bolt repo and pulling into Charlie from that. Then we could update Bolt periodically from upstream, but since we'd be taking NPM out of the equation, we wouldn't have that to worry about.