# pnpm configuration for the skill-map monorepo (.npmrc, read by pnpm).
#
# Authority order on settings: this file > each workspace's own .npmrc
# (none today) > pnpm built-in defaults. Keep the file short and only
# pin values where the default would surprise a contributor or weaken
# the supply-chain posture documented in AGENTS.md.
#
# NOTE(review): in npm, command-line flags and npm_config_* environment
# variables rank above every .npmrc file, and pnpm appears to follow
# the same ordering -- confirm. If so, the pins below protect against
# a weaker user/global config but not against a CI job whose
# environment sets an npm_config_* variable for one of these keys;
# treat the CI environment as part of the trust boundary and review
# changes to this file like code.

# AGENTS.md pinning policy: every dependency declared in any
# package.json under this repo is pinned to an exact version. Any
# `pnpm add <pkg>` (with or without a range) writes the exact resolved
# version into the manifest, no caret or tilde prefix. This pins only
# what the manifests declare; transitive versions are pinned by the
# lockfile and enforced by the frozen-lockfile install in CI (see the
# end of this file).
save-exact=true

# Auto-install missing peers so workspaces that depend on Angular,
# Hono, or Vitest do not need to redeclare every transitive peer
# requirement. Combined with strict-peer-dependencies=false because
# Angular's peer matrix is too tangled to enforce strictly without
# constant churn; the lockfile pins the actual resolution.
# Auto-installed peers are resolved like any other dependency and
# recorded in the lockfile, so the hardening settings below presumably
# apply to them too -- they are just not visible in any package.json,
# which is worth remembering when reviewing lockfile diffs.
auto-install-peers=true
strict-peer-dependencies=false

# Supply-chain hardening, the reason we migrated off npm in the first
# place (see ROADMAP / changeset for the Shai-Hulud / Qix / s1ngularity
# context). pnpm 11 ships these defaults; pinning them in .npmrc means
# a future `pnpm config set` cannot silently weaken the posture.
# (A project-scoped config write or a direct edit still changes this
# file, but that lands in the repo and shows up in review; the pin
# defends against the user/global config level, not against edits to
# the repo itself.)

# Block postinstall / preinstall / install scripts for every dependency
# unless the package is explicitly allowlisted in package.json under
# `pnpm.onlyBuiltDependencies`. The allowlist starts empty; legitimate
# native-build packages (better-sqlite3, esbuild, etc.) are added with
# a one-line justification when pnpm reports them. With this setting
# an unreviewed build script is an install failure, not a skipped
# build with a warning, so the report arrives as a failing
# `pnpm install` rather than a notice that is easy to miss. Before
# allowlisting, read the package's install script: the allowlist is
# keyed by package name (presumably without a version -- confirm), so
# an entry re-enables script execution for every future version of
# that package as well.
strict-dep-builds=true

# 72-hour cooldown on freshly published versions. A maintainer
# compromise discovered within the first three days cannot reach this
# repo because pnpm refuses to install a version newer than 4320
# minutes. Three days is the sweet spot identified in the post-Qix /
# post-Shai-Hulud postmortems (Wiz, Datadog Security Labs, AWS): long
# enough to catch the typical detection-and-unpublish window, short
# enough that Dependabot can still land legitimate security patches
# the same week. Drop back to 1440 (24h) if a real fix gets blocked,
# raise to 10080 (7 days) for stricter postures.
# What the cooldown does not cover: versions already recorded in the
# lockfile are presumably not re-checked (the setting filters which
# versions resolution may pick -- confirm), and it relies on the
# registry's publish-time metadata, so a non-registry source sees no
# cooldown at all. If one package ever needs an exception, prefer the
# per-package exclusion (minimum-release-age-exclude; confirm the name
# against the docs for the pinned pnpm version) over lowering this
# global value.
minimum-release-age=4320

# Block git+ssh, tarball URLs, and file: protocols as TRANSITIVE
# dependency sources. Direct deps in our own package.json files can
# still use them (rare; we don't today). The block is for the case
# where some npm dep silently swaps to a git URL on a patch bump.
# If a direct git or tarball dep is ever added, it carries no registry
# publish time, so the cooldown above presumably cannot apply to it;
# pin a full commit SHA rather than a branch or tag, and review the
# lockfile entry for it like any other version change.
block-exotic-subdeps=true

# Frozen lockfile is enforced in CI via `pnpm install --frozen-lockfile`.
# Locally we want pnpm to update the lockfile when a contributor runs
# `pnpm add`, so frozen-lockfile is left at its default (false locally,
# true under CI=true via pnpm's automatic detection).
# --frozen-lockfile makes CI fail when the lockfile and the manifests
# disagree instead of silently re-resolving, which is what gives
# save-exact and the pins above their teeth: the version that ships is
# the one that was reviewed in the lockfile diff.
