# Supply Chain Security (SEC-020 — see .claude/rules/security.md)
#
# Defense against Axios/PackageGate-class postinstall malware: no package
# runs install/postinstall/prepare scripts unless explicitly invoked.
# This plugin has no install-time native deps, so the global kill-switch
# is safe to keep on without an allowlist.
#
# Caveats on what ignore-scripts does and does not cover (npm semantics):
#  - It also suppresses this package's own lifecycle hooks (e.g. `prepare`
#    on `npm install`) and the pre-/post- hooks around explicitly invoked
#    scripts; `npm run <name>`, `npm test` etc. still run the named script.
#  - It is a project-level default, not a lock: a CLI flag
#    (`--ignore-scripts=false`) or `npm_config_ignore_scripts` in the
#    environment overrides it, which is why CI should pass `--ignore-scripts`
#    explicitly rather than trusting this file alone.
#  - It blocks install-time execution only. Code in a malicious package still
#    runs when it is required/imported, so this is not a substitute for
#    reviewing what gets added to the lockfile.
ignore-scripts=true

# CI hygiene.
# audit-level only sets the severity at which `npm audit` exits non-zero;
# it does not make `npm install`/`npm ci` fail. CI must run `npm audit` as
# its own step for this threshold to gate anything. Moderate/low findings
# pass at this level by design.
audit-level=high
fund=false
engine-strict=true

# pnpm-only SEC-020 directives (block-exotic-subdeps, minimum-release-age,
# trust-policy, only-built-dependencies-of) are intentionally omitted —
# this repo uses npm, not pnpm. SEC-020 in `.claude/rules/security.md`
# documents the pnpm form for consumer repos that use pnpm. On the npm side
# this plugin relies on `ignore-scripts=true` here plus an explicit
# `npm ci --ignore-scripts` in CI (a CLI flag takes precedence over env and
# .npmrc values, so it cannot be silently overridden). Note that this covers
# only the script-execution part of SEC-020: npm has no .npmrc equivalent
# of a minimum release age or trust policy. The closest analogue is the
# `before` config (`npm install --before=<date>`) when resolving new
# versions, together with the committed lockfile; that has to be enforced
# by process, not by this file.
