# Workspace npmrc — supply-chain hardening notes.
#
# DO NOT set `ignore-scripts=true` here. That would block ALL lifecycle
# scripts including the ones in our own workspace packages (e.g.
# `packages/cli` runs a `postinstall` to bundle the MarkItDown binary).
# pnpm 10's default already refuses to execute dependency install scripts
# unless the package is on the `onlyBuiltDependencies` allowlist in the
# repo-root `package.json`'s `pnpm` block — that's the right control.
# Audit `onlyBuiltDependencies` whenever a new native dep lands.
#
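# `verify-store-integrity=true` guards against a poisoned local pnpm
# cache (e.g. tampered tarballs after a CanisterWorm-style npm publisher
# compromise hits a dep we've already cached): pnpm checks the content of
# store files that have been modified before linking them into
# node_modules. This is a local-tamper check only; a malicious version
# that was published upstream matches its own hash and still passes.
# It defaults to true in pnpm 10; we set it explicitly so a future config
# drift can't silently disable it.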

# Default access level used on publish: scoped packages are published as
# public rather than restricted.
# NOTE(review): this applies to anything published from this workspace;
# confirm every internal-only package is marked `"private": true` in its
# package.json so it cannot be published by accident.
access=public
# Pinned explicitly even though it matches the pnpm 10 default. After a
# pnpm upgrade or a config move, confirm the effective value with
# `pnpm config get verify-store-integrity`.
verify-store-integrity=true
