From a57302ec36b55dc9196273e5d581c176f05ba930 Mon Sep 17 00:00:00 2001
From: Hikari
Date: Mon, 2 Mar 2026 16:28:06 -0800
Subject: [PATCH] chore: replace .npmrc with pnpm-workspace.yaml
---
 .npmrc | 25 -------------------------
 pnpm-workspace.yaml | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+), 25 deletions(-)
 delete mode 100644 .npmrc
 create mode 100644 pnpm-workspace.yaml
diff --git a/.npmrc b/.npmrc
deleted file mode 100644
index 6bf91e2..0000000
--- a/.npmrc
+++ /dev/null
@@ -1,25 +0,0 @@
-# Package Manager Configuration
-# Force pnpm usage - breaks npm/yarn intentionally
-node-linker=pnpm
-
-# Security: Disable all lifecycle scripts
-ignore-scripts=true
-enable-pre-post-scripts=false
-
-# Security: Require packages to be 10+ days old before installation
-minimum-release-age=14400
-
-# Security: Verify package integrity hashes
-verify-store-integrity=true
-
-# Security: Enforce strict trust policies
-trust-policy=strict
-
-# Security: Strict peer dependency resolution
-strict-peer-dependencies=true
-
-# Performance: Use symlinks for node_modules
-symlink=true
-
-# Lockfile: Ensure lockfile is not modified during install
-frozen-lockfile=false
\ No newline at end of file
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..aebcab5
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,21 @@
+# Security
+
+# Do not execute any scripts of installed packages (project scripts still run)
+ignoreDepScripts: true
+# Do not automatically run pre/post scripts (e.g. preinstall, postbuild)
+enablePrePostScripts: false
+# Only allow packages published at least 10 days ago (reduces risk of compromised packages)
+minimumReleaseAge: 14400
+# Fail if a package's trust level has decreased compared to previous releases
+trustPolicy: no-downgrade
+# Ignore trust policy for packages published more than 1 year ago (predates provenance signing)
+trustPolicyIgnoreAfter: 525960
+# Fail if there are missing or invalid peer dependencies
+strictPeerDependencies: true
+# Prevent transitive dependencies from using exotic sources (git repos, direct tarball URLs)
+blockExoticSubdeps: true
+
+# Lockfile
+
+# Allow the lockfile to be updated during install (set to true in CI for stricter reproducibility)
+preferFrozenLockfile: false
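Review bot: `trustPolicy: no-downgrade` is weaker than the `trust-policy=strict` the deleted .npmrc enforced, and the comment above it does not say the relaxation is intentional; `ignoreDepScripts: true` replacing `ignore-scripts=true` is a second quiet relaxation, since the new comment itself notes that project scripts still run. If strict was still wanted, change the line to `trustPolicy: strict`; otherwise make the decision visible, e.g. `# Relaxed from strict (old .npmrc): only a decrease in a package's trust level fails the install`. `verify-store-integrity=true` was also not carried over; if pnpm's default already verifies store integrity this is harmless, but a one-line comment saying so would keep the Security section an accurate record of what is enforced. Consider starting the file with `---` as well, which yamllint's document-start rule expects.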