From 1be1fd8b19c12db502224b2f33d5df3ff0b5fe84 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Fri, 24 Apr 2026 22:22:10 -0400
Subject: [PATCH] chore(pnpm): drop dead .pnpmrc, declare pnpm defaults in pnpm-workspace.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pnpm v11 reads settings from pnpm-workspace.yaml (and the npm-compat subset from .npmrc), not from .pnpmrc. The .pnpmrc file previously on main was silently ignored. Changes: - Delete .pnpmrc (dead file, pnpm does not read it). - Add to pnpm-workspace.yaml: - autoInstallPeers: true pnpm default, declared explicitly - enablePrePostScripts: true pnpm default, declared explicitly (husky) - saveExact: true pin exact on `pnpm add` No behavioral change — these match current pnpm defaults + existing .npmrc settings. Declaring explicitly hardens against future pnpm default flips silently diverging across the fleet.
---
 .pnpmrc | 13 -------------
 pnpm-workspace.yaml | 13 +++++++++++++
 2 files changed, 13 insertions(+), 13 deletions(-)
 delete mode 100644 .pnpmrc

diff --git a/.pnpmrc b/.pnpmrc
deleted file mode 100644
index 3f88c68c..00000000
--- a/.pnpmrc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Block all install scripts (no native dependencies)
-ignore-scripts=true
-
-# Enable pre/post scripts for the main project (e.g., prepare -> husky)
-enable-pre-post-scripts=true
-
-# Dependency management
-# Wait 7 days (10080 minutes) before installing newly published packages
-# This provides a security buffer to detect compromised packages before installation
-minimumReleaseAge=10080
-auto-install-peers=true
-strict-peer-dependencies=false
-save-exact=true
\ No newline at end of file
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index d230d82b..b8a1c8ba 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -10,6 +10,15 @@ packages: allowBuilds: esbuild: true +# Auto-install missing peer deps (pnpm default). Declared explicitly +# so a future default flip can't silently change install behavior. +autoInstallPeers: true + +# Run pre/post lifecycle scripts on the workspace root (e.g. +# prepare -> husky). This is the pnpm default; declared explicitly +# so a future default flip can't silently disable husky setup. +enablePrePostScripts: true + # Refuse to run if the pnpm version on PATH differs from the packageManager # field in package.json. Our setup action pins pnpm via external-tools.json; # any drift should fail fast, not silently auto-download via @pnpm/exe @@ -28,3 +37,7 @@ minimumReleaseAgeExclude: - '@socketbin/*' - '@socketregistry/*' - '@socketsecurity/*' + +# Pin exact versions on `pnpm add`. Catalog and overrides should +# also be exact pins (5.24.0, not ^5.24.0). +saveExact: true
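Review bot: The comment above `enablePrePostScripts: true` tells readers this setting is what keeps husky's `prepare` hook running, but as far as I recall pnpm's enable-pre-post-scripts only controls whether `pre<name>`/`post<name>` scripts run around `pnpm run <name>`; whether the root `prepare` script runs at install time is governed by ignore-scripts, which the deleted .pnpmrc set to `true` and which this hunk does not carry over. The description says the remaining .pnpmrc settings already live in .npmrc, which is outside this diff, so please confirm `ignore-scripts` and `strict-peer-dependencies=false` are really declared there rather than silently reverting to defaults; the existing `allowBuilds` allowlist visible in the context lines only covers dependency build scripts, not the root's own lifecycle scripts. I would reword the comment to `# Run pre<script>/post<script> hooks around pnpm run (pnpm default). Declared explicitly so a future default flip can't silently skip them.` and move the husky/prepare remark to whichever setting actually gates install-time scripts.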
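Review bot: The comment above `saveExact: true` reads as if the setting also keeps catalog and overrides entries exact, but as its own first sentence says it only changes the range pnpm writes when pnpm add updates package.json; existing caret ranges, the catalog and overrides are left untouched and stay exact only through review or a lint step. I would make that boundary explicit so nobody relies on it: `# Pin exact versions when pnpm add writes to package.json. Does not rewrite existing ranges; keep catalog and overrides exact (5.24.0, not ^5.24.0) by hand.`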