chore: enforce supply chain age gating (#16)

Kevin-layerV · claude · justin-layerv · web-flow · commit 6f23382ddea8 · 2026-04-11T00:31:00.000-05:00
## Summary
- Adds `.npmrc` with `min-release-age=7` to reject npm packages
published less than 7 days ago
- Enables `ignore-scripts=true` to block arbitrary install scripts from
packages

## Why
Newly published or hijacked packages are typically detected and removed
within days. A 7-day quarantine ensures compromised packages never enter
our dependency tree.

## Override for critical updates
```sh
npm install &lt;pkg&gt;@&lt;version&gt; --min-release-age=0
```

## Test plan
- [ ] `npm config get min-release-age --location=project` returns `7`
- [ ] `npm install` still resolves existing dependencies from lock file
- [ ] `npm install --min-release-age=0 &lt;pkg&gt;` bypasses the restriction

---------

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
Co-authored-by: Justin &lt;justin@layerv.ai&gt;
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1,12 @@
+# Supply-chain hardening: reject packages published <7 days ago.
+# Requires npm 11+ (Node 22+). Silently ignored on older versions.
+# CI enforces this (Node 22); local dev on older Node is not gated.
+min-release-age=7
+
+# Block arbitrary install/lifecycle scripts from dependencies.
+# Note: this also suppresses prepublishOnly during local `npm publish`.
+# CI runs `npm run build` explicitly before publish, so this is safe.
+# If a dependency ever legitimately requires a postinstall hook (e.g. a
+# native module using node-gyp), re-enable per-package with
+# `npm install <pkg> --ignore-scripts=false`.
+ignore-scripts=true
diff --git a/.nvmrc b/.nvmrc
@@ -0,0 +1 @@
+22
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -40,6 +40,18 @@ Releases are automated via [Release Please](https://github.com/googleapis/releas
 - `fix:` → patch version bump
 - `feat!:` or `BREAKING CHANGE:` → major version bump
 
+### Always publish via CI
+
+**Do not run `npm publish` locally.** The project's `.npmrc` sets
+`ignore-scripts=true` as a supply-chain defense, which (as a side effect)
+suppresses the `prepublishOnly` lifecycle hook. A local publish would ship
+whatever is currently in `dist/` without re-running the build. The release
+workflow (`.github/workflows/release-please.yml`) explicitly runs
+`npm run build` before `npm publish`, so publishing via CI is safe.
+
+If you need to verify a build artifact locally, run `npm run build` directly
+rather than invoking `npm publish` with `--dry-run`.
+
 ## License
 
 By contributing, you agree that your contributions will be licensed under the MIT License.
