# Defense-in-depth against malicious postinstall hooks from typo-squatted or
# compromised transitive dependencies (CWE-1357). CI already passes
# --ignore-scripts explicitly in .github/workflows/ci.yml; this file extends
# the same default to local developer installs (npm install / npm ci).
#
# The published mandrel package ships a `postinstall` hook
# (bin/postinstall.js) that runs `mandrel sync` to materialize ./.agents/ on
# the *consumer's* machine. That hook is best-effort and exits 0 even when
# skipped, so this repo-local `ignore-scripts=true` (which suppresses lifecycle
# scripts for installs *in this repo*) is safe: dogfooding installs here keep
# the committed .agents/ source of truth and never need the materializer.
# Contributors who knowingly need scripts for a one-off install can run:
#   npm install --ignore-scripts=false
ignore-scripts=true