
chore(pnpm): declare defaults in pnpm-workspace.yaml; drop dead .npmrc trust-policy#1275

Merged
John-David Dalton (jdalton) merged 2 commits into main from chore/pnpmrc
Apr 25, 2026
Conversation

Contributor

@jdalton John-David Dalton (jdalton) commented Apr 25, 2026

Summary

Two config hygiene fixes grouped into one PR.

1. Declare pnpm defaults in pnpm-workspace.yaml

pnpm v11 reads settings from pnpm-workspace.yaml (and the npm-compat subset from .npmrc), not from .pnpmrc. My earlier version of this PR added a .pnpmrc file; that file would have been silently ignored.

Instead, declare the two relevant pnpm defaults explicitly in pnpm-workspace.yaml:

  • autoInstallPeers: true — pnpm default, declared explicitly so a silent default flip can't change install behavior.
  • enablePrePostScripts: true — pnpm default, declared explicitly so a silent flip can't quietly disable husky's prepare hook.

2. Drop dead trust-policy lines from .npmrc

socket-cli's .npmrc carried:

trust-policy=no-downgrade
trust-policy-exclude[]=undici@6.21.3

These are not npm settings — the npm v11 config reference has no trust-policy key, and pnpm reads trustPolicy from pnpm-workspace.yaml, not from .npmrc. The entries were silent no-ops. socket-cli already has the correct pnpm-side values:

trustPolicy: no-downgrade
trustPolicyExclude:
  - undici@6.21.3

so the real policy was being applied the whole time. Removing the dead duplicates.

No behavioral change

Install/resolve/build work identically. This just puts each setting in the file the relevant tool actually reads.

Test plan

  • pnpm install succeeds locally.
  • CI green.
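To make the "dead config" reasoning above checkable rather than a matter of memory, here is an added example (not code from socket-cli or this PR) that parses a constructed .npmrc and pnpm-workspace.yaml pair and reports the two kinds of problem the PR fixes: pnpm-only keys written into .npmrc, where neither npm nor pnpm v11 act on them, and pnpm defaults that a workspace relies on but has not pinned explicitly. The key tables are assumptions distilled from the PR's own statements, not an authoritative list from either tool, and the YAML parser only handles the flat `key: value` and `key:` plus `- item` shape shown in the PR.

```python
"""Dead-config check for a pnpm v11 workspace (added example, not project code)."""
import re

# Assumption (from the PR text): these .npmrc-style spellings are pnpm-only
# settings that pnpm v11 reads from pnpm-workspace.yaml under the camelCase
# name, and npm's config reference has no such key, so they are no-ops in .npmrc.
PNPM_ONLY_NPMRC_SPELLINGS = {
    "trust-policy": "trustPolicy",
    "trust-policy-exclude": "trustPolicyExclude",
}

# Defaults the PR wants declared explicitly so a silent default flip in a
# future pnpm release cannot change install behaviour.
EXPECTED_WORKSPACE_SETTINGS = {
    "autoInstallPeers": "true",
    "enablePrePostScripts": "true",
}


def parse_npmrc(text):
    """Parse ini-style .npmrc; `key[]=v` array entries collect into a list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.endswith("[]"):
            settings.setdefault(key[:-2], []).append(value)
        else:
            settings[key] = value
    return settings


def parse_workspace_yaml(text):
    """Minimal parser for top-level `key: value` and `key:` followed by `- item` lines."""
    settings = {}
    current_list = None  # name of the list key we are currently filling
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and current_list is not None:
            settings[current_list].append(stripped[2:].strip().strip("'\""))
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$", stripped)
        if not m or raw[0].isspace():  # nested mappings are out of scope here
            current_list = None
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "":
            settings[key] = []
            current_list = key
        else:
            settings[key] = value.strip("'\"")
            current_list = None
    return settings


def find_dead_npmrc_keys(npmrc):
    """Keys in .npmrc that npm ignores and pnpm v11 does not read from .npmrc."""
    return sorted(k for k in npmrc if k in PNPM_ONLY_NPMRC_SPELLINGS)


def find_missing_workspace_settings(workspace):
    """Expected explicit defaults that are absent from, or differ in, pnpm-workspace.yaml."""
    return sorted(k for k, v in EXPECTED_WORKSPACE_SETTINGS.items()
                  if str(workspace.get(k)) != v)


def audit(npmrc_text, workspace_text):
    """Run both checks and return the findings as plain lists."""
    return {
        "dead_npmrc_keys": find_dead_npmrc_keys(parse_npmrc(npmrc_text)),
        "missing_workspace_settings":
            find_missing_workspace_settings(parse_workspace_yaml(workspace_text)),
    }


# Constructed samples modelled on the before/after state described in the PR.
SAMPLE_NPMRC_BEFORE = """# constructed .npmrc
ignore-scripts=true
trust-policy=no-downgrade
trust-policy-exclude[]=undici@6.21.3
"""
SAMPLE_NPMRC_AFTER = "ignore-scripts=true\n"
SAMPLE_WORKSPACE_BEFORE = """trustPolicy: no-downgrade
trustPolicyExclude:
  - undici@6.21.3
minimumReleaseAge: 10080
"""
SAMPLE_WORKSPACE_AFTER = SAMPLE_WORKSPACE_BEFORE + "autoInstallPeers: true\nenablePrePostScripts: true\n"

if __name__ == "__main__":
    print("before:", audit(SAMPLE_NPMRC_BEFORE, SAMPLE_WORKSPACE_BEFORE))
    print("after: ", audit(SAMPLE_NPMRC_AFTER, SAMPLE_WORKSPACE_AFTER))
```

Running it on the "before" samples reports the two dead trust-policy lines and the two undeclared defaults; on the "after" samples both lists are empty. For a real repository the same two functions can be fed the actual file contents from a CI step, which is a cheaper regression guard than re-deriving the tool's config-file precedence at each upgrade.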


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: New .pnpmrc is a no-op under pnpm v11
    • Deleted the no-op .pnpmrc file since pnpm v11 reads all settings from pnpm-workspace.yaml, where the equivalent settings already exist (and with correct values, unlike the contradictory strict-peer-dependencies=false).

Preview (3281bdf601)
diff --git a/.pnpmrc b/.pnpmrc
deleted file mode 100644
--- a/.pnpmrc
+++ /dev/null
@@ -1,27 +1,0 @@
-# Block install scripts unconditionally. Native deps that must run
-# install scripts (esbuild, etc.) are allowlisted in
-# pnpm-workspace.yaml under allowBuilds.
-ignore-scripts=true
-
-# Run pre/post lifecycle scripts on the workspace root (e.g.
-# prepare -> husky). This is the pnpm default; declared explicitly
-# so a future default flip can't silently disable husky setup.
-enable-pre-post-scripts=true
-
-# Wait 7 days (10080 minutes) before installing newly published
-# versions. Provides a quarantine buffer to detect compromised
-# packages before install.
-# Allowlist via pnpm-workspace.yaml minimumReleaseAgeExclude.
-minimumReleaseAge=10080
-
-# Auto-install missing peer dependencies (pnpm default). Declared
-# explicitly to harden against future default flips.
-auto-install-peers=true
-
-# Don't fail install on peer-dependency conflicts (pnpm default).
-# Declared explicitly to harden against future default flips.
-strict-peer-dependencies=false
-
-# Pin exact versions on `pnpm add`. Catalog and overrides should
-# also be exact pins (5.24.0, not ^5.24.0).
-save-exact=true
\ No newline at end of file
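Review bot: deleting the file is the right fix given pnpm v11 never read it, but two of the removed lines are security-relevant settings the PR description does not list as re-declared anywhere, `ignore-scripts=true` and the 7-day quarantine `minimumReleaseAge=10080`, so before merge confirm each still lives in a file pnpm actually reads (the commit message says ignore-scripts and min-release-age are in .npmrc and minimumReleaseAge in pnpm-workspace.yaml; a `pnpm config get` check in the test plan would make that verifiable rather than remembered). The mixed spelling in the deleted file, camelCase `minimumReleaseAge` next to kebab-case `auto-install-peers`, is itself evidence it was never parsed, and `strict-peer-dependencies=false` contradicted the value in pnpm-workspace.yaml per the Bugbot summary above, so nothing of value is lost by the deletion.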


Reviewed by Cursor Bugbot for commit f3d0911.

…workspace.yaml

pnpm v11 reads settings from pnpm-workspace.yaml (and the npm-compat
subset from .npmrc), not from .pnpmrc. Declaring pnpm defaults
explicitly in pnpm-workspace.yaml hardens against future default
flips — a silent pnpm change can't quietly disable husky's prepare
hook or flip peer-install behavior across the fleet.

Settings added:
- autoInstallPeers: true        pnpm default, declared explicitly
- enablePrePostScripts: true    pnpm default, declared explicitly (husky)

Everything else is already correctly configured in socket-cli:
- minimumReleaseAge, saveExact, strictPeerDependencies, trustPolicy,
  trustPolicyExclude, allowBuilds, pmOnFail, minimumReleaseAgeExclude
  — all in pnpm-workspace.yaml.
- ignore-scripts, min-release-age, trust-policy — in .npmrc (the
  npm-compat subset pnpm reads from).

No change to actual install behavior; this just locks in the current
behavior against future pnpm default changes.
John-David Dalton (jdalton) changed the title from "chore(pnpm): add canonical .pnpmrc" to "chore(pnpm): declare autoInstallPeers + enablePrePostScripts in pnpm-workspace.yaml" Apr 25, 2026
npm does not support `trust-policy` or `trust-policy-exclude[]` —
neither setting is in the npm v11 config reference. They are
pnpm-only settings (`trustPolicy` / `trustPolicyExclude`) that pnpm
reads from pnpm-workspace.yaml, not from .npmrc.

The .npmrc entries were silent no-ops. socket-cli already has the
correct values in pnpm-workspace.yaml:

  trustPolicy: no-downgrade
  trustPolicyExclude:
    - undici@6.21.3

Removing the dead lines. No behavioral change — the real policy was
already being applied via pnpm-workspace.yaml.
John-David Dalton (jdalton) changed the title from "chore(pnpm): declare autoInstallPeers + enablePrePostScripts in pnpm-workspace.yaml" to "chore(pnpm): declare defaults in pnpm-workspace.yaml; drop dead .npmrc trust-policy" Apr 25, 2026
John-David Dalton (jdalton) merged commit 588f5bd into main Apr 25, 2026
5 checks passed
John-David Dalton (jdalton) deleted the chore/pnpmrc branch April 25, 2026 02:59