docs: add supply chain security rules for pnpm

Add agent-facing rules to CLAUDE.md covering minimumReleaseAgeExclude, onlyBuiltDependencies, and frozen lockfile requirements — all require human sign-off. Add comprehensive human-facing section to docs/SECURITY.md with rationale, exclusion procedure (exact version pin, approval, expiry), and build script allowlist documentation.
2026-06-04 10:14:47 +08:00 · 2026-04-14 00:43:57 -04:00
parent 163f5700a5
commit 994b323cfa
2 changed files with 45 additions and 0 deletions
@@ -123,6 +123,15 @@ systemctl --user start|stop|restart nanoclaw

 Host logs: `logs/nanoclaw.log` (normal) and `logs/nanoclaw.error.log` (errors only — some delivery/approval failures only show up here).

+## Supply Chain Security (pnpm)
+
+This project uses pnpm with `minimumReleaseAge: 4320` (3 days) in `pnpm-workspace.yaml`. New package versions must exist on the npm registry for 3 days before pnpm will resolve them.
+
+**Rules — do not bypass without explicit human approval:**
+- **`minimumReleaseAgeExclude`**: Never add entries without human sign-off. If a package must bypass the release age gate, the human must approve and the entry must pin the exact version being excluded (e.g. `package@1.2.3`), never a range.
+- **`onlyBuiltDependencies`**: Never add packages to this list without human approval — build scripts execute arbitrary code during install.
+- **`pnpm install --frozen-lockfile`** should be used in CI, automation, and container builds. Never run bare `pnpm install` in those contexts.
+
 ## v2 Docs Index

 | Doc | Purpose |