James Griffin
668397104a
Disables dependency lifecycle scripts by default via .npmrc (ignore-scripts=true) so arbitrary packages cannot execute code at install time. An explicit allowlist in web/package.json opts specific packages back in, and CI/Docker/Taskfile now run allow-scripts after npm install to apply it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>