
security: stricter pnpm config blockExoticSubdeps & trustPolicy #453

Open

Sheraff wants to merge 1 commit into TanStack:main from Sheraff:stricter-pnpm-deps-config

Conversation

@Sheraff (Contributor) commented May 17, 2026

Enables pnpm's no-downgrade trust policy.

Blocks exotic transitive dependencies with blockExoticSubdeps.

Removes the redundant provenance-action downgrade CI job from the PR workflow.

Summary by CodeRabbit

  • Chores
    • Updated internal workflow and workspace configurations for improved stability and consistency.


@Sheraff Sheraff requested a review from a team as a code owner May 17, 2026 13:58
coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between efb411e and a8dc95d.

Files selected for processing (2)
  • .github/workflows/pr.yml
  • pnpm-workspace.yaml

Files with no reviewable changes (1)
  • .github/workflows/pr.yml

Walkthrough

This PR removes the provenance-checking step from the CI workflow and adds two dependency policy configurations to the pnpm workspace. The workflow change streamlines validation by eliminating the provenance check, while the workspace configuration enforces stricter dependency resolution rules.

Changes

Configuration and Workflow Updates

  • Remove provenance checking from CI workflow (.github/workflows/pr.yml): the danielroe/provenance-action step is deleted from the workflow, allowing the test-e2e job to run directly after test-unit completes without the intermediate provenance check.
  • Add workspace dependency policies (pnpm-workspace.yaml): two new root-level pnpm configuration options are added. blockExoticSubdeps: true restricts unusual dependency patterns, and trustPolicy: 'no-downgrade' enforces that dependency versions are never downgraded.

Estimated code review effort

1 (Trivial) | ~3 minutes

Poem

🐰 The workflow hops faster, no provenance delay,
While pnpm stands guard with strict rules in place—
Exotic deps blocked, versions never retreat,
A tidy config hop makes this PR complete! 🌿

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'security: stricter pnpm config blockExoticSubdeps & trustPolicy' accurately and specifically summarizes the main changes: adding stricter security configurations to pnpm workspace settings.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
