agent: lumotia — supply-chain pre-flight (npm audit signatures + install discipline)

Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud).

- run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json
  is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip
  with LUMOTIA_SKIP_AUDIT=1 for offline dev.
- README: documents `npm ci --ignore-scripts` as the install discipline
  (blocks the postinstall vector worms exploit) and explains the audit hook.
- .gitignore: excludes the per-clone audit stamp.

Lumotia's current tree (192 packages) cross-references clean against the
mini-Shai-Hulud affected-package list — this is preventive, not remedial.
This commit is contained in:
2026-05-14 06:41:53 +01:00
parent 65abfa2ed9
commit e4d56b831f
3 changed files with 26 additions and 0 deletions

View File

@@ -269,6 +269,16 @@ choco install cmake llvm vulkan-sdk
See [`docs/dev-setup.md`](docs/dev-setup.md) for the authoritative per-platform dependency list and for how `LIBCLANG_PATH` should be set.
### Installing npm dependencies
Use `npm ci --ignore-scripts` rather than bare `npm install`. `--ignore-scripts` blocks the postinstall script vector that npm-worm attacks (Shai-Hulud, mini-Shai-Hulud) rely on. `ci` installs strictly from `package-lock.json`, refusing to mutate the lockfile silently.
```bash
npm ci --ignore-scripts
```
`run.sh` runs `npm audit signatures` automatically whenever `package-lock.json` is newer than the last successful audit, and refuses to launch on signature mismatch. Skip with `LUMOTIA_SKIP_AUDIT=1` for offline dev.
### Dev launch
Canonical full-stack dev launch — starts Vite, waits for port 1420, then launches Tauri: