Files
Lumotia/.gitignore
Jake e4d56b831f agent: lumotia — supply-chain pre-flight (npm audit signatures + install discipline)
Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud).

- run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json
  is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip
  with LUMOTIA_SKIP_AUDIT=1 for offline dev.
- README: documents `npm ci --ignore-scripts` as the install discipline
  (blocks the postinstall vector worms exploit) and explains the audit hook.
- .gitignore: excludes the per-clone audit stamp.

Lumotia's current tree (192 packages) cross-references clean against the
mini-Shai-Hulud affected-package list — this is preventive, not remedial.
2026-05-14 06:41:53 +01:00

10 lines
100 B
Plaintext

node_modules/
target/
build/
dist/
.svelte-kit/
.firecrawl/
.worktrees/
.cargo/
.lumotia-last-audit