chore: supply-chain hardening — lockfile enforcement + action SHA pins#253

Open

oz-sayari wants to merge 1 commit into main from oz-limiting-package-age
Conversation

@oz-sayari

Supply Chain Hardening

Automated supply-chain security controls applied by supply-chain-pr.py.

Changes made

  • .yarnrc.yml (Created): npmMinimalAgeGate: 10080 (7-day cooldown)
  • ci.yml: Node version upgraded to 22 (node-version: 21 → 22) — required for npm 11.10+ cooldown support
  • ci.yml: yarn install → yarn install --immutable (1×)
  • ci.yml: SHA-pinned 2 actions to full commit hash

Why these controls

| Control | Threat mitigated |
| --- | --- |
| Action SHA pins | Prevents tag-hijack (ref: aquasecurity/trivy-action, Mar 2026) |
| min-release-age / npmMinimalAgeGate | 7-day cooldown prevents same-day version compromise |
| npm ci / --frozen-lockfile / --immutable | CI installs exact lockfile versions — no silent drift |
| Node 22+ | Required for npm 11.10+ which enforces min-release-age cooldown |

Testing checklist

  • CI passes on this branch (green)
  • Install step produces the same set of packages as before
  • yarn install --immutable succeeds with the existing lockfile

Generated by supply-chain-pr.py — part of the dependency-security-policy rollout.

@oz-sayari (Author)

📋 Follow-up checklist

Posted automatically by supply-chain-pr.py. The changes in this PR are complete and safe to merge. The items below are recommended follow-ups to reach a higher security baseline.

🧶 Verify yarn.lock is up to date before merging

--immutable was added to yarn install in CI. This flag fails the build if yarn.lock would change — which is exactly what we want for supply-chain safety, but it requires the lockfile to already be fresh.

Before merging, verify locally:

yarn install --immutable   # must succeed with no changes

If you see YN0028: The lockfile would have been modified, update it first:

yarn install               # refresh yarn.lock
git add yarn.lock && git commit -m "chore: refresh yarn.lock"

@oz-sayari oz-sayari requested a review from palani-sayari April 8, 2026 19:22