chore(deps): migrate to pnpm 11.5.0 via official pnpm-v10-to-v11 codemod

Relocates supply-chain hardening (overrides, minimumReleaseAge, allowBuilds, resolutionMode, verifyStoreIntegrity) into pnpm-workspace.yaml; strictDepBuilds=false keeps the pnpm-10 build posture. CI is the merge gate.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: JCBauza

.npmrc

@@ -1,29 +1,12 @@
 
 # ---- pnpm supply-chain hardening (org-wide standard, Apr 2026 migration) ----
-auto-install-peers=true
-public-hoist-pattern[]=*@types*
-public-hoist-pattern[]=*eslint*
-public-hoist-pattern[]=*prettier*
 # Supply-chain hardening: onlyBuiltDependencies is an explicit allowlist —
 # EVERYTHING ELSE is blocked from running lifecycle scripts (postinstall, etc.),
 # which is the #1 npm malware vector. Audited per-repo during migration.
 # pnpm docs: https://pnpm.io/settings#onlybuiltdependencies
-onlyBuiltDependencies[]=esbuild
-onlyBuiltDependencies[]=@swc/core
-onlyBuiltDependencies[]=sharp
-onlyBuiltDependencies[]=better-sqlite3
 # Deterministic cross-platform installs; closes npm#4828 structurally.
-resolution-mode=time-based
 # Verify npm registry signatures at install.
-audit-signatures=true
 # Blocks packages published <72h ago — catches typo-squat / compromised-publish
 # in the window before the community flags them.
-minimum-release-age=3
-minimum-release-age-exclude[]=@cloudingenium/*
-minimum-release-age-exclude[]=@cloudflare/*
-minimum-release-age-exclude[]=wrangler
-minimum-release-age-exclude[]=workerd
 # SHA-check every dep on access — detects store tampering.
-verify-store-integrity=true
 # Install fails if package.json / pnpm-lock.yaml out of sync.
-lockfile-check=true

package.json

@@ -65,13 +65,5 @@
   "publishConfig": {
     "@cloudingenium:registry": "https://npm.pkg.github.com"
   },
-  "packageManager": "pnpm@10.33.0",
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "esbuild",
-      "sharp",
-      "@swc/core",
-      "better-sqlite3"
-    ]
-  }
-}
+  "packageManager": "pnpm@11.5.0"
+}

pnpm-workspace.yaml

@@ -0,0 +1,21 @@
+autoInstallPeers: true
+publicHoistPattern:
+  - '*@types*'
+  - '*eslint*'
+  - '*prettier*'
+resolutionMode: time-based
+auditSignatures: true
+minimumReleaseAge: 3
+minimumReleaseAgeExclude:
+  - '@cloudingenium/*'
+  - '@cloudflare/*'
+  - wrangler
+  - workerd
+verifyStoreIntegrity: true
+lockfileCheck: true
+allowBuilds:
+  esbuild: true
+  sharp: true
+  '@swc/core': true
+  better-sqlite3: true
+strictDepBuilds: false