# engine-strict makes pnpm and npm honor the `engines` block in
# package.json. We pin `pnpm: ">=11"` so a too-old pnpm fails fast
# instead of producing a subtly different lockfile. The primary
# anti-npm/yarn defense is the `preinstall: npx only-allow pnpm`
# script in package.json — only-allow detects the running package
# manager via $npm_config_user_agent and exits non-zero if it isn't
# pnpm. This file is the second layer.
#
# NOTE(review): treat both layers as guardrails against accidentally
# using the wrong tool, not as an enforcement boundary:
#   - Lifecycle scripts do not run under `--ignore-scripts` (or
#     `ignore-scripts=true`), so the preinstall check is skipped there.
#   - $npm_config_user_agent is an ordinary environment variable; the
#     check trusts whatever value the process was started with.
#   - npm's engine check is documented for the `node` and `npm` keys of
#     `engines`; confirm it acts on a `pnpm` key before relying on this
#     file to stop npm.
#   - `npx only-allow` with no version resolves the package at install
#     time, before the lockfile applies, unless it is already installed
#     locally. Consider pinning it (`npx only-allow@<version> pnpm`) or
#     vendoring the check.
# A frozen-lockfile install in CI (`pnpm install --frozen-lockfile`) is
# the check that actually catches lockfile drift.
engine-strict=true
