JS supply-chain guard

Copy/paste this into an agent session to add package age gates and pnpm exotic subdependency blocking. It tells the agent to verify current docs first and exempt your own workspace scopes.

Find my package manager: bun, pnpm, npm, yarn, or any mix of them. Configure a 3-day minimum-release-age / cooldown for installs to blunt fresh supply-chain attacks. If pnpm is used, also enable blockExoticSubdeps so transitive dependencies cannot sneak in remote GitHub/git/tarball-style references. Exempt my workspace scopes.

Before writing config, verify the exact current config key, units, supported version, and workspace-scope exemption syntax in the official/current docs for each detected package manager. Do not rely on stale memory.

Intent:
- npm: minimum release age should be 3 days.
- pnpm: minimum release age should be 3 days / 4320 minutes, plus blockExoticSubdeps enabled if supported.
- Bun: minimum release age should be 3 days / 259200 seconds.
- Yarn: minimum release age should be 72h / 3d.

Requirements:
1. Detect package managers from lockfiles, packageManager fields, installed commands, corepack shims, and fnm/asdf/nvm-style Node installs.
2. Preserve existing config and auth tokens. Do not delete unrelated settings.
3. Write the correct user-level/global config for each detected manager, creating files if needed.
4. If fnm is installed, update every installed Node version's global npm config too:
   - ~/.local/share/fnm/node-versions/v*/installation/etc/npmrc
5. If writable, also update common global npm configs:
   - /opt/homebrew/etc/npmrc
   - /usr/local/etc/npmrc
6. Exempt my own workspace/private scopes from the age gate. Discover them from package.json workspaces, package names, npm scopes in the repo, and configured private registries. Ask before exempting if unsure.
7. For pnpm, verify and enable blockExoticSubdeps if available. Then scan lockfiles/package manifests for existing exotic deps/subdeps: git, git+ssh, github:, http(s) tarballs, file URLs outside the workspace, and other non-registry specs. Report findings before changing those deps.
8. If a package manager supports only project-level exemptions, add them to the project config. If it supports user-level exemptions, prefer that when safe.
9. Verify by printing the relevant config lines, package manager versions, and the docs/source used for each key.
10. If any package manager is missing but clearly used by the repo, still write its config so future installs inherit the guard.
11. If I name remote hosts, SSH to each host and apply the same verified protection there too.

Sharp edges: npm's age gate is newer, so older npm may warn and ignore it. pnpm's blockExoticSubdeps is a different guard: it blocks remote/non-registry subdependency specs that age gates do not cover.