Merged
2 changes: 1 addition & 1 deletion README.md
@@ -100,7 +100,7 @@ jobs:

The action uploads nothing by default. It reads local git state from the checked-out repository, writes a Markdown report to the GitHub Actions step summary, and emits PR-visible warning annotations for each finding. Findings point at exact config lines when ScopeTrail can resolve them.

The Action runs the committed `dist/` runtime from the release tag. It does not run `npm ci` or `npm run build` in your repository's workflow.
The Action runs the committed `dist/` runtime from the release tag, runs `npm ci --omit=dev` inside the ScopeTrail Action directory to install runtime dependencies, and does not run `npm run build` in your repository's workflow.

Start with `fail-on: none` so ScopeTrail is advisory while you tune policy. Raise it to `high` or `critical` once the findings are trusted.
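Review bot: the added sentence introduces a network install (`npm ci --omit=dev`) two lines under a paragraph that says the Action "uploads nothing by default" and "reads local git state", and readers of the original wording ("does not run `npm ci` or `npm run build`") will have taken that as no package download at all. Say plainly that the PR check fetches ScopeTrail's runtime dependencies from the npm registry (or whatever registry the runner is configured with), that `npm ci` installs exactly what ScopeTrail's committed lockfile pins and refuses to run if the lockfile and `package.json` disagree, and whether that install runs package lifecycle scripts, since that is the supply-chain question a pilot repository will ask. The sentence is also a three-clause run-on; split it, for example: `The Action runs \`npm ci --omit=dev\` inside the ScopeTrail Action directory to install its runtime dependencies, then runs the committed \`dist/\` runtime from the release tag. It does not run \`npm run build\` in your repository's workflow.` (install-before-run is the only order that works, so the reordering is safe).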

2 changes: 1 addition & 1 deletion docs/TRUST.md
@@ -20,7 +20,7 @@ ScopeTrail uploads nothing by default. It does not send repository contents, fin

## Runtime Dependencies

The GitHub Action runs the committed `dist/` runtime from the ScopeTrail release tag. It does not run `npm ci` or `npm run build` in the installing repository, so pilot repositories do not need to download ScopeTrail development dependencies during their PR checks.
The GitHub Action runs the committed `dist/` runtime from the ScopeTrail release tag, runs `npm ci --omit=dev` inside the ScopeTrail Action directory to install runtime dependencies, and does not run `npm run build` in the installing repository. Pilot repositories do not need to download ScopeTrail development dependencies during their PR checks.

## Required GitHub Permissions

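Review bot: "Pilot repositories do not need to download ScopeTrail development dependencies during their PR checks" is now misleading by omission: with `npm ci --omit=dev` they do download ScopeTrail's production dependencies on every PR check, and TRUST.md is exactly where an installer looks for that fact. Under "Runtime Dependencies", state the egress (registry reached, at what point in the job), that `npm ci` installs only what ScopeTrail's committed `package-lock.json` pins and fails closed if the lockfile is missing or out of sync with `package.json`, and whether lifecycle scripts are allowed to run during the install. Lead the paragraph with the `npm ci` sentence, since that is the behaviour this change adds; the `dist/` and `npm run build` facts are unchanged context.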
6 changes: 4 additions & 2 deletions test/public-docs.test.mjs
@@ -19,7 +19,8 @@ test('README links trust, adoption, and team validation docs from the public Act
assert.match(readme, /\[Team-layer validation\]\(docs\/TEAM_VALIDATION\.md\)/);
assert.match(readme, /install with `fail-on: none`/i);
assert.match(readme, /runs the committed `dist\/` runtime/i);
assert.match(readme, /does not run `npm ci` or `npm run build`/i);
assert.match(readme, /runs `npm ci --omit=dev` inside the ScopeTrail Action directory/i);
assert.match(readme, /does not run `npm run build`/i);
});

test('trust doc describes local-only advisory GitHub Action behavior', async () => {
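Review bot: the two new `assert.match` calls pin the README wording only; nothing in this file checks that the Action definition actually runs `npm ci --omit=dev`, so the documented claim and the real run step can drift apart without a test failing. Add an assertion that reads the Action metadata file (`action.yml`, assuming that is where the run steps live) and matches `npm ci --omit=dev` there as well. Minor: the same two regexes are repeated verbatim for the trust doc in the next hunk; hoisting them into one shared constant keeps README.md and TRUST.md from drifting from each other.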
@@ -28,7 +29,8 @@ test('trust doc describes local-only advisory GitHub Action behavior', async ()
assert.match(trust, /reads the checked-out repository/i);
assert.match(trust, /uploads nothing by default/i);
assert.match(trust, /runs the committed `dist\/` runtime/i);
assert.match(trust, /does not run `npm ci` or `npm run build` in the installing repository/i);
assert.match(trust, /runs `npm ci --omit=dev` inside the ScopeTrail Action directory/i);
assert.match(trust, /does not run `npm run build` in the installing repository/i);
assert.match(trust, /permissions:\s*`contents: read`/i);
assert.match(trust, /`fetch-depth: 0`/);
assert.match(trust, /`fail-on: none`/);
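Review bot: the TRUST.md hunk splits off a new standalone guarantee, "Pilot repositories do not need to download ScopeTrail development dependencies during their PR checks", but this test asserts every neighbouring sentence and not that one. If the guarantee is worth documenting it is worth pinning, e.g. `assert.match(trust, /do not need to download ScopeTrail development dependencies/i);` after line 64. Also note that `/runs \`npm ci --omit=dev\` inside the ScopeTrail Action directory/i` passes as long as the phrase appears anywhere in the file; it does not check that it sits under the "Runtime Dependencies" heading where the README's trust claims point readers, so consider slicing the section out before matching.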