chore: harden npm install defaults

[sedge-bot]

Summary

• Adds root .npmrc defaults that reduce npm supply-chain blast radius.
• Disables implicit install lifecycle scripts by default (ignore-scripts=true).
• Pins newly saved dependency versions exactly (save-exact=true).
• Keeps npm audit enabled and disables funding noise.

Why

Recent npm worm/supply-chain campaigns abuse install/publish lifecycle hooks and ambient tokens. This makes the safe path the default; projects that truly need lifecycle scripts can still run reviewed scripts explicitly.

Verification

• git diff --check
• Static exposure scan of the PR diff for token/secret patterns

Generated by Sedge for Fielding's npm supply-chain hardening sweep.

[netlify]

✅ Deploy Preview for fielding ready!

Name	Link
🔨 Latest commit	b195b75
🔍 Latest deploy log	https://app.netlify.com/projects/fielding/deploys/6a0c10fb2a226200089bdb2f
😎 Deploy Preview	https://deploy-preview-5--fielding.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[sedge-bot]

Sedge re-verification 2026-05-22 06:30 CDT:\n\n- GitHub still reports OPEN / MERGEABLE / CLEAN at b195b75.\n- Local temp worktree verification passed: npm ci --ignore-scripts --audit=false --fund=false, npm run build, git diff --check origin/main..HEAD, and .npmrc marker smoke for ignore-scripts=true/save-exact=true/audit=true/fund=false.\n- npm run check still fails only on the known pre-existing site baseline outside this one-file .npmrc PR (Experience.svelte, Now.svelte, +layout.svelte, plus Projects.svelte a11y warning), same cleanup lane tracked separately by PR #4/site-68ed47.\n\nNo new blocker found for this npm hardening PR.