fix(ci): allowBuilds.puppeteer:true and drop dead pnpm.onlyBuiltDependencies

CI on main has been failing across all three workflows (CI, Tour GH Pages, Val Town deploy) since the puppeteer/mermaid feature landed in b34ba09. The error was always:

  ERR_PNPM_IGNORED_BUILDS  Ignored build scripts: puppeteer@24.41.0
  Run "pnpm approve-builds" to pick which dependencies should be allowed to run scripts.

Root cause: pnpm v11.0.0-rc.5 reads build-script approvals from
pnpm-workspace.yaml's `allowBuilds:` map, NOT from package.json's
`pnpm.onlyBuiltDependencies` array. The package.json field was added
alongside the puppeteer dep but had no effect under rc.5. Lockfile state
in CI runners always tripped the missing approval.

Fix:
- Declare `puppeteer: true` under `allowBuilds:` in pnpm-workspace.yaml.
  Tour (GH Pages) requires Chromium for mermaid rendering, so allowing
  the postinstall is the correct stance. CI + Val Town pay the ~300MB
  download cost as the uniform-install tradeoff.
- Drop the dead `pnpm.onlyBuiltDependencies` entry from package.json
  per CLAUDE.md "actively remove backward-compat" rule.

Side effects:
- pnpm run update bumped @socketsecurity/lib in .claude/hooks/check-new-deps
  from 5.20.1 -> 5.24.0 (matches root manifest pin).
- oxfmt normalized markdown italics in CLAUDE.md (*order* -> _order_).

Author: jdalton

.claude/hooks/check-new-deps/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@socketregistry/packageurl-js": "1.4.2",
-    "@socketsecurity/lib": "5.20.1",
+    "@socketsecurity/lib": "5.24.0",
     "@socketsecurity/sdk": "4.0.1"
   },
   "devDependencies": {

CLAUDE.md

@@ -155,7 +155,7 @@ Sort lists alphanumerically (literal byte order, ASCII before letters). Apply th
 
 - **Config lists** — `permissions.allow` / `permissions.deny` in `.claude/settings.json`, `external-tools.json` checksum keys, allowlists in workflow YAML.
 - **Object key entries** — sort keys in plain JSON config + return-shape literals + internal-state objects. (Exception: `__proto__: null` always comes first, ahead of any data keys.)
-- **Import specifiers** — sort named imports inside a single statement: `import { encrypt, randomDataKey, wrapKey } from './crypto.mts'`. Imports that say `import type` follow the same rule. Statement *order* is the project's existing convention (`node:` → external → local → types) — that's separate from specifier order *within* a statement.
+- **Import specifiers** — sort named imports inside a single statement: `import { encrypt, randomDataKey, wrapKey } from './crypto.mts'`. Imports that say `import type` follow the same rule. Statement _order_ is the project's existing convention (`node:` → external → local → types) — that's separate from specifier order _within_ a statement.
 - **Method / function source placement** — within a module, sort top-level functions alphabetically. Convention: private functions (lowercase / un-exported) sort first, exported functions second. The first-line `export` keyword is the divider.
 - **Array literals** — when the array is a config list, allowlist, or set-like collection. Position-bearing arrays (e.g. argv, anything where index matters semantically) keep their meaningful order.
 

package.json

@@ -122,10 +122,5 @@
     "ignore-type-assertion": true,
     "ignore-files": "test/*",
     "strict": true
-  },
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "puppeteer"
-    ]
   }
 }

pnpm-lock.yaml

@@ -8,6 +8,12 @@ packages:
 
 allowBuilds:
   esbuild: true
+  # puppeteer ships a postinstall that downloads Chromium (~300MB).
+  # Required because `pnpm tour:build` (the GH Pages workflow) renders
+  # mermaid diagrams via puppeteer/Chromium. Disabling it would break
+  # the Tour pipeline. CI + Val Town pay the download cost as the
+  # uniform-install tradeoff for keeping all workflows symmetric.
+  puppeteer: true
 
 # Refuse to run if the pnpm version on PATH differs from the packageManager
 # field in package.json. Our setup action pins pnpm via external-tools.json;