diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..cfe97d6
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,7 @@
+# Supply-chain hardening directives (SC-12282 / APS-19731)
+ignore-scripts=true
+strict-ssl=true
+save-exact=true
+# engine-strict=true  # DISABLED (APS-19731): hard-fails `npm ci` on Node 18.20.7 — the repo overrides field pins serialize-javascript@7.0.5 (engines node>=20.0.0), which breaks Cypress-14-supported Node 18. Re-enable only after the serialize-javascript override is constrained to a Node-18-compatible line or Node 18 is officially dropped.
+legacy-peer-deps=false
+audit-level=high