fix: add --ignore-scripts to security-guard Claude Code install#2963

Merged: lpcox merged 1 commit into main from fix/recompile-security-guard on May 12, 2026

@lpcox (Collaborator) commented May 12, 2026

The security-guard.lock.yml was missing --ignore-scripts on the npm install command for Claude Code CLI, causing the workflow-engine-install-security test to fail on main.

This was the root cause of the Test Coverage Reporter failure (#2959) — the coverage workflow runs npm test against main and this test was failing.

Closes #2959

The security-guard.lock.yml was missing --ignore-scripts on the
npm install command for Claude Code CLI, causing the
workflow-engine-install-security test to fail.

Closes #2959

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 12, 2026 00:26
@lpcox lpcox requested a review from Mossaka as a code owner May 12, 2026 00:26
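
A check of the kind the description refers to, as an added example; it is not the project's workflow-engine-install-security test and not code from this pull request. It scans workflow text for npm install commands that lack `--ignore-scripts`. The function names and the `example-tool` lines are constructed; the two Claude Code install lines are the before and after from this PR.

```javascript
// Added example: names below are hypothetical, not taken from the project.
const INSTALL_SUBCOMMANDS = new Set(["install", "i", "add", "ci"]);

// Split a shell line into simple commands so a flag on one command is not
// credited to another (e.g. `npm ci --ignore-scripts && npm i -g x`).
function splitCommands(shellLine) {
  return shellLine.split(/&&|\|\||;|\|/).map((c) => c.trim()).filter(Boolean);
}

// True when the command is an npm install variant that may run lifecycle scripts.
// Limitation: the subcommand is taken to be the first non-flag argument.
function allowsInstallScripts(command) {
  const tokens = command.split(/\s+/);
  const npmAt = tokens.indexOf("npm");
  if (npmAt === -1) return false;
  const args = tokens.slice(npmAt + 1);
  const sub = args.find((t) => !t.startsWith("-"));
  if (!INSTALL_SUBCOMMANDS.has(sub)) return false;
  // `--ignore-scripts=false` re-enables scripts, so it does not count.
  return !args.some((t) => t === "--ignore-scripts" || t === "--ignore-scripts=true");
}

// Return { line, command } for every offending command in the workflow text.
function findUnsafeNpmInstalls(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((raw, index) => {
    // Skip YAML keys other than `run:` (a step `name:` may mention npm install).
    const key = raw.match(/^\s*(?:-\s*)?([\w-]+):(?:\s|$)/);
    if (key && key[1] !== "run") return;
    const shell = raw.replace(/^\s*(?:-\s*)?run:\s*/, "").trim();
    if (shell.startsWith("#")) return;
    for (const command of splitCommands(shell)) {
      if (allowsInstallScripts(command)) findings.push({ line: index + 1, command });
    }
  });
  return findings;
}

// Lines 2 and 4 are the before/after install lines from this PR; the rest is constructed.
const SAMPLE_WORKFLOW = [
  "- name: Install Claude Code CLI",
  "  run: npm install -g @anthropic-ai/claude-code@2.1.126",
  "- name: Install Claude Code CLI",
  "  run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.126",
  "- name: npm install example tool",
  "  run: |",
  "    npm ci --ignore-scripts && npm i -g example-tool@1.0.0",
  "    npm install --ignore-scripts=false",
].join("\n");
console.log(findUnsafeNpmInstalls(SAMPLE_WORKFLOW));
```

The chained command and the `=false` form are the cases a plain substring search for `--ignore-scripts` would pass by mistake.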
@github-actions (Contributor)

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 87.92% 87.99% 📈 +0.07%
Statements 87.88% 87.95% 📈 +0.07%
Functions 83.36% 83.36% ➡️ +0.00%
Branches 79.84% 79.89% 📈 +0.05%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/container-lifecycle.ts 87.3% → 88.4% (+1.09%) 87.7% → 88.7% (+1.06%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions (Contributor)

Smoke Test Results

  • ❌ GitHub MCP: gh not authenticated (workflow limitation)
  • ✅ Playwright: GitHub page title verified
  • ✅ File Writing: Test file created and verified
  • ✅ Bash Tools: Command execution confirmed

Status: PARTIAL (3/4 tests passed - gh auth expected in this context)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions (Contributor)

Smoke Test: Copilot BYOK (Offline) Mode

Test Result
GitHub MCP connectivity ❌ 401 Bad credentials
GitHub.com HTTP ⚠️ Pre-step data unresolved (${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }})
File write/read ⚠️ Pre-step data unresolved (${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }})
BYOK inference (agent → api-proxy → api.githubcopilot.com)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — template variables not resolved; pre-step data unavailable for verification.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions (Contributor)

🔬 Smoke Test Results — PR #2963 (branch: fix/recompile-security-guard, author: @lpcox)

Test Result
GitHub MCP connectivity ❌ 401 Bad credentials
GitHub.com HTTP connectivity ⚠️ Pre-step data unavailable (template not expanded)
File write/read (/tmp/gh-aw/agent/smoke-test-copilot-25705487680.txt) ✅ File exists and readable

Overall: FAIL — GitHub MCP returned 401; pre-step smoke data template variables were not substituted.

📰 BREAKING: Report filed by Smoke Copilot

Copilot AI (Contributor) left a comment

Pull request overview

Updates the Security Guard locked workflow to install the Claude Code CLI with npm --ignore-scripts, aligning with the repository’s engine-install security test and unblocking the failing workflow-engine-install-security check that was breaking the Test Coverage Reporter on main.

Changes:

  • Add --ignore-scripts to the global npm install command for @anthropic-ai/claude-code in security-guard.lock.yml.
File Description
.github/workflows/security-guard.lock.yml Adds --ignore-scripts to the Claude Code CLI install step in the Security Guard locked workflow.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.41
- name: Install Claude Code CLI
run: npm install -g @anthropic-ai/claude-code@2.1.126
run: npm install --ignore-scripts -g @anthropic-ai/claude-code@2.1.126
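
Review bot: The changed `run:` line in the "Install Claude Code CLI" step does not check that the CLI still works once lifecycle scripts are skipped; consider following the install with a step that invokes the installed CLI once and fails the job if it does not start. Also on that line, the `@2.1.126` pin fixes only the top-level package version, while its dependencies are still resolved from the registry at install time, so `--ignore-scripts` limits install-time script execution rather than what gets installed.
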
@github-actions (Contributor)

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2963 · ● 407.4K ·

@github-actions (Contributor)

Smoke Test Results — FAIL

Check Result
Redis PING ❌ timeout (no response)
PostgreSQL pg_isready ❌ no response
PostgreSQL SELECT 1 ❌ timeout

host.docker.internal is not reachable from this runner environment — service containers may not be running or the hostname is not resolvable.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit 4a335b2 into main May 12, 2026
65 of 68 checks passed
@lpcox lpcox deleted the fix/recompile-security-guard branch May 12, 2026 00:48
@github-actions (Contributor)

Smoke Codex: FAIL
fix: add --ignore-scripts to security-guard Claude Code install
refactor: remove dead exports from export audit
✅ GitHub/PR review, Playwright, file/bash, discussion lookup, build
❌ safeinputs-gh unavailable, Tavily MCP tools unavailable, github-discussion-query unavailable
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

Development

Successfully merging this pull request may close these issues.

[aw] Test Coverage Reporter failed
