chore: bump Yarn to 4.15.0 and harden install config (#965)

* chore: bump Yarn to 4.15.0 and harden install config

- Bump Yarn from 4.3.1 to 4.15.0 (latest v4 stable)
- Add enableScripts: false to skip dependency lifecycle scripts
- Add npmMinimalAgeGate: "1d" to require packages be at least 1 day old

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate lockfile for Yarn 4.15

- Bumps lockfile cacheKey 8 -> 10 (required because `yarn install
  --immutable` in CI refuses to migrate the lockfile on its own).
- Yarn 4.15 also auto-added `approvedGitRepositories: ["**"]` to
  .yarnrc.yml as part of its hardened-mode safelist for git deps;
  `["**"]` preserves existing behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: drop yarn-auto-added approvedGitRepositories

Yarn 4.15 auto-injected approvedGitRepositories: ["**"] during install,
but the repo has no git: protocol deps. Removing keeps the hardened
default (no arbitrary git URL installs allowed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: layershifter

.yarn/releases/yarn-4.15.0.cjs

@@ -2,6 +2,10 @@ compressionLevel: mixed
 
 enableGlobalCache: false
 
+enableScripts: false
+
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-4.3.1.cjs
+npmMinimalAgeGate: 1d
+
+yarnPath: .yarn/releases/yarn-4.15.0.cjs

.yarn/releases/yarn-4.3.1.cjs

@@ -12,7 +12,7 @@
     "packages/*",
     "tools/*"
   ],
-  "packageManager": "yarn@4.3.1",
+  "packageManager": "yarn@4.15.0",
   "engines": {
     "node": ">=24"
   },

.yarnrc.yml

@@ -2,7 +2,7 @@
 # Manual changes might be lost - proceed with caution!
 
 __metadata:
-  version: 8
+  version: 10
   cacheKey: 10
 
 "@-xun/debug@npm:^2.0.2":
@@ -24842,11 +24842,11 @@ __metadata:
 
 "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>, typescript@patch:typescript@npm%3A~5.9.2#optional!builtin<compat/typescript>":
   version: 5.9.3
-  resolution: "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>::version=5.9.3&hash=379a07"
+  resolution: "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>::version=5.9.3&hash=5786d5"
   bin:
     tsc: bin/tsc
     tsserver: bin/tsserver
-  checksum: 10/5d416ad4f2ea564f515a3f919e901edbfa4b497cc17dd325c5726046c3eef7ed22d1f59c787267d478311f6f0a265ff790f8a6c7e9df3ea3471458f5ec81e8b7
+  checksum: 10/696e1b017bc2635f4e0c94eb4435357701008e2f272f553d06e35b494b8ddc60aa221145e286c28ace0c89ee32827a28c2040e3a69bdc108b1a5dc8fb40b72e3
   languageName: node
   linkType: hard