docs: document npm overrides + standardize npm registry

[Wenjix]

What

Documents the npm overrides introduced in #2 (security pins for @cursor/sdk's transitive deps) and standardizes the npm registry — so the rationale survives for both humans and future coding agents instead of living only in a review comment.

Changes

• AGENTS.md (new) — operational guardrails read by Cursor/Devin/Codex/Claude: use the npmjs registry, and don't remove/loosen the overrides or regenerate the lockfile against npmmirror.
• docs/dependencies.md (new) — per-override rationale + consumer chains + remove-when conditions, the empirical verification (clean npm ci on Node 26 builds sqlite3 with tar@7; npm audit → 0), and the analysis that undici 5→6 is runtime-inert on Node ≥18.
• .npmrc (new) — pins registry=https://registry.npmjs.org/. registry.npmmirror.com's advisory endpoint returns NOT_IMPLEMENTED, so npm audit silently can't run there; pinning also prevents the mixed-registry lockfile drift seen in chore: reduce npm audit vulnerabilities #2.
• CLAUDE.md — symlink to AGENTS.md.

Notes

• Complements chore: reduce npm audit vulnerabilities #2 (the overrides themselves) — ideally merges alongside/after it. The matching one-line overridesNote in package.json is best added to chore: reduce npm audit vulnerabilities #2 to avoid a conflict here.
• Registry assumption: npmjs is treated as intended (no committed .npmrc, and the overrides already resolve from npmjs). If npmmirror was deliberate (network/geo), the .npmrc should instead be dropped and the --registry workaround documented.
• Removal of the overrides is tracked in Remove npm overrides once @cursor/sdk bumps vulnerable transitive deps #5.

🤖 Generated with Claude Code

---

Note

Low Risk
Docs and registry/lockfile hygiene only; no application runtime code changes, though install-time native builds still depend on the existing override pins.

Overview
Standardizes npm installs on registry.npmjs.org via a new .npmrc, and rewrites package-lock.json so tarball URLs no longer mix in registry.npmmirror.com (which breaks npm audit).

Adds docs/dependencies.md and AGENTS.md explaining the intentional package.json overrides (tar, undici, @tootallnate/once) for @cursor/sdk transitive audit findings, plus guardrails not to loosen them or regenerate the lockfile against npmmirror. CLAUDE.md now points agents at AGENTS.md, and overridesNote in package.json links to that doc (#5 for removal).

^{Reviewed by Cursor Bugbot for commit f2d8a15. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_94e49344-6813-4e75-9401-36f110aaaf73)