diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..fcb4c98
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,4 @@
+# Supply-chain quarantine: refuse to install any npm package published < 7 days ago.
+# Organization-wide policy; critical after 2026-05-12 Mini Shai-Hulud wave
+# (@mistralai/mistralai 2.2.2-2.2.4, 169 packages total).
+min-release-age=7