
#13169: security: add --ignore-scripts to npm install during plugin/hook installation

by RamiNoodle733, open, 2026-02-10 05:30

Labels: docs, channel: matrix, gateway, stale
## Summary

- Add `--ignore-scripts` to all `npm install` invocations during plugin, hook pack, and extension dependency installation
- Update security docs (EN + zh-CN) to reflect that lifecycle scripts are now blocked by default

## Problem

When installing plugins or hook packs with npm dependencies, `npm install` runs without `--ignore-scripts`. This means a malicious package's `postinstall` (or `preinstall`, `install`) lifecycle scripts execute arbitrary code on the host machine *before* any code safety review.

## Fix

Added `--ignore-scripts` to the npm install argument array in all three locations:

1. `src/plugins/install.ts` — plugin dependency installation
2. `src/hooks/install.ts` — hook pack dependency installation
3. `extensions/matrix/src/matrix/deps.ts` — Matrix extension on-demand dependency installation

Also updated the security documentation in both English and Chinese to reflect that npm lifecycle scripts are now blocked by default.

## Files Changed

- `src/plugins/install.ts` — Added `--ignore-scripts` flag
- `src/hooks/install.ts` — Added `--ignore-scripts` flag
- `extensions/matrix/src/matrix/deps.ts` — Added `--ignore-scripts` flag
- `docs/gateway/security/index.md` — Updated docs
- `docs/zh-CN/gateway/security/index.md` — Updated Chinese docs

## Test plan

- [x] TypeScript compiles cleanly (no new errors)
- [x] Lint passes
- [x] No test changes needed — existing plugin/hook install tests don't exercise the npm install path (test plugins have no `dependencies`)
- [x] Legitimate plugins should not rely on `postinstall` scripts; if a native addon needs compilation, users can manually run `npm rebuild`

Closes #13132

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Greptile Overview

### Greptile Summary

This PR hardens dependency installation paths by adding `--ignore-scripts` to `npm install` when installing plugin dependencies (`src/plugins/install.ts`), hook pack dependencies (`src/hooks/install.ts`), and Matrix extension on-demand deps (`extensions/matrix/src/matrix/deps.ts`). It also updates the Gateway security documentation (EN + zh-CN) to reflect that npm lifecycle scripts are now blocked by default during these installs.

### Confidence Score: 4/5

- Mostly safe to merge, but one security hardening gap remains for pnpm installs in the Matrix extension path.
- The npm install paths are consistently updated to block lifecycle scripts, aligning with the stated security goal. However, the Matrix dependency installer still runs `pnpm install` without an ignore-scripts equivalent when a pnpm lockfile is present, leaving an execution path for lifecycle scripts in that environment.
- extensions/matrix/src/matrix/deps.ts
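The pattern the PR describes (an install argument array that always carries `--ignore-scripts`) and the gap the Greptile review points out (a `pnpm install` path without the equivalent flag) can both be illustrated with a small, self-contained TypeScript example. This is an added example, not code from the PR or from `src/plugins/install.ts`, `src/hooks/install.ts` or `deps.ts`; the function names, the lockfile-based package-manager choice and the sample `package.json` are assumptions constructed for illustration. `--ignore-scripts` is a real flag for both `npm install` and `pnpm install`. The second function audits a dependency manifest for the install-time lifecycle scripts that the flag disables, which is the check a reviewer wants before deciding whether a manual `npm rebuild` is warranted.

```typescript
// Added example (not the project's code): build a lifecycle-script-safe
// install command and audit a package.json for the scripts that
// --ignore-scripts would block. Names below are assumptions for illustration.

// Scripts that npm/pnpm run automatically when a package is installed as a
// dependency. None of them executes when --ignore-scripts is passed.
const INSTALL_LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"] as const;

export interface InstallCommand {
  command: "npm" | "pnpm";
  args: string[];
}

/**
 * Pick the package manager from the files present in the plugin directory
 * and always append --ignore-scripts, so that the pnpm branch is hardened
 * the same way as the npm branch (the gap noted in the review above).
 */
export function buildInstallCommand(filesInPluginDir: string[]): InstallCommand {
  const usePnpm = filesInPluginDir.includes("pnpm-lock.yaml");
  const command: InstallCommand["command"] = usePnpm ? "pnpm" : "npm";
  // Both package managers accept the same flag name for this purpose.
  const args = ["install", "--ignore-scripts"];
  return { command, args };
}

/**
 * Parse a package.json (given as text) and return the install-time lifecycle
 * scripts it declares, in lifecycle order. A non-empty result means the
 * package depends on behaviour that --ignore-scripts disables, so a human
 * should review those scripts before running `npm rebuild` by hand.
 */
export function findLifecycleScripts(packageJsonText: string): string[] {
  let parsed: unknown;
  try {
    parsed = JSON.parse(packageJsonText);
  } catch {
    // Unparsable manifest: nothing to report; the install itself will fail.
    return [];
  }
  if (typeof parsed !== "object" || parsed === null) return [];
  const scripts = (parsed as { scripts?: unknown }).scripts;
  if (typeof scripts !== "object" || scripts === null) return [];
  const table = scripts as Record<string, unknown>;
  return INSTALL_LIFECYCLE_SCRIPTS.filter((name) => name in table);
}

// Constructed sample manifest (not a real package): declares a postinstall
// hook alongside an ordinary test script.
export const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-dep",
  version: "1.0.0",
  scripts: {
    postinstall: "node ./setup.js",
    test: "node test.js",
  },
});

// Stand-alone demonstration.
console.log(buildInstallCommand(["package.json", "package-lock.json"]));
console.log(buildInstallCommand(["package.json", "pnpm-lock.yaml"]));
console.log(findLifecycleScripts(SAMPLE_PACKAGE_JSON)); // ["postinstall"]
```

Only `scripts.test` is ignored by the audit: it is not an install-time hook, so blocking lifecycle scripts does not affect it. The two functions are deliberately pure (no `child_process` call) so the decision logic can be unit-tested without touching a registry.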
