
#14112: test(security): harden plugin install against script execution

by davidahmann, open, 2026-02-11 14:07
stale
## Problem

Plugin installs should not execute dependency lifecycle scripts; issue #13132 asks for supply-chain hardening verification around `--ignore-scripts`.

## What changed

- Added an archive-install flow test that uses a local dependency with a `postinstall` script.
- Executed real install subprocesses in test via mocked command runner passthrough.
- Asserted that the postinstall marker file is never created during plugin archive install.
- Reset command mock state before existing dir-install test setup for isolation.

## Validation

- `pnpm exec vitest run src/plugins/install.test.ts`
- Result: pass (`12 passed`)

Fixes #13132

## Greptile Overview

### Greptile Summary

Adds comprehensive security test to verify plugin archive installations don't execute dependency lifecycle scripts (addressing supply-chain hardening requirement from issue #13132). The test creates a local dependency with a `postinstall` script that writes a marker file via environment variable, executes real install subprocesses through mocked command runner passthrough, and asserts the marker file is never created. Also adds `mockReset()` to the existing directory install test for proper test isolation.

### Confidence Score: 5/5

- This PR is safe to merge with no issues found
- The test implementation is well-designed with proper isolation, environment cleanup, and directly verifies the security requirement. The addition of `mockReset()` to the existing test improves test reliability. No logical errors, security vulnerabilities, or syntax issues detected.
- No files require special attention
