fix: prevent non-private packages from having private workspace production deps

[rekmarks]

Summary

• Add a yarn constraint that prevents published (@metamask/) packages from listing private (i.e., practically speaking, @ocap/) workspace packages in production dependencies (dependencies or peerDependencies) via the workspace: protocol
• No current violations exist; this is a guardrail against future mistakes

Test plan

• yarn constraints passes with no errors
• Temporarily add a private @ocap/ package to a public package's dependencies with workspace:^ and verify the constraint catches it: see DO NOT MERGE: #865 test #867

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk: adds a Yarn constraints guardrail only, and it triggers only on invalid dependency declarations for published packages.

Overview
Adds a new Yarn constraint that fails yarn constraints when a non-private (published) workspace declares a workspace: protocol dependency on a private workspace in production dependency sections (anything other than devDependencies, e.g. dependencies/peerDependencies).

Implements expectNoPrivateWorkspaceProductionDependencies and runs it for all non-private child workspaces, emitting a clear error message naming the offending package and dependency type.

^{Written by Cursor Bugbot for commit 782e72c. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	76.11% 🟰 ±0%	6639 / 8722
🔵	Statements	76% 🟰 ±0%	6745 / 8874
🔵	Functions	73.95% 🟰 ±0%	1653 / 2235
🔵	Branches	75.38% 🟰 ±0%	2472 / 3279

File Coverage

No changed files found.

Generated in workflow #3872 for commit 782e72c by the Vitest Coverage Report Action

[FUDCo]

Beeld eet.