Install as require-dev?

[rhoerr]

Should we advise people to install this as require-dev by default, and not to install it on production?

It will only be useful once, for the original install, right? At least for now.

Dev install can be defaulted (encouraged?) by adding a dev keyword, for example https://github.com/markshust/magento2-module-disabletwofactorauth/pull/28/files

    "keywords": [
        "dev", ...
    ]

[jakwinkler]

agreed

[jakwinkler]

Based on my research composer itself doesn’t have a strict mechanism to enforce that your package is used only in the require-dev section of another project. We can only add a note in README.md

[rhoerr]

A strict mechanism, no, but it can suggest: https://github.com/composer/composer/pull/10960