Audit baseline: aa595438650cfbaa6db310792929c6219cc003b2 (origin/main at audit start).
Problem
Release checks run before version rewriting and vendoring, then publish the transformed directory without installing/loading that exact artifact. The packed artifact also exposes raw TypeScript subpaths that plain Node cannot import, includes test sources, and omits the MIT license text.
Pi's TypeScript loader works, so this is not a Pi-install blocker. Related packaging incidents #149 and #235/#236 show why the transformed artifact needs a durable gate.
Acceptance criteria
- Define the supported package surface: Pi loader only, or compiled JS/declaration exports for generic Node consumers.
- Add a deliberate pack allowlist and include
LICENSE.
- After transformation run
npm pack --json, install the exact tarball in a clean consumer, and assert required exports, skills, and six vendored leaves.
- Load through the supported Pi host before publish; if generic Node imports remain documented, test them too.
- Repeat a minimal fresh-cache registry install/load check after publish.
Audit baseline:
aa595438650cfbaa6db310792929c6219cc003b2(origin/mainat audit start).Problem
Release checks run before version rewriting and vendoring, then publish the transformed directory without installing/loading that exact artifact. The packed artifact also exposes raw TypeScript subpaths that plain Node cannot import, includes test sources, and omits the MIT license text.
Pi's TypeScript loader works, so this is not a Pi-install blocker. Related packaging incidents #149 and #235/#236 show why the transformed artifact needs a durable gate.
Acceptance criteria
LICENSE.npm pack --json, install the exact tarball in a clean consumer, and assert required exports, skills, and six vendored leaves.