fix: narrow npm publish surface to the module graph

[affaan-m]

Summary\n- reduce the npm publish surface to the module-graph-backed runtime allowlist\n- add a dedicated publish-surface regression around package.json files and npm pack output\n- keep required runtime assets like scripts/catalog.js and shipped plugin manifests in the tarball\n\n## Testing\n- node tests/scripts/npm-publish-surface.test.js\n- node tests/scripts/build-opencode.test.js\n- node tests/scripts/ecc.test.js\n- npm test\n\nCloses #445

---

Summary by cubic

Narrows the npm package to the module-graph-backed runtime allowlist and required assets to prevent bloat and leaks. Adds a regression test to lock the publish surface via package.json and npm pack.

• Bug Fixes
  • Reduced package.json.files to the module graph plus an explicit runtime allowlist; keeps runtime schemas and assets (scripts like scripts/catalog.js, plugin manifests, .mcp.json, .gemini).
  • Added tests/scripts/npm-publish-surface.test.js to assert files matches the module graph and that npm pack --dry-run includes required paths (e.g., schemas/install-state.schema.json) and excludes non-runtime content.
  • Updated tests/scripts/build-opencode.test.js to expect .opencode/ in the publish list.

^{Written for commit c826305. Summary will update on new commits.}

Summary by CodeRabbit

• Chores

  • Updated package distribution whitelist to control which top-level plugin, config, scripts and skill resources are published, improving packaging consistency and included docs.

• Tests

  • Added a new publish-surface test that verifies the exact set of files included in package distributions.
  • Updated packaging tests to reflect revised publish layout and ensure required files are present.

[ecc-tools]

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 682c9bde-fc10-4ca2-806a-690358545f25

📥 Commits

Reviewing files that changed from the base of the PR and between bd2aec4 and c826305.

📒 Files selected for processing (2)

• package.json
• tests/scripts/npm-publish-surface.test.js

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/scripts/npm-publish-surface.test.js
• package.json

---

📝 Walkthrough

Walkthrough

Updates the npm package publish allowlist in package.json (replacing many legacy entries with top-level plugin/config inclusions and an explicit per-skill list) and adds a new test that computes and validates the publish surface against manifests/install-modules.json; also updates an existing publish-related test.

Changes

Cohort / File(s)	Summary
Package Configuration package.json	Rewrote the files whitelist: removed many legacy subpaths and root entries, added top-level plugin/config entries (e.g., .opencode/, .claude-plugin/, .codex-plugin/, .gemini/, agent.yaml, VERSION, install.*), expanded/reorganized scripts/ entries, and replaced broad skills/ include with an explicit per-skill directory list plus a root doc.
Existing Test Update tests/scripts/build-opencode.test.js	Adjusted assertion to expect .opencode/ directory in package.json.files (was .opencode/dist/) while keeping npm-pack payload assertions.
New Test tests/scripts/npm-publish-surface.test.js	Added comprehensive test that builds expected publish paths from manifests/install-modules.json (normalizes, dedups ancestor-covered paths), asserts exact package.json.files equality, and verifies npm pack --dry-run --json includes required files and excludes disallowed paths.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Reduce npm publish surface to module graph #445 — Implements narrowing of npm publish surface and CI validation tied to the module catalog.
• chore: reduce npm publish surface to module graph #441 — Related goal to align published payload with module graph and audit files entries.

Possibly related PRs

• fix: harden release surface version and packaging sync #1388 — Also modifies package.json files whitelist and updates npm-pack test expectations for opencode.
• feat(opencode): add changed-files tree with change indicators #815 — Adds .opencode modules/tools that necessitate package publish-surface updates.
• feat(codex): add Codex native plugin manifest and fix Claude plugin.json #960 — Adds plugin artifacts to the publish whitelist and adjusts tests for plugin files.

Poem

🐰
I hopped through manifests, trimmed the fluff away,
Packed only what matters for a sunnier day.
Tests guard the gate, tidy and spry—
A leaner bundle under the sky. 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: narrowing the npm publish surface to align with the module graph, which is the core objective of this PR.
Linked Issues check	✅ Passed	The PR fully addresses issue #445 requirements: audits and adjusts package.json files field, aligns with module catalog via new validation test, limits published payload, and adds CI validation for package contents.
Out of Scope Changes check	✅ Passed	All changes directly support the PR objective to narrow npm publish surface: package.json files update, new regression test, and build test update are all in scope and necessary for the module-graph-backed allowlist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-publish-surface

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd2aec48ed

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include schema assets in published package

The new files allowlist drops schemas/, but runtime code in scripts/lib/install/config.js, scripts/lib/install-state.js, and scripts/lib/state-store/schema.js reads JSON schemas from that directory during normal CLI flows (install planning/apply, install-state validation, and state-store validation). With this commit’s publish surface, npm tarballs omit those schema files, so users installing from npm will hit file-read failures at runtime when these paths execute. Please add schemas/ back to the publish surface.

Useful? React with 👍 / 👎.

[ecc-tools]

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

[cubic-dev-ai]

No issues found across 3 files

[greptile-apps]

Greptile Summary

This PR narrows the package.json files allowlist to the module-graph-backed runtime paths from manifests/install-modules.json plus an explicit extra-assets list, preventing accidental bloat. A new regression test (npm-publish-surface.test.js) enforces strict equality between the published surface and the computed expected set, and build-opencode.test.js gains an assertion that .opencode/ is present in the files list.

Confidence Score: 5/5

Safe to merge — the publish surface narrowing is correct and the regression test logic is sound.

All findings are P2 style suggestions. No logic errors, missing assets, or correctness issues were identified in the module graph alignment or the isCoveredByAncestor deduplication logic.

tests/scripts/npm-publish-surface.test.js — extraPaths coupling comment and JSON parse guard

Important Files Changed

Filename	Overview
package.json	Files allowlist narrowed to module-graph paths + explicit runtime allowlist; all listed entries verified to match the module graph in install-modules.json.
tests/scripts/npm-publish-surface.test.js	New regression test that enforces strict equality between package.json files and module-graph-derived paths; extraPaths list introduces a third source of truth that must stay in sync manually.
tests/scripts/build-opencode.test.js	Adds assertion that .opencode/ is included in package.json files; test structure and assertions are correct.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[manifests/install-modules.json] -->|flatMap paths| B[module graph paths]
    C[extraPaths hardcoded in test] --> D[combined Set]
    B --> D
    D -->|filter isCoveredByAncestor| E[expectedPublishPaths sorted]
    F[package.json files] -->|normalizePublishPath + sort| G[actualPublishPaths]
    E -->|deepStrictEqual| H{Test 1: surface contract}
    H -->|pass| I[✓ files match module graph]
    H -->|fail| J[✗ drift detected]
    F -->|npm pack dry-run| K[packaged file list]
    K -->|assert includes| L{Test 2: required paths present}
    K -->|assert excludes| M{Test 3: excluded paths absent}
    L --> N[✓ runtime assets in tarball]
    M --> O[✓ dev-only content excluded]

Loading

_{Reviews (1): Last reviewed commit: "fix: keep runtime schemas in npm package" | Re-trigger Greptile}

[greptile-apps]

Third source of truth — coupling not surfaced in failure messages

extraPaths creates a third file developers must update (alongside package.json and manifests/install-modules.json) whenever a new standalone runtime script is added. When the deepStrictEqual on line 95 fails, the diff output lists path strings with no indication of where the fix belongs. A small comment here would make the coupling explicit for future contributors.

Suggested change

	const extraPaths = [
	"manifests",
	"scripts/ecc.js",
	"scripts/catalog.js",
	"scripts/claw.js",
	"scripts/doctor.js",
	"scripts/status.js",
	"scripts/sessions-cli.js",
	"scripts/install-apply.js",
	"scripts/install-plan.js",
	"scripts/list-installed.js",
	"scripts/skill-create-output.js",
	"scripts/repair.js",
	"scripts/harness-audit.js",
	"scripts/session-inspect.js",
	"scripts/uninstall.js",
	"scripts/gemini-adapt-agents.js",
	"scripts/codex/merge-codex-config.js",
	"scripts/codex/merge-mcp-config.js",
	".codex-plugin",
	".mcp.json",
	"install.sh",
	"install.ps1",
	"schemas",
	"agent.yaml",
	"VERSION",
	]
	// extraPaths: runtime assets that ship in the tarball but are not represented
	// in manifests/install-modules.json (e.g. top-level CLI entry-points, install
	// scripts, and config singletons). Keep this list in sync with package.json
	// "files" whenever a new standalone script is added.
	const extraPaths = [
	"manifests",
	"scripts/ecc.js",
	"scripts/catalog.js",
	"scripts/claw.js",
	"scripts/doctor.js",
	"scripts/status.js",
	"scripts/sessions-cli.js",
	"scripts/install-apply.js",
	"scripts/install-plan.js",
	"scripts/list-installed.js",
	"scripts/skill-create-output.js",
	"scripts/repair.js",
	"scripts/harness-audit.js",
	"scripts/session-inspect.js",
	"scripts/uninstall.js",
	"scripts/gemini-adapt-agents.js",
	"scripts/codex/merge-codex-config.js",
	"scripts/codex/merge-mcp-config.js",
	".codex-plugin",
	".mcp.json",
	"install.sh",
	"install.ps1",
	"schemas",
	"agent.yaml",
	"VERSION",
	]

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Opaque SyntaxError on unexpected npm stdout

JSON.parse(result.stdout) will throw an unguarded SyntaxError if npm emits anything non-JSON to stdout (e.g. a warning line in an older npm version, or output from prepack reaching stdout). The runTest wrapper will catch it, but the error message will be "Unexpected token …" with no clue that it is a parse failure. Wrapping the parse makes failures self-describing:

Suggested change

	const packOutput = JSON.parse(result.stdout)
	const packagedPaths = new Set(packOutput[0]?.files?.map((file) => file.path) ?? [])
	let packOutput
	try {
	packOutput = JSON.parse(result.stdout)
	} catch {
	assert.fail(`npm pack --dry-run did not produce valid JSON.\nstdout: ${result.stdout.slice(0, 500)}`)
	}