diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 28d6e23..070e85d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -170,6 +170,38 @@ jobs: } SCRIPT + - name: Verify published tarball imports cleanly + # Catches packaging regressions where a directory is imported by index.js + # but missing from package.json "files" — the regression that broke 2.7.1 + # (auth/ + operator/ unpublished, npm install → ERR_MODULE_NOT_FOUND). + run: | + set -e + npm pack --silent + TARBALL=$(ls blue-js-sdk-*.tgz | head -1) + VERIFY_DIR=$(mktemp -d) + cp "$TARBALL" "$VERIFY_DIR/" + cd "$VERIFY_DIR" + npm init -y >/dev/null + npm install "./$TARBALL" --no-audit --no-fund --ignore-scripts --silent + node --input-type=module <<'SCRIPT' + try { + const m = await import('blue-js-sdk'); + const count = Object.keys(m).length; + if (count < 100) { + console.error(`Expected 100+ exports from published tarball, got ${count}`); + process.exit(1); + } + console.log(`Published tarball imports cleanly: ${count} exports`); + } catch (e) { + console.error('FAILED to import published tarball:', e.message); + if (e.code === 'ERR_MODULE_NOT_FOUND') { + console.error('A directory referenced by index.js is missing from package.json "files".'); + console.error('Add it to the "files" array, then rerun npm pack to verify.'); + } + process.exit(1); + } + SCRIPT + - name: Verify submodule imports resolve run: | node --input-type=module <<'SCRIPT' diff --git a/CHANGELOG.md b/CHANGELOG.md index 243d3dd..4dfeaaf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,30 @@ Every fix made during SDK creation, why it matters, and what happens if you use upstream Sentinel code directly without these fixes. +## v2.7.2 — Packaging Fix: include `auth/` and `operator/` in tarball (2026-05-02) + +**2.7.1 shipped without `auth/` and `operator/` directories.** `index.js` imports +from both (`./auth/adr36.js`, `./operator/auto-lease.js`, etc.), but they were +absent from the `files` array in `package.json`. Local CI passed because every +relative import resolved on disk — but `npm install blue-js-sdk@2.7.1` threw +`ERR_MODULE_NOT_FOUND: ...auth/adr36.js` for every consumer. Plan Manager's +attempt to upgrade to 2.7.1 surfaced the regression. + +### Fix +- `package.json` `files`: added `auth/` and `operator/` so they ship in the tarball. +- `.github/workflows/ci.yml`: added a "Verify published tarball imports cleanly" + step that runs `npm pack`, installs the resulting tarball into a temp directory, + and imports `blue-js-sdk` — the only test that exercises the actual published + surface. Local-import checks (which 2.7.1's CI relied on) cannot catch + packaging drift; only a tarball install can. + +### Rule +**Every directory imported by `index.js` MUST appear in `package.json` "files".** +The tarball-install CI step is now the gate that enforces this. Adding a new +top-level directory? It must also be added to `files` in the same diff. + +--- + ## v2.3.0 — RPC-First Migration (2026-04-14) **100% of chain queries now use RPC-first with LCD fallback.** Protobuf/ABCI queries via Tendermint37Client are ~912x faster than LCD REST. If RPC fails, every query automatically falls back to LCD. diff --git a/package.json b/package.json index 1e7b228..9180b31 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "blue-js-sdk", - "version": "2.7.1", + "version": "2.7.2", "description": "Decentralized VPN SDK for the Sentinel P2P bandwidth network. WireGuard + V2Ray tunnels, Cosmos blockchain, 900+ nodes. Tested on Windows. macOS/Linux support included but untested.", "type": "module", "main": "index.js", @@ -33,6 +33,7 @@ "files": [ "*.js", "types/", + "auth/", "chain/", "connection/", "protocol/", @@ -42,6 +43,7 @@ "speedtest/", "state/", "client/", + "operator/", "cli/", "config/", "errors/",