From f0fe58df9378331ea6ca5e5132499598beaa87ea Mon Sep 17 00:00:00 2001
From: Sentinel-Bluebuilder <Sentinel-Bluebuilder@users.noreply.github.com>
Date: Sat, 2 May 2026 13:57:38 -0700
Subject: [PATCH] fix(packaging): include auth/ and operator/ in published
 tarball (2.7.2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

2.7.1 shipped broken: package.json "files" omitted auth/ and operator/, so
every `npm install blue-js-sdk@2.7.1` failed with ERR_MODULE_NOT_FOUND on
auth/adr36.js (and operator/auto-lease.js once auth was patched). Local CI
passed because every relative import resolved on disk — only a tarball
install would have caught it.

Changes:
- package.json: add "auth/" and "operator/" to "files"; bump to 2.7.2.
- .github/workflows/ci.yml: add "Verify published tarball imports cleanly"
  step. npm pack → install tarball in temp dir → import blue-js-sdk. This
  is the only test that exercises the actual published surface; the
  existing import checks all run against the source tree.
- CHANGELOG.md: document the regression and the new rule (every directory
  imported by index.js must appear in "files"; the tarball-install CI
  step is the gate).

Surfaced by: Plan Manager 2.7.0 → 2.7.1 upgrade attempt threw
`ERR_MODULE_NOT_FOUND: ...blue-js-sdk/auth/adr36.js`. Plan Manager
remained pinned to 2.7.0 with a runtime RPC patch as a workaround.

Verified: clean-room `npm pack` + temp-dir install + `import('blue-js-sdk')`
returns 401 exports.
---
 .github/workflows/ci.yml | 32 ++++++++++++++++++++++++++++++++
 CHANGELOG.md             | 24 ++++++++++++++++++++++++
 package.json             |  4 +++-
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 28d6e23..070e85d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -170,6 +170,38 @@ jobs:
           }
           SCRIPT
 
+      - name: Verify published tarball imports cleanly
+        # Catches packaging regressions where a directory is imported by index.js
+        # but missing from package.json "files" — the regression that broke 2.7.1
+        # (auth/ + operator/ unpublished, npm install → ERR_MODULE_NOT_FOUND).
+        run: |
+          set -e
+          npm pack --silent
+          TARBALL=$(ls blue-js-sdk-*.tgz | head -1)
+          VERIFY_DIR=$(mktemp -d)
+          cp "$TARBALL" "$VERIFY_DIR/"
+          cd "$VERIFY_DIR"
+          npm init -y >/dev/null
+          npm install "./$TARBALL" --no-audit --no-fund --ignore-scripts --silent
+          node --input-type=module <<'SCRIPT'
+          try {
+            const m = await import('blue-js-sdk');
+            const count = Object.keys(m).length;
+            if (count < 100) {
+              console.error(`Expected 100+ exports from published tarball, got ${count}`);
+              process.exit(1);
+            }
+            console.log(`Published tarball imports cleanly: ${count} exports`);
+          } catch (e) {
+            console.error('FAILED to import published tarball:', e.message);
+            if (e.code === 'ERR_MODULE_NOT_FOUND') {
+              console.error('A directory referenced by index.js is missing from package.json "files".');
+              console.error('Add it to the "files" array, then rerun npm pack to verify.');
+            }
+            process.exit(1);
+          }
+          SCRIPT
+
       - name: Verify submodule imports resolve
         run: |
           node --input-type=module <<'SCRIPT'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 243d3dd..4dfeaaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,30 @@
 
 Every fix made during SDK creation, why it matters, and what happens if you use upstream Sentinel code directly without these fixes.
 
+## v2.7.2 — Packaging Fix: include `auth/` and `operator/` in tarball (2026-05-02)
+
+**2.7.1 shipped without `auth/` and `operator/` directories.** `index.js` imports
+from both (`./auth/adr36.js`, `./operator/auto-lease.js`, etc.), but they were
+absent from the `files` array in `package.json`. Local CI passed because every
+relative import resolved on disk — but `npm install blue-js-sdk@2.7.1` threw
+`ERR_MODULE_NOT_FOUND: ...auth/adr36.js` for every consumer. Plan Manager's
+attempt to upgrade to 2.7.1 surfaced the regression.
+
+### Fix
+- `package.json` `files`: added `auth/` and `operator/` so they ship in the tarball.
+- `.github/workflows/ci.yml`: added a "Verify published tarball imports cleanly"
+  step that runs `npm pack`, installs the resulting tarball into a temp directory,
+  and imports `blue-js-sdk` — the only test that exercises the actual published
+  surface. Local-import checks (which 2.7.1's CI relied on) cannot catch
+  packaging drift; only a tarball install can.
+
+### Rule
+**Every directory imported by `index.js` MUST appear in `package.json` "files".**
+The tarball-install CI step is now the gate that enforces this. Adding a new
+top-level directory? It must also be added to `files` in the same diff.
+
+---
+
 ## v2.3.0 — RPC-First Migration (2026-04-14)
 
 **100% of chain queries now use RPC-first with LCD fallback.** Protobuf/ABCI queries via Tendermint37Client are ~912x faster than LCD REST. If RPC fails, every query automatically falls back to LCD.
diff --git a/package.json b/package.json
index 1e7b228..9180b31 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "blue-js-sdk",
-  "version": "2.7.1",
+  "version": "2.7.2",
   "description": "Decentralized VPN SDK for the Sentinel P2P bandwidth network. WireGuard + V2Ray tunnels, Cosmos blockchain, 900+ nodes. Tested on Windows. macOS/Linux support included but untested.",
   "type": "module",
   "main": "index.js",
@@ -33,6 +33,7 @@
   "files": [
     "*.js",
     "types/",
+    "auth/",
     "chain/",
     "connection/",
     "protocol/",
@@ -42,6 +43,7 @@
     "speedtest/",
     "state/",
     "client/",
+    "operator/",
     "cli/",
     "config/",
     "errors/",