fix(packaging): include auth/ and operator/ in published tarball (2.7.2)

.github/workflows/ci.yml

@@ -170,6 +170,38 @@ jobs:
           }
           SCRIPT
 
+      - name: Verify published tarball imports cleanly
+        # Catches packaging regressions where a directory is imported by index.js
+        # but missing from package.json "files" — the regression that broke 2.7.1
+        # (auth/ + operator/ unpublished, npm install → ERR_MODULE_NOT_FOUND).
+        run: |
+          set -e
+          npm pack --silent
+          TARBALL=$(ls blue-js-sdk-*.tgz | head -1)
+          VERIFY_DIR=$(mktemp -d)
+          cp "$TARBALL" "$VERIFY_DIR/"
+          cd "$VERIFY_DIR"
+          npm init -y >/dev/null
+          npm install "./$TARBALL" --no-audit --no-fund --ignore-scripts --silent
+          node --input-type=module <<'SCRIPT'
+          try {
+            const m = await import('blue-js-sdk');
+            const count = Object.keys(m).length;
+            if (count < 100) {
+              console.error(`Expected 100+ exports from published tarball, got ${count}`);
+              process.exit(1);
+            }
+            console.log(`Published tarball imports cleanly: ${count} exports`);
+          } catch (e) {
+            console.error('FAILED to import published tarball:', e.message);
+            if (e.code === 'ERR_MODULE_NOT_FOUND') {
+              console.error('A directory referenced by index.js is missing from package.json "files".');
+              console.error('Add it to the "files" array, then rerun npm pack to verify.');
+            }
+            process.exit(1);
+          }
+          SCRIPT
+
       - name: Verify submodule imports resolve
         run: |
           node --input-type=module <<'SCRIPT'

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 Every fix made during SDK creation, why it matters, and what happens if you use upstream Sentinel code directly without these fixes.
 
+## v2.7.2 — Packaging Fix: include `auth/` and `operator/` in tarball (2026-05-02)
+
+**2.7.1 shipped without `auth/` and `operator/` directories.** `index.js` imports
+from both (`./auth/adr36.js`, `./operator/auto-lease.js`, etc.), but they were
+absent from the `files` array in `package.json`. Local CI passed because every
+relative import resolved on disk — but `npm install blue-js-sdk@2.7.1` threw
+`ERR_MODULE_NOT_FOUND: ...auth/adr36.js` for every consumer. Plan Manager's
+attempt to upgrade to 2.7.1 surfaced the regression.
+
+### Fix
+- `package.json` `files`: added `auth/` and `operator/` so they ship in the tarball.
+- `.github/workflows/ci.yml`: added a "Verify published tarball imports cleanly"
+  step that runs `npm pack`, installs the resulting tarball into a temp directory,
+  and imports `blue-js-sdk` — the only test that exercises the actual published
+  surface. Local-import checks (which 2.7.1's CI relied on) cannot catch
+  packaging drift; only a tarball install can.
+
+### Rule
+**Every directory imported by `index.js` MUST appear in `package.json` "files".**
+The tarball-install CI step is now the gate that enforces this. Adding a new
+top-level directory? It must also be added to `files` in the same diff.
+
+---
+
 ## v2.3.0 — RPC-First Migration (2026-04-14)
 
 **100% of chain queries now use RPC-first with LCD fallback.** Protobuf/ABCI queries via Tendermint37Client are ~912x faster than LCD REST. If RPC fails, every query automatically falls back to LCD.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "blue-js-sdk",
-  "version": "2.7.1",
+  "version": "2.7.2",
   "description": "Decentralized VPN SDK for the Sentinel P2P bandwidth network. WireGuard + V2Ray tunnels, Cosmos blockchain, 900+ nodes. Tested on Windows. macOS/Linux support included but untested.",
   "type": "module",
   "main": "index.js",
@@ -33,6 +33,7 @@
   "files": [
     "*.js",
     "types/",
+    "auth/",
     "chain/",
     "connection/",
     "protocol/",
@@ -42,6 +43,7 @@
     "speedtest/",
     "state/",
     "client/",
+    "operator/",
     "cli/",
     "config/",
     "errors/",