
[AAASM-2326] 🐛 (npm): Ship scripts/postinstall.mjs in published tarball #64

Merged: Chisanan232 merged 1 commit into master from v0.0.1/AAASM-2326/fix/npm_postinstall_packaging, Jun 1, 2026


@Chisanan232 Chisanan232 commented Jun 1, 2026

Description

v0.0.1-alpha.3 verified AAASM-2190's --access public fix unblocked the publish, but the published tarball is broken on install:

npm error Cannot find module '/tmp/.../scripts/postinstall.mjs'

Root cause: package.json declares
"postinstall": "node ./scripts/postinstall.mjs"
but the files: array doesn't include scripts/ — so pnpm pack produces a tarball without the postinstall script it tries to run.

Severity

High. All currently-published @agent-assembly/sdk@0.0.1-alpha.{1,2,3} versions are unusable by end users (npm install always fails). After this PR merges + next tag publishes, consider npm deprecate on the 3 broken pre-release versions.

Fix

Add scripts/postinstall.mjs to the files: array.

Local verification

$ pnpm pack
$ tar -tzf agent-assembly-sdk-0.0.1-alpha.3.tgz | grep postinstall
  package/scripts/postinstall.mjs    ← present

$ cd /tmp/fresh-dir
$ npm install /tmp/agent-assembly-sdk-0.0.1-alpha.3.tgz
  added 36 packages, audited 37 packages in 5s, 0 vulnerabilities
  ← no Cannot-find-module error

Related

— Claude Code (Opus 4.7, 1M context)

v0.0.1-alpha.3 published successfully (AAASM-2190 access-public fix
worked) but the tarball was broken on consumer install:

  npm error Cannot find module '.../scripts/postinstall.mjs'

Root cause: package.json declares
  scripts.postinstall = "node ./scripts/postinstall.mjs"
but the files: array doesn't include scripts/ — only dist/, native/,
README, LICENSE. So npm pack ships package.json + dist/ + native/
but NOT the postinstall script it tries to run.

Fix: add scripts/postinstall.mjs to the files: array.

Verified locally:

  $ pnpm pack
  $ tar -tzf agent-assembly-sdk-0.0.1-alpha.3.tgz | grep postinstall
    package/scripts/postinstall.mjs    ← present

  $ cd /tmp/fresh-dir
  $ npm install /tmp/agent-assembly-sdk-0.0.1-alpha.3.tgz
    added 36 packages, audited 37 packages in 5s
    0 vulnerabilities                  ← no postinstall error

The existing @agent-assembly/sdk@0.0.1-alpha.{1,2,3} on the npm
registry are unusable by end users (same bug as alpha-3). After
this PR merges + a new tag publishes, consider deprecating the
3 broken pre-release versions on npm — `npm deprecate
@agent-assembly/sdk@<broken-ver> "broken postinstall, use newer"`.

Tracked: AAASM-2326

codecov Bot commented Jun 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


sonarqubecloud Bot commented Jun 1, 2026


Chisanan232 commented Jun 1, 2026

Claude Code review — AAASM-2326

CI state

25/25 SUCCESS; mergeable=MERGEABLE, mergeStateStatus=CLEAN. Full node-sdk matrix green: napi-build × 4 OS-Node combinations, module-smoke (18/20/22), test (3 × 3 OS-Node combinations), quality, coverage-and-analysis, SonarCloud, Codecov.

Scope vs. acceptance criteria

AC Verified Status
scripts/postinstall.mjs added to files: array in package.json confirmed (1-line addition)
pnpm pack locally produces tarball containing package/scripts/postinstall.mjs confirmed via tar -tzf
npm install <tarball> in fresh directory succeeds with no Cannot find module 'postinstall.mjs' error confirmed (36 packages added, 0 vulnerabilities, no postinstall failure)
Diff scoped to package.json only confirmed

Severity callout in PR body — agree

The PR body flags this as High severity because @agent-assembly/sdk@0.0.1-alpha.{1,2,3} already on the npm registry are all unusable by end users — the postinstall hook fails on every npm install. After this PR merges + the next tag publishes a working version, deprecating the 3 broken pre-releases via npm deprecate is the right operational follow-up. PR body documents this explicitly.

Potential concern: are there OTHER missing-from-tarball files?

The PR fixes only scripts/postinstall.mjs — the immediate blocker. The current files: array is:

["dist/", "scripts/postinstall.mjs", "native/aa-ffi-node/*.node", "native/aa-ffi-node/index.cjs", "native/aa-ffi-node/index.d.ts", "README.md", "LICENSE"]

Worth a follow-up audit: does any code path inside dist/ reference a file in the repo that isn't in files:? (e.g., a relative import from dist/cjs/foo.js to ../scripts/helper.mjs). The pnpm-pack + fresh-dir-npm-install verification I ran wouldn't catch all such cases — it only confirms the postinstall hook doesn't crash, not that every code path works end-to-end at runtime.

Not blocking this PR — fixing the postinstall is necessary regardless. But the files: array deserves a fuller audit in a follow-up.

Verdict

Ready for human approval and merge. Fix is correct, locally end-to-end verified, severity is appropriately flagged. Recommend filing a follow-up "audit files: array completeness" subtask under AAASM-1203 after this lands.

— Claude Code (Opus 4.7, 1M context)
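
The `tar -tzf | grep postinstall` check from this thread can be turned into a pre-publish guard. The sketch below is an added example, not code from this repository, and it goes slightly beyond the PR by covering all three install-time hooks. The function names, the sample listings and the `dist/index.js` entry are constructed for illustration.

```javascript
// Added example, not project code. Reports install-time lifecycle hooks whose
// script file is absent from a packed tarball (the failure in this PR).

// Hooks npm runs on the consumer's machine during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Pull relative JS file paths out of a script command, e.g.
// "node ./scripts/postinstall.mjs" -> ["scripts/postinstall.mjs"].
// Heuristic: any token ending in .js/.mjs/.cjs that is not an absolute path.
function referencedFiles(command) {
  return command
    .split(/[\s;&|]+/)
    .map((tok) => tok.replace(/^["']|["']$/g, '').replace(/^(\.\/)+/, ''))
    .filter((tok) => /\.(mjs|cjs|js)$/.test(tok) && !tok.startsWith('/'));
}

// pkg: parsed package.json; tarListing: lines printed by `tar -tzf <pkg>.tgz`.
// npm tarballs root every entry under "package/", so strip that prefix.
function missingInstallScripts(pkg, tarListing) {
  const packed = new Set(tarListing.map((p) => p.trim().replace(/^package\//, '')));
  const missing = [];
  for (const hook of INSTALL_HOOKS) {
    const command = (pkg.scripts || {})[hook];
    if (!command) continue;
    for (const file of referencedFiles(command)) {
      if (!packed.has(file)) missing.push({ hook, file });
    }
  }
  return missing;
}

// Constructed sample data: the postinstall entry is the one quoted in the PR;
// dist/index.js is a made-up stand-in for the build output.
const PKG = { scripts: { postinstall: 'node ./scripts/postinstall.mjs' } };
const BROKEN_TARBALL = [
  'package/package.json', 'package/dist/index.js',
  'package/README.md', 'package/LICENSE',
];
const FIXED_TARBALL = [...BROKEN_TARBALL, 'package/scripts/postinstall.mjs'];

console.log(missingInstallScripts(PKG, BROKEN_TARBALL));
// [ { hook: 'postinstall', file: 'scripts/postinstall.mjs' } ]
console.log(missingInstallScripts(PKG, FIXED_TARBALL));
// []
```

In CI, pass it the real `tar -tzf` listing of the tarball that `pnpm pack` produced and fail the publish job when the result is non-empty.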

@Chisanan232 Chisanan232 merged commit 0ea0379 into master Jun 1, 2026
25 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-2326/fix/npm_postinstall_packaging branch June 1, 2026 13:32