fix(installer): Ship runtime libs in npm package

Include tools/lib in the published npm files whitelist so the npx installer can resolve symlink-safety at runtime. Add a regression test that checks npm pack --dry-run --json for the expected packaged files.

Fixes #315

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -9,6 +9,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [7.9.2] - 2026-03-15 - "npm CLI Packaging Fix"
+
+> **Patch release to fix the published npm CLI bundle so `npx antigravity-awesome-skills` resolves its runtime helper modules correctly**
+
+This release fixes a packaging regression in the published npm artifact. Version `7.9.1` shipped `tools/bin/install.js` without the required `tools/lib` runtime helpers, causing `npx antigravity-awesome-skills` to fail with `MODULE_NOT_FOUND` for `../lib/symlink-safety`.
+
+## New Skills
+
+- **None in this release** — `7.9.2` is a focused patch release for the npm installer bundle.
+
+## Improvements
+
+- **npm package contents**: Expanded the published `files` whitelist to ship `tools/lib/*` alongside `tools/bin/*`, restoring the runtime dependency required by the installer entrypoint.
+- **Regression coverage**: Added a package-contents test that checks `npm pack --dry-run --json` and asserts the published tarball includes both `tools/bin/install.js` and `tools/lib/symlink-safety.js`.
+- **CLI verification**: Verified the extracted packaged entrypoint runs successfully with `--help`, confirming the published layout no longer reproduces the missing-module crash reported in issue `#315`.
+
+## Credits
+
+- **Issue #315 reporter** for isolating the npm packaging regression in the published CLI artifact.
+
 ## [7.9.1] - 2026-03-15 - "Security Hardening Follow-up"
 
 > **Follow-up release to 7.9.0: same security batch, additional hardening focused on mutating endpoints, markdown rendering, and doc-risk enforcement**

package.json

@@ -42,7 +42,8 @@
     "antigravity-awesome-skills": "tools/bin/install.js"
   },
   "files": [
-    "tools/bin"
+    "tools/bin",
+    "tools/lib"
   ],
   "keywords": [
     "claude-code",

tools/scripts/tests/npm_package_contents.test.js

@@ -0,0 +1,34 @@
+const assert = require("assert");
+const { spawnSync } = require("child_process");
+const path = require("path");
+
+const repoRoot = path.resolve(__dirname, "..", "..", "..");
+const npmCommand = process.platform === "win32" ? "npm.cmd" : "npm";
+
+function runNpmPackDryRunJson() {
+  const result = spawnSync(npmCommand, ["pack", "--dry-run", "--json"], {
+    cwd: repoRoot,
+    encoding: "utf8",
+  });
+
+  if (result.error) {
+    throw result.error;
+  }
+
+  if (typeof result.status !== "number" || result.status !== 0) {
+    throw new Error(result.stderr.trim() || "npm pack --dry-run --json failed");
+  }
+
+  return JSON.parse(result.stdout);
+}
+
+const packOutput = runNpmPackDryRunJson();
+assert.ok(Array.isArray(packOutput) && packOutput.length > 0, "npm pack should return package metadata");
+
+const packagedFiles = new Set(packOutput[0].files.map((file) => file.path));
+
+assert.ok(packagedFiles.has("tools/bin/install.js"), "published package must include tools/bin/install.js");
+assert.ok(
+  packagedFiles.has("tools/lib/symlink-safety.js"),
+  "published package must include tools/lib/symlink-safety.js",
+);

tools/scripts/tests/run-test-suite.js

@@ -9,6 +9,7 @@ const TOOL_SCRIPTS = path.join("tools", "scripts");
 const TOOL_TESTS = path.join(TOOL_SCRIPTS, "tests");
 const LOCAL_TEST_COMMANDS = [
   [path.join(TOOL_TESTS, "jetski_gemini_loader.test.js")],
+  [path.join(TOOL_TESTS, "npm_package_contents.test.js")],
   [path.join(TOOL_TESTS, "validate_skills_headings.test.js")],
   [path.join(TOOL_TESTS, "workflow_contracts.test.js")],
   [path.join(TOOL_TESTS, "docs_security_content.test.js")],