fix: add missing "files" entries to package.json

[ymc9]

Summary by CodeRabbit

• Chores
  • Updated distribution settings for multiple packages (CLI, client helpers, and Zod) so compiled build output is included when those packages are published, ensuring consumers receive the packaged artifacts and reducing publish-time omissions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Three package.json files were updated to add a top-level files field that controls which paths are included when publishing: packages/cli lists ["dist","bin"], while packages/clients/client-helpers and packages/zod list ["dist"]. No other fields or logic changed.

Changes

Cohort / File(s)	Summary
CLI package packages/cli/package.json	Added "files": ["dist", "bin"] to declare published contents include dist and bin.
Library packages packages/clients/client-helpers/package.json, packages/zod/package.json	Added "files": ["dist"] to declare published contents include only dist.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through JSON late at night,
Marked which folders should take flight,
dist for most, bin for one—
Packages tidy, job well done! ✨

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding missing 'files' entries to package.json files across three packages (cli, client-helpers, and zod).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57f2bf4 and 90bcc91.

📒 Files selected for processing (1)

• packages/cli/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/cli/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-test (22.x, sqlite)
• GitHub Check: build-test (22.x, postgresql)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: Missing "files" entries in package.json

Todo List:

• Read modified package.json files to understand changes
• Verify files entries match actual directory structure
• Check for consistency across packages
• Analyze impact on package publishing
• Provide comprehensive review feedback

Review Summary

This PR correctly adds missing "files": ["dist"] entries to three packages, ensuring only built artifacts are published to npm. However, there's one critical issue that needs immediate attention.

✅ Positive Changes

• Consistency: Brings cli, client-helpers, and zod packages in line with other monorepo packages
• Publishing Safety: Prevents accidental inclusion of source files, tests, and dev configs in published packages
• Performance: Reduces package size by excluding unnecessary files

🚨 Critical Issue: CLI Package Missing Binary

The @zenstackhq/cli package has a bin field pointing to "bin/cli" but the files array only includes "dist". This will break the CLI installation because the binary file won't be published.

Required Fix:

"files": [
    "dist",
    "bin"
],

Evidence:

• packages/cli/package.json:20-23 defines "zen" and "zenstack" binaries pointing to "bin/cli"
• The bin/cli file exists and imports from ../dist/index.js
• Without including "bin" in files, npm install will fail to create executable commands

🔍 Other Observations

• client-helpers: ✅ Correctly includes only "dist" - has proper exports pointing to dist files
• zod: ✅ Correctly includes only "dist" - is a private package but follows good practices
• Directory Structure: All packages have consistent build output to dist/ folders
• Build Process: Uses tsup-node for compilation, outputs to dist as expected

📋 Recommendations

1. CRITICAL: Add "bin" to the files array in packages/cli/package.json
2. Test: Verify with pnpm pack that the binary is included in the tarball
3. Future: Consider adding .npmignore as an alternative if files arrays become complex

🔒 Security & Performance

• ✅ No security concerns - properly excludes source and test files
• ✅ Performance improvement - smaller package sizes
• ✅ No breaking changes for client-helpers and zod packages

[Copilot]

Pull request overview

This PR adds the "files" field to three package.json files to explicitly specify which files should be included when the packages are published to npm. Without this field, npm may include unwanted files or rely on default inclusion rules.

• Adds "files" array containing "dist" to @zenstackhq/zod
• Adds "files" array containing "dist" to @zenstackhq/client-helpers
• Adds "files" array containing "dist" to @zenstackhq/cli

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
packages/zod/package.json	Adds "files" field with "dist" directory to control package contents
packages/clients/client-helpers/package.json	Adds "files" field with "dist" directory to control package contents
packages/cli/package.json	Adds "files" field with "dist" directory, but missing required "bin" directory

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI Agents

In @packages/cli/package.json:
- Around line 24-26: The package.json "files" array excludes the CLI executable,
so the bin/cli file (which provides the zen and zenstack commands and imports
../dist/index.js) won't be published; update the "files" array in package.json
to include "bin" in addition to "dist" (e.g., change "files": ["dist"] to
include "bin") so the bin/cli executable is packaged and the zen/zenstack
commands work for users.

🧹 Nitpick comments (1)

packages/zod/package.json (1)

13-15: Unnecessary "files" field for private package.

This package is marked as "private": true (line 7), meaning it will never be published to npm. The "files" field only affects published packages, so adding it here has no effect and may cause confusion.

Consider removing this field from private packages.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4b79d0 and 57f2bf4.

📒 Files selected for processing (3)

• packages/cli/package.json
• packages/clients/client-helpers/package.json
• packages/zod/package.json

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-11-26T01:55:04.540Z

Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Applies to **/*.zmodel : ZModel schema files should define database structure and policies that compile to TypeScript via `zenstack generate`

Applied to files:

• packages/clients/client-helpers/package.json

📚 Learning: 2025-12-30T15:07:10.092Z

Learnt from: mwillbanks
Repo: zenstackhq/zenstack-v3 PR: 550
File: packages/orm/src/client/crud/operations/base.ts:158-159
Timestamp: 2025-12-30T15:07:10.092Z
Learning: In the zenstackhq/zenstack-v3 codebase, ts-expect-error should be heavily avoided in production code (packages/*). It is acceptable in test files but production code should use proper type annotations, type assertions, or refactoring to resolve type errors instead.

Applied to files:

• packages/clients/client-helpers/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Agent
• GitHub Check: claude-review
• GitHub Check: build-test (22.x, sqlite)
• GitHub Check: build-test (22.x, postgresql)

🔇 Additional comments (1)

packages/clients/client-helpers/package.json (1)

16-18: LGTM! Files field correctly includes the dist directory.

The "files" field appropriately restricts the published package to the dist directory, which aligns with all the package exports. Standard files like package.json, README, and LICENSE are automatically included by npm.

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: Missing "files" entries in package.json

Todo List:

• Read all modified package.json files to understand current state
• Verify CLI binary issue resolution in latest commit
• Check directory structures and build outputs
• Analyze package publishing strategy and consistency
• Review for code quality, bugs, performance, and security issues
• Provide comprehensive review feedback

---

✅ Overall Assessment

This PR correctly addresses missing "files" entries in package.json files and the critical CLI binary issue has been resolved in the latest commit (90bcc91). The changes improve package publishing safety and consistency across the monorepo.

Code Quality & Best Practices

✅ Positive Changes:

• CLI Package Fixed: The @zenstackhq/cli package now correctly includes both "dist" and "bin" in the files array (lines 24-27), ensuring the CLI executables will be published
• Consistency: All three packages now follow the monorepo pattern of explicitly declaring published files
• Publishing Safety: Prevents accidental inclusion of source files, tests, and development configurations in published packages
• Performance: Reduces package size by excluding unnecessary files

⚠️ Minor Issues:

1. Unnecessary "files" field in private package (packages/zod/package.json:13-15):
   • The zod package is marked as "private": true (line 7)
   • Private packages are never published to npm, making the "files" field redundant
   • Impact: No functional impact, but may cause developer confusion
   • Recommendation: Consider removing for clarity, though this is a minor nitpick

Potential Bugs & Issues

🚨 Critical Issue Found Outside This PR:
While reviewing for consistency, I discovered that packages/create-zenstack/package.json has the same binary issue that was just fixed in the CLI package:

• Has "bin": {"create-zenstack": "bin/cli"} but "files": ["dist"] (missing "bin")
• This will break the create-zenstack command installation
• Not part of this PR but should be addressed separately

✅ No Other Issues Found:

• All exports correctly point to dist files
• Directory structures match the files declarations
• Build configurations are consistent

Performance Considerations

✅ Improvements:

• Smaller package sizes due to exclusion of unnecessary files
• Faster npm installs due to reduced download sizes
• No runtime performance impact

Security Concerns

✅ Security Improvements:

• Prevents accidental exposure of:
  • Source code and development files
  • Test files that might contain sensitive test data
  • Configuration files with potential secrets
  • Build artifacts not intended for distribution

✅ No Security Issues Found:

• No secrets or sensitive data in the modified files
• Proper file restrictions improve security posture

Test Coverage

ℹ️ Test Considerations:

• These changes are configuration-only and don't require unit tests
• Recommended verification: Run pnpm pack on each modified package to verify the tarball contents
• The binary functionality should be tested after publishing to ensure CLI commands work correctly

Architecture & Consistency

✅ Excellent Consistency:

• Follows established patterns from other packages like @zenstackhq/orm, @zenstackhq/sdk, @zenstackhq/common-helpers
• The @zenstackhq/language package correctly includes both "dist" and "res" for its resource files
• CLI package now correctly handles both compiled code and binary files

Summary

This is a high-quality fix that addresses an important packaging issue. The critical CLI binary problem has been properly resolved, and the changes follow monorepo best practices. The only suggestion is to consider removing the unnecessary "files" field from the private zod package for clarity.

Recommendation: ✅ Approve and merge after verifying package contents with pnpm pack.

---