test(ci): smoke-test publishing via local Verdaccio

Adds scripts/smoketest-publishing.sh, which boots a disposable Verdaccio
registry via 'npx verdaccio', runs 'yarn release:npm' against it (so the
full pack-all + npm-publish loop is exercised end-to-end), then installs
a representative subset of the published tarballs into a fresh consumer
and imports them under SES lockdown. The pattern mirrors agoric-sdk's
scripts/packing/smoketest-publishing.sh but is much smaller: endo
publishes already-built tarballs from dist/ rather than running lerna
publish against the source tree, so there is no dev-version bump, no
lerna, and no git state dance.

Key design points:

  - A custom verdaccio.yaml disables the default npmjs.org uplink
    ('uplinks: {}'). Without this, Verdaccio proxies reads upstream and
    refuses to let us publish over versions that already exist on the
    public registry, since endo's tarballs carry real release numbers
    rather than dev prereleases.

  - A free TCP port is picked via Node's net.createServer() rather than
    hardcoding 4873, so a stray Verdaccio on the conventional port can't
    collide with us and we can't collide with it.

  - HOME is a per-run mktemp dir, so the script never touches the
    developer's ~/.npmrc or leaves auth tokens behind. A SIGTERM/SIGINT
    trap cleans up Verdaccio and the dir on exit.

  - 'npm_config_registry' is inlined on the yarn release:npm command
    only, not exported globally. Exporting it causes 'npx npm-cli-login'
    earlier in the script to try to fetch npm-cli-login itself from the
    empty local registry and 404.

  - The consumer install uses 'npm install <name>' (not '<path>') so
    npm has to resolve each package from the registry. That proves the
    rewritten 'workspace:' deps resolved to concrete versions that
    actually exist in the same registry, and that the cross-package
    type graph is self-consistent in tarball form.

Wired up as 'yarn smoketest:publish' and invoked from ci.yml's build
matrix, replacing the prior pair of steps:

  - 'yarn workspaces foreach --all --topological exec npm pack', which
    could not have worked after the ts-node-pack refactor: the .ts-using
    packages (exo, patterns, eventual-send) no longer have prepack
    hooks, so npm pack would have shipped raw .ts files.

  - 'yarn lerna run prepack' for cross-package type-resolution
    validation. That check is now subsumed by the consumer import step:
    if a package's declarations depend on a neighbor whose published
    form is missing or mis-resolved, the import will fail under SES.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: turadg

.github/workflows/ci.yml

@@ -318,16 +318,20 @@ jobs:
       - name: build
         run: yarn run build
 
-      - name: pack
-        run: yarn workspaces foreach --all --topological exec npm pack
-
-      # Prepack (without cleanup per package) to ensure that type resolution in
-      # dependent packages continues to work when the typedefs are generated by
-      # their upstream packages. This helps avoid a situation in which the types
-      # only resolve because of the state of the local filesystem, and fails
-      # when imported in an NPM node_modules tree.
-      - name: Prepack packages
-        run: yarn lerna run --reject-cycles --concurrency 1 prepack
+      # Smoke-test the publish flow end to end. Boots a disposable
+      # Verdaccio registry, runs `yarn release:npm` against it, then
+      # installs a representative subset of the published tarballs into
+      # a fresh consumer and exercises them under SES lockdown. This
+      # replaces the previous `yarn workspaces foreach exec npm pack`
+      # step (which could not have worked after the ts-node-pack
+      # refactor because the .ts-using packages no longer have prepack
+      # hooks to turn their sources into publishable JS) and also
+      # subsumes the "Prepack packages" type-resolution check: the
+      # consumer imports under SES prove that declarations resolve
+      # cross-package from their published tarball state, not from
+      # whatever source tree happens to be on disk.
+      - name: Smoke-test publish
+        run: yarn smoketest:publish
 
   test-xs:
     name: test-xs

package.json

@@ -59,6 +59,7 @@
     "lint:prettier": "prettier --check .github packages",
     "release:npm": "scripts/release-npm.mjs",
     "pack:all": "scripts/pack-all.mjs",
+    "smoketest:publish": "scripts/smoketest-publishing.sh",
     "test": "yarn workspaces foreach --all --exclude @endo/skel run test",
     "test:c8": "yarn workspaces foreach --all run test:c8",
     "test:xs": "yarn workspaces foreach --all run test:xs",

scripts/smoketest-publishing.sh

@@ -0,0 +1,153 @@
+#! /bin/bash
+# Smoke-test the ts-node-pack publish path against a local Verdaccio
+# registry. Runs the full `yarn release:npm` flow (which internally
+# calls `yarn pack:all` + `npm publish` per tarball) pointed at a
+# disposable Verdaccio instance, then installs a representative subset
+# of the published packages into a fresh consumer project and imports
+# them under SES lockdown.
+#
+# Usage: scripts/smoketest-publishing.sh
+#
+# Requires network access for the first `npx verdaccio` / `npx
+# npm-cli-login` fetch. The registry itself runs offline (no uplinks).
+
+set -ueo pipefail
+
+thisdir=$(cd -- "$(dirname "$0")" > /dev/null && pwd)
+ROOT=$(cd "$thisdir/.." && pwd)
+
+# Isolate npm / yarn state to a per-run HOME so the smoketest cannot
+# stomp on the developer's ~/.npmrc or leave auth tokens behind.
+REGISTRY_HOME=$(mktemp -d -t endo-smoketest-publishing.XXXXX)
+export HOME="$REGISTRY_HOME"
+# Pick a free TCP port so a stray Verdaccio on the conventional 4873 can't
+# collide with us (and vice versa — we never stomp on an unrelated instance).
+REGISTRY_PORT=$(node -e '
+  const s = require("net").createServer();
+  s.listen(0, () => { console.log(s.address().port); s.close(); });
+')
+REGISTRY_URL="http://localhost:$REGISTRY_PORT"
+
+cleanup() {
+  if [ -f "$REGISTRY_HOME/verdaccio.pid" ]; then
+    echo "smoketest-publishing: stopping Verdaccio"
+    kill "$(cat "$REGISTRY_HOME/verdaccio.pid")" 2>/dev/null || true
+  fi
+  rm -rf "$REGISTRY_HOME"
+}
+trap cleanup EXIT
+
+# Write a Verdaccio config that disables the default npmjs.org uplink.
+# We must publish real @endo versions that already exist upstream; with
+# the uplink enabled, Verdaccio proxies the read and rejects the publish
+# as "version already published" against the public registry's state.
+# Offline-only also guarantees that a misconfigured test cannot leak
+# a package to the real registry.
+cat > "$REGISTRY_HOME/verdaccio.yaml" <<EOF
+storage: $REGISTRY_HOME/storage
+auth:
+  htpasswd:
+    file: $REGISTRY_HOME/htpasswd
+    max_users: 1000
+uplinks: {}
+packages:
+  '**':
+    access: \$all
+    publish: \$authenticated
+    unpublish: \$authenticated
+log:
+  type: stdout
+  format: pretty
+  level: warn
+EOF
+
+echo "smoketest-publishing: starting Verdaccio (HOME=$REGISTRY_HOME)"
+(
+  cd "$REGISTRY_HOME"
+  : > verdaccio.log
+  nohup npx --yes verdaccio@^6 --config "$REGISTRY_HOME/verdaccio.yaml" \
+    --listen "$REGISTRY_PORT" &> verdaccio.log &
+  echo $! > verdaccio.pid
+  # Block until verdaccio prints its "http address" line to the log.
+  grep -q 'http address' <(tail -f verdaccio.log)
+)
+
+# We do NOT globally `export npm_config_registry`. That would redirect
+# the next `npx npm-cli-login` at our empty local registry and fail with
+# E404 trying to fetch `npm-cli-login` itself. Instead we scope the
+# override to just the publish command below, where we want it.
+
+# Create a disposable publish user. Verdaccio's default auth plugin
+# (htpasswd) accepts new users via npm's adduser endpoint, which
+# npm-cli-login automates non-interactively. `-r` pins it at our local
+# Verdaccio regardless of the ambient npm config.
+echo "smoketest-publishing: creating disposable publish user"
+npx --yes npm-cli-login@^1 \
+  -u smoketest -p smoketest -e smoketest@example.com \
+  -r "$REGISTRY_URL" --quotes
+
+# Sanity: confirm we are authenticated against the local registry.
+npm whoami --registry "$REGISTRY_URL"
+
+# Run the real release flow. `release:npm` calls `pack:all` (which
+# rebuilds dist/ via ts-node-pack) then `npm publish` for each .tgz;
+# inlining `npm_config_registry` redirects every publish inside this
+# one command to Verdaccio without leaking into the surrounding shell.
+echo "smoketest-publishing: running 'yarn release:npm'"
+(
+  cd "$ROOT"
+  npm_config_registry="$REGISTRY_URL" yarn release:npm
+)
+
+# Install a representative subset into a throwaway consumer and exercise
+# it at runtime. Using `npm install <name>` (not `<path>`) forces npm to
+# resolve each package from the registry, which is the true end-to-end
+# check: it proves the published manifests, `workspace:` dep resolution,
+# and dependency graph are self-consistent within the registry.
+CONSUMER="$REGISTRY_HOME/consumer"
+mkdir -p "$CONSUMER"
+cat > "$CONSUMER/package.json" <<'EOF'
+{
+  "name": "smoke-consumer",
+  "private": true,
+  "type": "module"
+}
+EOF
+echo "registry=$REGISTRY_URL" > "$CONSUMER/.npmrc"
+
+echo "smoketest-publishing: installing packages from local registry"
+(
+  cd "$CONSUMER"
+  npm install --no-audit --no-fund \
+    @endo/init \
+    @endo/patterns \
+    @endo/eventual-send \
+    @endo/exo \
+    @endo/pass-style \
+    @endo/marshal
+)
+
+echo "smoketest-publishing: running SES lockdown + runtime checks"
+cat > "$CONSUMER/smoke.mjs" <<'EOF'
+import '@endo/init';
+const p = await import('@endo/patterns');
+const x = await import('@endo/exo');
+const m = await import('@endo/marshal');
+const { M, matches } = p;
+const { makeExo } = x;
+const guard = M.interface('Foo', { greet: M.call().returns(M.string()) });
+const obj = makeExo('foo', guard, { greet: () => 'hi' });
+if (obj.greet() !== 'hi') {
+  throw new Error(`makeExo.greet returned ${obj.greet()}, expected 'hi'`);
+}
+if (matches(42, M.number()) !== true) {
+  throw new Error('matches(42, M.number()) was not true');
+}
+if (Object.keys(m).length === 0) {
+  throw new Error('@endo/marshal has no exports');
+}
+console.log('smoketest-publishing: runtime checks passed');
+EOF
+node "$CONSUMER/smoke.mjs"
+
+echo "smoketest-publishing: SUCCESS"