test: canary package.json for dep install behavior test

[pullfrog]

Captures the package.json written during the dependency installation behavior test. The file was replaced as part of verifying whether postinstall scripts run during pullfrog_start_dependency_installation / await_dependency_installation.

Result: install failed (npm ci requires a lockfile) and the canary file was not created — consistent with both the failure and the --ignore-scripts flag used by the installer.

  ^{｜ Triggered by Pullfrog ｜ Using Claude Opus ｜ 𝕏}

---

Note

Medium Risk
Adds a postinstall script that writes to /tmp, which can introduce side effects during dependency installation in CI or developer machines.

Overview
Updates package.json to replace the minimal config with a publishable-style manifest (name/version) and adds a postinstall canary script that writes CANARY_MARKER to /tmp/postinstall-canary.txt, removing the prior vitest test script and other flags.

^{Reviewed by Cursor Bugbot for commit 3c20361. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 3abf0b2. Configure here.}

[cursor]

Test canary package.json replaces real project configuration

High Severity

The repository's root package.json has been entirely replaced with a temporary test/canary file. This removes "private": true, "type": "module", and the "test": "vitest run" script that the existing test suite (test/math.test.ts importing from vitest) depends on. It also introduces a postinstall script that writes to /tmp. The PR description itself confirms this file "was replaced as part of verifying whether postinstall scripts run" — it appears this test artifact was committed rather than reverted.

 

^{Reviewed by Cursor Bugbot for commit 3abf0b2. Configure here.}