chore: pre-publish hardening #7

Merged
Apetuezekiel merged 1 commit into main from chore/pre-publish-hardening
May 16, 2026
@Apetuezekiel

Owner

Gate audit

  • Gate 1 — Error class boundary behavior: Implementation correct (Object.setPrototypeOf(this, new.target.prototype) present in both constructors; toJSON() present; instanceof chain intact). Finding: tests covered instanceof, name, and err.toJSON() round-trip, but no test called JSON.stringify(err) directly — the spec requires verifying the error instance itself serializes correctly via toJSON, not just the result of calling toJSON() manually. Action: added two tests (one per class) that call JSON.parse(JSON.stringify(err)) directly and assert all metadata fields are present.

  • Gate 2 — prepublishOnly ordering: "prepublishOnly": "npm run typecheck && npm run test && npm run build" — typecheck → test → build. Finding: correct. No change needed.

  • Gate 3 — README "What the library does not do" section: Section present at line 290 with all 7 required items (no usage tracking, no period reset enforcement, no persistence, no remote config fetching, no auth beyond feature gating, no billing integration, no framework bindings). Finding: complete and correct. No change needed.

  • Gate 4 — Sourcemap trade-off documented: Finding: missing — no mention of sourcemaps in README or CHANGELOG. Action: added a "Package notes" block to CHANGELOG.md under [0.1.0] stating that sourcemaps are excluded and how to get them.

  • Gate 5 — Type tests run in CI: vitest.config.ts has test.typecheck.enabled: true and include: ['tests/**/*.test-d.ts']. CI runs npm run test which invokes vitest run --coverage. Prior test runs confirm ✓ TS tests/types.test-d.ts (3 tests) appears in output. Finding: type tests are exercised in CI. No change needed.

  • Gate 6 — Package size budget: Running npm pack --dry-run after all changes: 33.6 KB unpacked. Exceeds 30 KB. Going with option (b): documented explicitly in CHANGELOG.md under [0.1.0] Package notes. Rationale: README sections required by v1 spec cannot be trimmed without removing required content; CHANGELOG.md inclusion (gate 7) adds 2.9 KB; total reflects all required content.

  • Gate 7 — npm pack content audit: Pre-fix tarball contents were LICENSE, README.md, dist/index.{js,cjs,d.ts,d.cts}, schema/config.schema.json, package.json. Finding: CHANGELOG.md was present in the repo but absent from the tarball — the spec says "include if present." No other leakage (no src/, tests/, tsup.config.ts, vitest.config.ts, biome.json, tsconfig.json, .github/). Action: added "CHANGELOG.md" to the files field in package.json. Post-fix tarball: 9 files, 8.9 kB packed / 33.6 kB unpacked.

    Final tarball contents:

    CHANGELOG.md       2.9kB
    LICENSE            1.1kB
    README.md         11.0kB
    dist/index.cjs     5.6kB
    dist/index.d.cts   2.3kB
    dist/index.d.ts    2.3kB
    dist/index.js      5.5kB
    package.json       1.5kB  (auto-added by npm)
    schema/config.schema.json  1.4kB
    
  • Gate 8 — Branch protection on main: Finding: not configured (missing). Action: configured via gh api before opening this PR. Settings applied: required_status_checks with strict: true and contexts ["CI (Node 18)", "CI (Node 20)"] (matched from gh api repos/.../commits/main/check-runs), allow_force_pushes: false, allow_deletions: false, enforce_admins: false. API call succeeded.


Tests

76 tests pass (up from 74), 100% coverage maintained on all runtime files.


User-side TODOs before npm publish

  1. Enable 2FA on npm: npm profile enable-2fa auth-and-writes — required for publishing scoped or high-value packages and strongly recommended for any package.
  2. Dry-run publish first: From the local clone on main after this PR merges, run npm publish --dry-run and inspect the output. Confirm the tarball contents match the gate 7 list above before running the real publish.

@Apetuezekiel Apetuezekiel merged commit 22c9148 into main May 16, 2026
5 checks passed
@Apetuezekiel Apetuezekiel deleted the chore/pre-publish-hardening branch May 16, 2026 18:33
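
The gate 7 tarball audit as an added example (not part of the PR or the project's code): a check over the parsed JSON that `npm pack --dry-run --json` prints, flagging the leakage paths the gate names, anything outside the final contents list, and any listed file that is missing. The function names, the 30 kB budget constant and the sample reports are assumptions; the sample byte sizes are the listing's kB figures times 1000.

```javascript
// Added example: audit the parsed output of `npm pack --dry-run --json`.
// Allowlist = the gate 7 "Final tarball contents" list.
const ALLOWED = new Set([
  'CHANGELOG.md', 'LICENSE', 'README.md', 'package.json',
  'dist/index.js', 'dist/index.cjs', 'dist/index.d.ts', 'dist/index.d.cts',
  'schema/config.schema.json',
]);
// Paths gate 7 names as leakage; a trailing slash marks a directory prefix.
const FORBIDDEN = ['src/', 'tests/', '.github/', 'tsup.config.ts',
  'vitest.config.ts', 'biome.json', 'tsconfig.json'];
const BUDGET_BYTES = 30 * 1000; // assumption: the 30 KB budget counted in npm's 1000-byte kB

function isForbidden(path) {
  return FORBIDDEN.some((x) => (x.endsWith('/') ? path.startsWith(x) : path === x));
}

function auditPack(report, budgetBytes = BUDGET_BYTES) {
  const pkg = Array.isArray(report) ? report[0] : report; // npm prints a one-element array
  const paths = pkg.files.map((f) => f.path);
  const leaked = paths.filter(isForbidden);
  const unexpected = paths.filter((p) => !ALLOWED.has(p) && !isForbidden(p));
  const missing = [...ALLOWED].filter((p) => !paths.includes(p));
  // Sum the entries instead of trusting the report's summary field.
  const unpacked = pkg.files.reduce((sum, f) => sum + f.size, 0);
  return {
    leaked, unexpected, missing, unpacked,
    overBudget: unpacked > budgetBytes,
    contentsOk: leaked.length + unexpected.length + missing.length === 0,
  };
}

// Constructed sample reports; byte sizes are the listing's kB figures times 1000.
const entry = (path, size) => ({ path, size });
const POST_FIX = [{ files: [
  entry('CHANGELOG.md', 2900), entry('LICENSE', 1100), entry('README.md', 11000),
  entry('dist/index.cjs', 5600), entry('dist/index.d.cts', 2300),
  entry('dist/index.d.ts', 2300), entry('dist/index.js', 5500),
  entry('package.json', 1500), entry('schema/config.schema.json', 1400),
] }];
// Pre-fix state from gate 7: CHANGELOG.md absent from the tarball.
const PRE_FIX = [{ files: POST_FIX[0].files.filter((f) => f.path !== 'CHANGELOG.md') }];
// Hypothetical regression: a broadened "files" field ships sources and a stray file.
const LEAKY = [{ files: [...POST_FIX[0].files,
  entry('src/index.ts', 4000), entry('tsconfig.json', 600), entry('.env', 50)] }];

for (const [name, report] of Object.entries({ POST_FIX, PRE_FIX, LEAKY })) {
  console.log(name, JSON.stringify(auditPack(report)));
}
```

Size is reported separately from `contentsOk`, so a documented budget overrun like gate 6's does not mask a contents failure.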