Root cause: npm publish reads package.json metadata before running prepack,
so the prepack-based workspace:* replacement never takes effect.
Fix:
- Use pnpm publish for CLI (pnpm handles workspace: protocol natively)
- Add post-replacement verification in prepack script as safety net
- Standalone verify script for CI usage
- Remove broken prepublishOnly hook (runs before prepack, not after)
The prepack script can be skipped (--ignore-scripts, wrong cwd, etc.),
allowing workspace:* to leak into the published tarball. This guard
runs after prepack but before upload, aborting if any workspace:
references remain.
- Move CLI-local scripts to shared scripts/ at repo root
- Add prepack/postpack to core package.json as safety net
- Add CI verify-pack job that checks both tarballs on every push
- Add root `pnpm release` script as canonical publish entry point
Closes the workspace:* protocol bug that broke npm/pnpm install
for @actalk/inkos@0.3.4.
