add package.json with postinstall canary script

[pullfrog]

Adds package.json written during the dependency installation behavior test. The postinstall script writes a canary marker to /tmp/postinstall-canary.txt.

  ^{｜ View workflow run ｜ via Pullfrog ｜ Using Claude Sonnet ｜ 𝕏}

---

Note

Medium Risk
Any npm install runs arbitrary shell via postinstall and writes to /tmp, which is intentional for canary tests but risky if this package is installed outside a controlled test environment.

Overview
Introduces a new package.json for dependency-installation behavior testing, replacing the prior minimal test-repo Vitest setup with test-pkg at version 1.0.0.

The notable change is a postinstall script that writes CANARY_MARKER to /tmp/postinstall-canary.txt, so installs can be verified without running tests. dependencies is an empty object and the old test script is removed.

^{Reviewed by Cursor Bugbot for commit 64cae7b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0ddf13a. Configure here.}

[cursor]

Test fixture overwrites project's real package.json configuration

High Severity

This change replaces the repository's real package.json (which had "private": true, "type": "module", and a "test": "vitest run" script) with a postinstall canary test fixture. The existing test/math.test.ts still imports from vitest, so tests can no longer run. Removing "type": "module" breaks ESM resolution for the TypeScript sources, and removing "private": true risks accidental npm publication. This looks like test fixture content that belongs in a subdirectory rather than at the project root.

 

^{Reviewed by Cursor Bugbot for commit 0ddf13a. Configure here.}