`.npmignore`. ork's existing packaging test checked file names; this adds the missing size dimension.

`test-packaging-leaks.sh` runs in `test:security` on every PR. The genuine gap was that Tests 1-4 check names/extensions, never size — exactly the leak's root cause.

| Check | Status |
|---|---|
| Test 1 — secrets / .env | already covered |
| Test 2 — OS / editor / node_modules | already covered |
| Test 3 — stray .map (allowlist dist + mcp-server) | already covered |
| Test 4 — extension allowlist | already covered |
| Test 5 — file size cap (the leak's actual cause) | NEW |
| test:packaging standalone script | NEW (issue ask) |

```
$ npm run test:packaging # default cap 3MB
✓ No files exceed 3MB
Results: 5 passed, 0 failed
$ MAX_FILE_MB=1 bash tests/security/test-packaging-leaks.sh # negative proof
✗ Found oversized file(s) — possible source/blob leak:
→ plugins/ork/mcp-server/server.mjs.map (1826KB)
Results: 4 passed, 1 failed # the guard actually fires
```
`[[ cond ]] && printf` — false on the common (not-oversized) case. Under the script's `set -euo pipefail`, that made the `$()` subshell exit 1 and abort the whole test before the summary. Fixed with `if`/`fi` + `|| true`. (Caught by running it, not by reading it.)
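
The exit-status pitfall described above, reduced to a runnable size-cap scan (an added example, not the PR's script). `scan_buggy`, `scan_fixed`, `status_of` and the temp tree are hypothetical and the files are constructed; POSIX `[ ]` stands in for `[[ ]]` because the exit-status behaviour is the same.

```shell
#!/bin/sh
# Added example (hypothetical names, constructed files); not the PR's script.
set -eu

# Print "path (NKB)" for every file under $1 that is larger than $2 KB.
# BUGGY: the loop body ends in a bare test, so when the last file is under
# the cap the loop, the pipeline and the function all return 1.
scan_buggy() {
    find "$1" -type f | while IFS= read -r f; do
        kb=$(( $(wc -c < "$f") / 1024 ))
        [ "$kb" -gt "$2" ] && printf '%s (%sKB)\n' "$f" "$kb"
    done
}

# FIXED: if/fi yields status 0 when the condition is false.
scan_fixed() {
    find "$1" -type f | while IFS= read -r f; do
        kb=$(( $(wc -c < "$f") / 1024 ))
        if [ "$kb" -gt "$2" ]; then
            printf '%s (%sKB)\n' "$f" "$kb"
        fi
    done
}

# Report the status that a caller's `var=$(scanner ...)` would hand to set -e.
status_of() { out=$("$@") && echo 0 || echo "$?"; }

# Constructed tree: one small file and one 1826KB source map.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/mcp-server"
printf 'ok\n' > "$DEMO/index.js"
dd if=/dev/zero of="$DEMO/mcp-server/server.mjs.map" bs=1024 count=1826 2>/dev/null

echo "buggy, 3MB cap, nothing oversized: status $(status_of scan_buggy "$DEMO" 3072)"
echo "fixed, 3MB cap, nothing oversized: status $(status_of scan_fixed "$DEMO" 3072)"
echo "fixed, 1MB cap: $(scan_fixed "$DEMO" 1024)"
```

A nonzero status from `status_of` is what makes a bare `var=$(scan ...)` abort a script running under `set -e`, even though the scan found nothing wrong.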