@seoagent-official/seoagent 1.12.0 → 1.13.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seoagent-official/seoagent",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "Scaffolder for Claude Code's SEOAgent skill. Run once: `npx -y @seoagent-official/seoagent init`. Sets up .seoagent/ for persistent audits, keyword strategy, content planning, and optimized writing. Not a runtime dependency.",
   "type": "module",
   "bin": {
@@ -10,7 +10,8 @@
     "index.js",
     "skills",
     "assets",
-    "postinstall-hint.cjs"
+    "postinstall-hint.cjs",
+    "postinstall-lib.cjs"
   ],
   "dependencies": {
     "@clack/prompts": "^0.9.0",

package/postinstall-hint.cjs

@@ -19,6 +19,7 @@
 const fs = require('fs');
 const path = require('path');
 const { spawnSync } = require('child_process');
+const { isDirectInstall } = require('./postinstall-lib.cjs');
 
 // -----------------------------------------------------------------------------
 // Guards — skip auto-init when it would be wrong or annoying.
@@ -53,8 +54,20 @@ if (!projectRoot || !fs.existsSync(projectRoot)) {
 // Don't auto-init when the package is being installed inside another
 // package's `node_modules` (a transitive dep). INIT_CWD would be the
 // transitive consumer's project root, not ours — we'd scaffold their repo.
-// Detect: INIT_CWD's package.json doesn't list us in its (dev)dependencies.
-if (!projectDeclaresUs(projectRoot)) {
+//
+// Detecting "transitive" reliably is harder than it looks: when a user runs
+// `npm install @seoagent-official/seoagent` in a fresh project, npm 7+ runs
+// THIS postinstall BEFORE writing the new dep to INIT_CWD/package.json. So
+// "is our package name in INIT_CWD/package.json" is false-negative-prone and
+// silently kills the captive install moment on every fresh install — which
+// is exactly the case we most need it to fire on.
+//
+// Instead: look at sibling node_modules entries. If ANY of them declares us
+// as a dependency, we're being dragged in transitively → bail. Otherwise
+// we're a direct install (or no one else needs us yet) → proceed.
+// We still consult package.json as a positive signal (e.g. for repeat installs
+// where the dep is already saved), since it strengthens the "direct" conclusion.
+if (!isDirectInstall(projectRoot)) {
   // Most likely transitive — bail silently.
   process.exit(0);
 }
@@ -94,25 +107,11 @@ if (result.status === 0) {
 }
 
 // -----------------------------------------------------------------------------
-// Helpers
+// Helpers — direct-install detection lives in ./postinstall-lib.cjs so it can
+// be unit-tested without firing the side effects above. The print functions
+// stay inline because they don't have meaningful behavior to test.
 // -----------------------------------------------------------------------------
 
-function projectDeclaresUs(root) {
-  try {
-    const pkgPath = path.join(root, 'package.json');
-    if (!fs.existsSync(pkgPath)) {
-      // No package.json — user ran `npm install <pkg>` in an empty dir or
-      // outside a project. That's unusual but valid for scaffolding.
-      return true;
-    }
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
-    const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
-    return '@seoagent-official/seoagent' in all;
-  } catch {
-    return true; // On error, fail open — better to scaffold than not.
-  }
-}
-
 function printPreInitBanner() {
   process.stdout.write(
     '\n' +

package/postinstall-lib.cjs

@@ -0,0 +1,117 @@
+'use strict';
+
+// =============================================================================
+// postinstall-lib — pure helpers used by postinstall-hint.cjs
+//
+// Lives in its own file (instead of inline in postinstall-hint.cjs) for two
+// reasons:
+//   1. Unit-testable. The main script has top-level side effects
+//      (process.exit, spawnSync) that fire on require — splitting the pure
+//      logic out means vitest can require THIS file safely.
+//   2. The regression we're guarding against is subtle: npm 7+ writes the
+//      newly-installed package to the parent's package.json AFTER running
+//      the package's postinstall script. So the old "is our name in
+//      INIT_CWD/package.json" check returned false on every fresh install,
+//      silently killing the captive moment we built the package around.
+//      Tests for THIS file pin the corrected behavior in place.
+// =============================================================================
+
+const fs = require('fs');
+const path = require('path');
+
+const PKG_NAME = '@seoagent-official/seoagent';
+
+/**
+ * Decide whether this postinstall is firing for a DIRECT install (user/agent
+ * explicitly added us) vs a TRANSITIVE install (we're a dep of someone else's
+ * dep). Returns true ⇒ scaffold; false ⇒ silent bail.
+ *
+ * Strategy is two-step because both signals alone are unreliable:
+ *   1. POSITIVE — INIT_CWD/package.json already lists us. Confirms direct
+ *      (but is FALSE on the most common case: first-time `npm install <us>`,
+ *      because npm 7+ writes package.json AFTER lifecycle scripts).
+ *   2. NEGATIVE — Look at every sibling under INIT_CWD/node_modules and check
+ *      if any of THEIR package.json lists us as a dep. If yes → transitive.
+ *      If no → direct (or top-level install with no other consumer yet).
+ *
+ * If both are inconclusive (e.g. no package.json at all because the user ran
+ * `npm install <us>` in an empty dir), default to "direct" — scaffolding is
+ * the whole point of the package and the existing `.seoagent/project.md`
+ * idempotency guard prevents double-scaffolding on subsequent runs.
+ */
+function isDirectInstall(root) {
+  if (!root) return true; // No INIT_CWD: nothing else we can check; scaffold.
+  if (declaredInProjectJson(root)) return true;
+  if (anySiblingDependsOnUs(root)) return false;
+  return true;
+}
+
+function declaredInProjectJson(root) {
+  try {
+    const pkgPath = path.join(root, 'package.json');
+    if (!fs.existsSync(pkgPath)) return false;
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+    const all = mergeAllDepKinds(pkg);
+    return PKG_NAME in all;
+  } catch {
+    return false;
+  }
+}
+
+function anySiblingDependsOnUs(root) {
+  try {
+    const nm = path.join(root, 'node_modules');
+    if (!fs.existsSync(nm)) return false;
+    for (const entry of fs.readdirSync(nm, { withFileTypes: true })) {
+      if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
+      // Scoped packages: recurse one level.
+      if (entry.name.startsWith('@')) {
+        const scopeDir = path.join(nm, entry.name);
+        let scoped;
+        try {
+          scoped = fs.readdirSync(scopeDir, { withFileTypes: true });
+        } catch {
+          continue;
+        }
+        for (const inner of scoped) {
+          if (!inner.isDirectory()) continue;
+          // Skip ourselves.
+          if (entry.name === '@seoagent-official' && inner.name === 'seoagent') continue;
+          if (pkgListsUs(path.join(scopeDir, inner.name, 'package.json'))) return true;
+        }
+        continue;
+      }
+      if (pkgListsUs(path.join(nm, entry.name, 'package.json'))) return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
+function pkgListsUs(pkgJsonPath) {
+  try {
+    if (!fs.existsSync(pkgJsonPath)) return false;
+    const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+    return PKG_NAME in mergeAllDepKinds(pkg);
+  } catch {
+    return false;
+  }
+}
+
+function mergeAllDepKinds(pkg) {
+  return {
+    ...(pkg.dependencies || {}),
+    ...(pkg.devDependencies || {}),
+    ...(pkg.optionalDependencies || {}),
+    ...(pkg.peerDependencies || {}),
+  };
+}
+
+module.exports = {
+  PKG_NAME,
+  isDirectInstall,
+  declaredInProjectJson,
+  anySiblingDependsOnUs,
+  pkgListsUs,
+};