refactor(audience): move demo to sibling sdk-sample-app package

Addresses review feedback on #2837 from @nattb8: the interactive demo
should live in its own workspace package (matching the repo convention
used by passport/sdk-sample-app, checkout/sdk-sample-app, dex/sdk-sample-app,
bridge/bridge-sample-app) rather than inside the published @imtbl/audience
package directory.

Why this matters beyond aesthetics:

- @imtbl/audience is a published npm package with a dedicated build
  pipeline (#2838): local tsup.config.js, prepack/postpack scripts that
  strip workspace deps from package.json, rollup-plugin-dts to inline
  type re-exports. The sdk package directory should stay focused on
  shipping artifacts; a demo harness is not one.
- The demo was vanilla ES2020 (no TS, no modules, loaded via a script
  tag) while the sdk package is pure TypeScript. Co-locating them forced
  sdk/.eslintignore + an .eslintrc.cjs override block just to keep
  lint-staged from trying to parse demo/*.js with the TS parser. Both
  pieces of config disappear with this move.
- The existing repo-wide root .eslintignore already has a
  `**sample-app**/` glob (for passport/sdk-sample-app and friends), so
  the new directory is automatically excluded from root lint with zero
  local config.

Addresses the reviewer's secondary concern — "this is included in the
CDN bundle too" — at the structural level. For the record, verified
the demo was never literally bundled into dist/cdn/imtbl-audience.global.js:
src/cdn.ts imports only ./sdk, ./config, and @imtbl/audience-core, and
`files: ["dist"]` in package.json already excluded demo/ from the npm
tarball. Confirmed by packing the sdk and inspecting the tarball — it
only contains dist/browser, dist/cdn, dist/node, dist/types, plus
README.md, LICENSE.md, and package.json.

Changes:

New package — packages/audience/sdk-sample-app/
- package.json: private, @imtbl/audience as a workspace:* devDep,
  engines node >= 20.11, `pnpm dev` builds @imtbl/audience then runs
  the local serve script
- serve.mjs: ~90-line Node static server using only the stdlib.
  Serves the sample-app's own files from ./, and routes /vendor/
  to ../sdk/dist/cdn/ so the HTML can load the CDN bundle via a
  same-origin URL (keeps the demo's CSP happy). Blocks serve.mjs,
  package.json, and node_modules from being served, plus path
  traversal attempts via decodeURIComponent + a resolve/startsWith
  guard. Verified with curl: 200 for /, /demo.css, /demo.js and
  /vendor/imtbl-audience.global.js(.map); 403 for /package.json,
  /serve.mjs, /vendor/../../package.json, /%2e%2e/secret; 404 for
  /nonexistent.html.
- index.html, demo.js, demo.css, README.md: git-renamed from
  packages/audience/sdk/demo/. The only content change is in
  index.html — the <script src> moved from ../dist/cdn/... to
  vendor/... — plus README.md was updated with the new run
  instructions and a layout diagram for the new location.

Package cleanup — packages/audience/sdk/
- Remove the `demo` script from package.json (its entry point is
  gone now).
- Revert .eslintrc.cjs to main's 6-line baseline by dropping the
  22-line `demo/**/*.js` overrides block that the PR had added.
- Delete .eslintignore entirely (its only line was `demo/`).
- Update README.md's two `demo/` references to point at
  `../sdk-sample-app/README.md` instead.

Repo-level
- Drop the `packages/audience/sdk/demo/` line from root .eslintignore
  (the existing `**sample-app**/` glob covers the new location).
- Register `packages/audience/sdk-sample-app` in pnpm-workspace.yaml.
- pnpm-lock.yaml picks up a 6-line importer entry for the new package
  (just the workspace:* link to ../sdk, no external deps).

Verification:
- `pnpm --filter @imtbl/audience-core --filter @imtbl/audience run
  lint typecheck test` — 113 core + 51 sdk tests pass, lint/typecheck
  clean on both packages.
- `pnpm --filter @imtbl/audience run build` — ESM (browser+node),
  CDN IIFE (52.04 KB), and rolled-up .d.ts all build clean.
- `pnpm --filter @imtbl/audience-sdk-sample-app run dev` — builds
  the sdk, starts the local server, demo loads at http://localhost:3456/
  with the CDN bundle served from /vendor/.
- `pnpm pack --pack-destination /tmp/...` in the sdk — tarball
  contains only dist/{browser,cdn,node,types}, LICENSE.md, README.md,
  and package.json. No demo, no vendor, no sample-app, no scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ImmutableJeffrey

.eslintignore

@@ -23,4 +23,3 @@ packages/internal/generated-clients/src/
 packages/game-bridge/scripts/**/*.js
 packages/audience/sdk/rollup.dts.config.js
 packages/audience/sdk/tsup.config.js
-packages/audience/sdk/demo/

packages/audience/sdk/demo/README.md …ckages/audience/sdk-sample-app/README.mdpackages/audience/sdk/demo/README.md renamed to packages/audience/sdk-sample-app/README.md packages/audience/sdk/demo/README.md renamed to packages/audience/sdk-sample-app/README.md

@@ -1,19 +1,15 @@
-# @imtbl/audience — Demo
+# @imtbl/audience-sdk-sample-app
 
 Single-page interactive harness that exercises every public method on the `Audience` class against the real Immutable backend.
 
 ## Run
 
 ```sh
-cd packages/audience/sdk
-pnpm demo
+cd packages/audience/sdk-sample-app
+pnpm dev
 ```
 
-This runs `pnpm build` (ESM + CDN bundle + types) then serves the package root on `http://localhost:3456`. Open:
-
-```
-http://localhost:3456/demo/
-```
+This builds `@imtbl/audience` (ESM + CDN bundle + types) and then serves this sample app on `http://localhost:3456`. Open that URL directly — `index.html` is the entry point. The sample-app's local `serve.mjs` routes `/vendor/imtbl-audience.global.js` to the CDN bundle in `../sdk/dist/cdn/`, so the sdk's build output stays the single source of truth.
 
 Stop the server with `Ctrl+C`.
 
@@ -48,7 +44,7 @@ These are test-only keys registered for audience tracking. Safe to commit and sh
 
 ## Troubleshooting
 
-- **`window.ImmutableAudience is undefined`** in the demo page: the CDN bundle failed to load. Re-run `pnpm build` from `packages/audience/sdk` and confirm `dist/cdn/imtbl-audience.global.js` exists.
+- **`window.ImmutableAudience is undefined`** in the demo page: the CDN bundle failed to load. Re-run `pnpm dev` from `packages/audience/sdk-sample-app` and confirm `../sdk/dist/cdn/imtbl-audience.global.js` exists.
 - **`POST /v1/audience/messages` returns 400**: the publishable key format is wrong. Must start with `pk_imapik-`.
 - **`POST /v1/audience/messages` returns 403**: the key isn't registered for audience tracking on the backend. Use one of the keys in the table above.
 - **Identify button is a no-op**: consent is not `full`. Click **Set full** first.
@@ -57,10 +53,12 @@ These are test-only keys registered for audience tracking. Safe to commit and sh
 ## Files
 
 ```
-demo/
-  index.html   # single page, loads ../dist/cdn/imtbl-audience.global.js
+sdk-sample-app/
+  index.html   # single page, loads /vendor/imtbl-audience.global.js
   demo.js      # vanilla ES2020, no modules; reads window.ImmutableAudience
   demo.css     # light theme, hand-written CSS, no external deps
+  serve.mjs    # tiny Node static server; routes /vendor/ to ../sdk/dist/cdn/
+  package.json # private workspace package; @imtbl/audience as workspace dep
   README.md    # this file
 ```
 

packages/audience/sdk/demo/demo.css packages/audience/sdk-sample-app/demo.csspackages/audience/sdk/demo/demo.css renamed to packages/audience/sdk-sample-app/demo.css

@@ -169,7 +169,7 @@ <h2 class="panel-title">Event Log</h2>
   </footer>
 </main>
 
-<script src="../dist/cdn/imtbl-audience.global.js"></script>
+<script src="vendor/imtbl-audience.global.js"></script>
 <script src="demo.js"></script>
 </body>
 </html>

packages/audience/sdk/demo/demo.js packages/audience/sdk-sample-app/demo.jspackages/audience/sdk/demo/demo.js renamed to packages/audience/sdk-sample-app/demo.js

@@ -0,0 +1,17 @@
+{
+  "name": "@imtbl/audience-sdk-sample-app",
+  "description": "Interactive demo harness for @imtbl/audience. Exercises every public method on the Audience class against the real dev/sandbox backend.",
+  "version": "0.0.0",
+  "author": "Immutable",
+  "private": true,
+  "engines": {
+    "node": ">=20.11.0"
+  },
+  "devDependencies": {
+    "@imtbl/audience": "workspace:*"
+  },
+  "scripts": {
+    "dev": "pnpm --filter @imtbl/audience run build && node ./serve.mjs",
+    "start": "pnpm dev"
+  }
+}

packages/audience/sdk/demo/index.html …kages/audience/sdk-sample-app/index.htmlpackages/audience/sdk/demo/index.html renamed to packages/audience/sdk-sample-app/index.html packages/audience/sdk/demo/index.html renamed to packages/audience/sdk-sample-app/index.html

@@ -0,0 +1,94 @@
+#!/usr/bin/env node
+/*
+ * Static file server for the audience SDK sample app.
+ *
+ * Serves the sample-app's own files from this directory, and exposes the
+ * CDN bundle (built into ../sdk/dist/cdn/) under /vendor/. This keeps the
+ * sdk's dist/ as the single source of truth — no copy step, no gitignored
+ * artifacts — while letting the demo's <script> tag load the bundle from
+ * a same-origin URL (which keeps the CSP in index.html happy).
+ *
+ * Invoked by `pnpm dev`, after `pnpm --filter @imtbl/audience run build`
+ * has populated ../sdk/dist/cdn/.
+ */
+import { createServer } from 'node:http';
+import { readFile } from 'node:fs/promises';
+import { resolve, join, extname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const PORT = Number.parseInt(process.env.PORT ?? '3456', 10);
+// resolve() strips the trailing slash that fileURLToPath leaves on a dir URL,
+// so later `${HERE}/` concatenations yield clean paths, not `/foo//`.
+const HERE = resolve(fileURLToPath(new URL('.', import.meta.url)));
+const SDK_CDN = resolve(HERE, '..', 'sdk', 'dist', 'cdn');
+
+const MIME = {
+  '.html': 'text/html; charset=utf-8',
+  '.js': 'application/javascript; charset=utf-8',
+  '.mjs': 'application/javascript; charset=utf-8',
+  '.css': 'text/css; charset=utf-8',
+  '.map': 'application/json; charset=utf-8',
+  '.ico': 'image/x-icon',
+  '.svg': 'image/svg+xml',
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.json': 'application/json; charset=utf-8',
+};
+
+/**
+ * Resolve a request path to a file path inside one of the allowed roots.
+ * Rejects paths that escape their root via .. segments.
+ */
+function resolveRequest(urlPath) {
+  const decoded = decodeURIComponent(urlPath.split('?')[0]);
+  const normalized = decoded === '/' ? '/index.html' : decoded;
+
+  if (normalized.startsWith('/vendor/')) {
+    const rel = normalized.slice('/vendor/'.length);
+    const filePath = resolve(SDK_CDN, rel);
+    if (!filePath.startsWith(`${SDK_CDN}/`) && filePath !== SDK_CDN) return null;
+    return filePath;
+  }
+
+  const filePath = resolve(HERE, `.${normalized}`);
+  if (!filePath.startsWith(`${HERE}/`) && filePath !== HERE) return null;
+  // Don't serve this file or package metadata.
+  const blocked = ['serve.mjs', 'package.json', 'node_modules'];
+  for (const name of blocked) {
+    if (filePath === join(HERE, name) || filePath.startsWith(`${join(HERE, name)}/`)) return null;
+  }
+  return filePath;
+}
+
+const server = createServer(async (req, res) => {
+  try {
+    const filePath = resolveRequest(req.url ?? '/');
+    if (!filePath) {
+      res.writeHead(403, { 'content-type': 'text/plain; charset=utf-8' });
+      res.end('403 forbidden');
+      return;
+    }
+    const body = await readFile(filePath);
+    const type = MIME[extname(filePath)] ?? 'application/octet-stream';
+    res.writeHead(200, {
+      'content-type': type,
+      'cache-control': 'no-store',
+    });
+    res.end(body);
+  } catch (err) {
+    if (err && err.code === 'ENOENT') {
+      res.writeHead(404, { 'content-type': 'text/plain; charset=utf-8' });
+      res.end(`404 not found: ${req.url}`);
+      return;
+    }
+    // eslint-disable-next-line no-console
+    console.error('[serve]', err);
+    res.writeHead(500, { 'content-type': 'text/plain; charset=utf-8' });
+    res.end('500 server error');
+  }
+});
+
+server.listen(PORT, () => {
+  // eslint-disable-next-line no-console
+  console.log(`audience sdk sample app: http://localhost:${PORT}/`);
+});

packages/audience/sdk-sample-app/package.json

@@ -4,26 +4,4 @@ module.exports = {
     project: './tsconfig.eslint.json',
     tsconfigRootDir: __dirname,
   },
-  overrides: [
-    {
-      // demo/ is vanilla ES2020 — not part of the TS compilation graph.
-      // Disable TypeScript-aware parser rules so lint-staged doesn't fail.
-      files: ['demo/**/*.js'],
-      parser: 'espree',
-      parserOptions: {
-        ecmaVersion: 2020,
-        sourceType: 'script',
-        project: null,
-      },
-      rules: {
-        '@typescript-eslint/no-var-requires': 'off',
-        '@typescript-eslint/no-unsafe-assignment': 'off',
-        '@typescript-eslint/no-unsafe-call': 'off',
-        '@typescript-eslint/no-unsafe-member-access': 'off',
-        '@typescript-eslint/no-unsafe-return': 'off',
-        '@typescript-eslint/no-explicit-any': 'off',
-        '@typescript-eslint/explicit-module-boundary-types': 'off',
-      },
-    },
-  ],
 };

packages/audience/sdk-sample-app/serve.mjs

@@ -28,7 +28,7 @@ Once published to npm, you'll be able to load the package via CDN (no bundler re
 </script>
 ```
 
-Until the first npm release, you can build the CDN bundle locally from this repo: `cd packages/audience/sdk && pnpm build`. The output is at `dist/cdn/imtbl-audience.global.js`. See `demo/README.md` for the interactive demo that loads it.
+Until the first npm release, you can build the CDN bundle locally from this repo: `pnpm --filter @imtbl/audience run build`. The output is at `dist/cdn/imtbl-audience.global.js`. See `../sdk-sample-app/README.md` for the interactive demo that loads it.
 
 ## Quickstart
 
@@ -138,7 +138,7 @@ Errors are delivered asynchronously (after the failing flush completes). Throwin
 
 ## Demo
 
-There's an interactive demo under `demo/` that exercises every public method against the real backend. See `demo/README.md` for instructions.
+There's an interactive demo in the sibling workspace package `@imtbl/audience-sdk-sample-app` that exercises every public method against the real backend. See `../sdk-sample-app/README.md` for instructions.
 
 ## License