diff --git a/plugins/reporting-governance/package.json b/plugins/reporting-governance/package.json
index b721441..1989ef4 100644
--- a/plugins/reporting-governance/package.json
+++ b/plugins/reporting-governance/package.json
@@ -16,6 +16,16 @@
   "bin": {
     "reporting-governance-package-smoke": "./scripts/package-smoke.mjs"
   },
+  "files": [
+    "README.md",
+    "capabilities/",
+    "examples/",
+    "profiles/",
+    "profiles-src/",
+    "schemas/",
+    "scripts/",
+    "src/"
+  ],
   "scripts": {
     "test": "node --test test/package-structure.test.mjs test/policy-evaluator.test.mjs test/compatibility-preflight.test.mjs test/profile-artifact.test.mjs test/profile-generator.test.mjs test/decision-runner.test.mjs test/decision-store.test.mjs test/decision-store-runtime.integration.test.mjs test/governance-contract.integration.test.mjs test/watchdog-chain.integration.test.mjs test/runtime-integrated.integration.test.mjs test/exports-boundary.integration.test.mjs test/packed-consumer-install.smoke.test.mjs",
     "smoke": "node ./scripts/package-smoke.mjs --compact"
diff --git a/plugins/reporting-governance/test/packed-consumer-install.smoke.test.mjs b/plugins/reporting-governance/test/packed-consumer-install.smoke.test.mjs
index 3cc139e..524af6b 100644
--- a/plugins/reporting-governance/test/packed-consumer-install.smoke.test.mjs
+++ b/plugins/reporting-governance/test/packed-consumer-install.smoke.test.mjs
@@ -6,6 +6,12 @@ import path from 'node:path';
 import { spawnSync } from 'node:child_process';
 
 const packageRoot = path.resolve(import.meta.dirname, '..');
+const unexpectedPackedPathMatchers = [
+  /\.tgz$/,
+  /^state\//,
+  /^docs\//,
+  /^node_modules\//,
+];
 
 function run(command, args, { cwd, env = {} } = {}) {
   const result = spawnSync(command, args, {
@@ -31,6 +37,24 @@ function run(command, args, { cwd, env = {} } = {}) {
   return result;
 }
 
+test('packed tarball excludes nested tarballs and obvious repo junk', () => {
+  const packResult = run('npm', ['pack', '--json', '--dry-run'], { cwd: packageRoot });
+  const packPayload = JSON.parse(packResult.stdout.trim());
+  const files = packPayload.at(-1)?.files?.map((entry) => entry.path) ?? [];
+
+  assert.ok(files.length > 0, 'npm pack --dry-run should report packed files');
+
+  for (const packedPath of files) {
+    for (const matcher of unexpectedPackedPathMatchers) {
+      assert.equal(
+        matcher.test(packedPath),
+        false,
+        `packed tarball should not include ${packedPath}`
+      );
+    }
+  }
+});
+
 test('packed tarball installs into clean consumer and works via public exports/bin only', () => {
   const root = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-packed-consumer-'));