diff --git a/.github/workflows/update-claude-code.yml b/.github/workflows/update-claude-code.yml
index 99dbbf2c..92d6b0fa 100644
--- a/.github/workflows/update-claude-code.yml
+++ b/.github/workflows/update-claude-code.yml
@@ -5,6 +5,10 @@ on:
     # Run daily at 6 AM UTC
     - cron: '0 6 * * *'
   workflow_dispatch: # Allow manual trigger
+  pull_request:
+    paths:
+      - 'nix/claude-code/**'
+      - '.github/workflows/update-claude-code.yml'
 
 jobs:
   update:
@@ -24,7 +28,21 @@ jobs:
           extra_nix_config: |
             experimental-features = nix-command flakes
 
-      - name: Update claude-code package
+      - name: Update claude-code package (test)
+        if: github.event_name == 'pull_request'
+        run: |
+          # On PRs, run the update script to test it works
+          # but don't commit or create PRs with the changes
+          set +e
+          ./nix/claude-code/update.sh
+          status=$?
+          if [ "$status" -ne 0 ]; then
+            echo "::warning::Update script execution test failed (exit code: $status)"
+            exit "$status"
+          fi
+
+      - name: Update claude-code package (production)
+        if: github.event_name != 'pull_request'
         id: update
         run: |
           # Script exits 0 if already at latest (no changes to commit)
@@ -35,12 +53,14 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
       - name: Update flake.lock
+        if: github.event_name != 'pull_request'
         run: nix flake update
 
       - name: Verify build
         run: nix develop --command claude --version
 
       - name: Create Pull Request
+        if: github.event_name != 'pull_request'
         uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/nix/claude-code/update.sh b/nix/claude-code/update.sh
index cfc648bc..0dc7ddf8 100755
--- a/nix/claude-code/update.sh
+++ b/nix/claude-code/update.sh
@@ -28,12 +28,32 @@ mkdir -p "$TMPDIR/src"
 tar -xzf "$TMPDIR/claude-code.tgz" -C "$TMPDIR/src" --strip-components=1
 SRC_HASH=$(nix hash path "$TMPDIR/src")
 
-# Get package-lock.json from tarball
+# Get package-lock.json from tarball, or generate it if not present
 if [[ -f "$TMPDIR/src/package-lock.json" ]]; then
     cp "$TMPDIR/src/package-lock.json" package-lock.json
 else
-    echo "Error: No package-lock.json in tarball"
-    exit 1
+    echo "No package-lock.json in tarball, generating from package.json"
+    # Verify package.json exists
+    if [[ ! -f "$TMPDIR/src/package.json" ]]; then
+        echo "Error: No package.json in tarball"
+        exit 1
+    fi
+    # Generate package-lock.json from package.json
+    cp "$TMPDIR/src/package.json" "$TMPDIR/package.json"
+    # Preserve any npm configuration from the tarball when generating the lockfile
+    if [[ -f "$TMPDIR/src/.npmrc" ]]; then
+        cp "$TMPDIR/src/.npmrc" "$TMPDIR/.npmrc"
+    fi
+    (cd "$TMPDIR" && npm install --package-lock-only --ignore-scripts) || {
+        echo "Error: Failed to generate package-lock.json"
+        exit 1
+    }
+    # Verify package-lock.json was generated
+    if [[ ! -f "$TMPDIR/package-lock.json" ]]; then
+        echo "Error: package-lock.json was not generated"
+        exit 1
+    fi
+    cp "$TMPDIR/package-lock.json" package-lock.json
 fi
 
 # Compute npmDepsHash using prefetch-npm-deps