Correct - just putting the files. The file method allowed me to check the latest version into our get repo, and then the composer process would just "overlay" on the folder. This way, no one ever had an issue, and they could just clone, run composer install, and start coding.
As it stands, I have now spent many hours preparing a development VM that I will now have to distribute to many developers around the world, simply because we do not have a way of creating a repository that can both a) be automatically deployed to the cloud and b) be deployed to a local development machine without involving logging in and pushing the "button". I.e. our devs can't just clone from our main git repo anymore and expect to be able to set up the application with "composer install", even though I have the koolreport files in the vendor directory checked into the repo explicitly. This has created a significant headache for us, right as I'm trying to spin up 5 new devs onto our project.