Harden npm package distribution proof #43

Merged
pdurlej merged 2 commits from codex/package-distribution-proof into main 2026-05-18 23:34:18 +02:00
Collaborator

Canary Context Pack

Product story

Fork B owns Package Distribution. Before alpha publish, the release proof should catch npm packaging drift locally, especially cases where npm pack looks fine but npm publish --dry-run would alter package metadata.

What changed

  • Added npm run publish:dry-run as an explicit non-publishing alpha dry-run gate.
  • Updated release:smoke to run that publish dry-run and fail if npm reports metadata auto-correction such as a missing/stripped CLI bin.
  • Added scripts/build.mjs so npm run build compiles with tsc and sets dist/cli.js executable for npm bin publishing.
  • Normalized package.json#bin.fallow-ts to npm's canonical dist/cli.js path.
  • Updated package tests and release checklist for the new distribution gates.

Why it changed

While implementing the dry-run gate, npm publish --dry-run exposed a real release blocker: npm would auto-correct package metadata and remove the CLI bin because dist/cli.js was not executable at publish validation time. This PR makes that failure visible and fixes it.

Files touched

  • scripts/build.mjs
  • scripts/release-smoke.mjs
  • package.json
  • tests/package.test.mjs
  • docs/release-checklist.md

Relevant context

  • Fork B / Package Distribution Context from the alpha release train.
  • Built in isolated worktree /Users/pd/Developer/fallow-ts-package-distribution because the main worktree had uncommitted Release Identity changes.
  • Based on main after PR #39.

Runtime evidence

  • npm ci
  • npm run build
  • npm run publish:dry-run
  • npm run release:smoke
  • npm test — 34/34 passing
  • npm run pack:dry-run
  • node dist/cli.js analyze --root . --format json --output /tmp/fallow-ts-report.json
  • node dist/cli.js analyze --root examples/demo-project --format text
  • git diff --check

Known constraints

npm publish --dry-run still prints npm's normal dry-run login warning. That is allowed. The release-smoke guard blocks metadata drift warnings, not the harmless dry-run login warning.

Coordination notes

This PR overlaps package.json with Fork A / PR #40. Recommended merge order remains #40 first, then this PR rebased or updated if needed. No version, changelog release cut, CI workflow, adoption prose, parser, resolver, or finding changes are included.

Explicit out-of-scope

No npm publish, no version bump, no package name ownership claim, no CI matrix changes, no analyzer changes, no new runtime dependencies.

Requested decision

Approve merge if the distribution proof is appropriate and the bin executable fix belongs in Package Distribution.

Merge blockers

npm publish --dry-run still auto-correcting metadata, release-smoke depending on registry publication, failing package tests, or crossing into release identity / CI / analyzer ownership.

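The two gates the description above talks about, written out as an added example rather than the project's own scripts/build.mjs or scripts/release-smoke.mjs, in Node ESM like the project's scripts: the build side marks the compiled CLI executable before npm validates the package, and the release-smoke side runs `npm publish --dry-run` and fails only on metadata auto-correction, letting the dry-run login notice through. The regular expressions for npm's wording and the sample npm output are assumptions and constructed text, not captured from a real npm run; confirm them against the npm version the release train actually uses before relying on the gate.

```javascript
// Added example, not the fallow-ts project's own build or release-smoke code.
// Warning patterns and sample output below are ASSUMPTIONS about npm's wording.
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { spawnSync } from "node:child_process";

// ---- build side: the CLI entry point must be executable before publish ----

// True when any execute bit is set. Mode bits are not meaningful on Windows,
// so this check is only trustworthy on POSIX hosts.
function isExecutable(file) {
  return (fs.statSync(file).mode & 0o111) !== 0;
}

// Idempotent chmod to 0755 (what npm expects for a `bin` target);
// returns the resulting executable state so the build can assert on it.
function markExecutable(file) {
  if (!isExecutable(file)) fs.chmodSync(file, 0o755);
  return isExecutable(file);
}

// Stand-alone demo of the fix in a temp dir: a file written with 0644 (like
// tsc output) is not executable until the build step marks it.
function demoChmod() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "fallow-ts-dist-"));
  const cli = path.join(dir, "cli.js");
  fs.writeFileSync(cli, "#!/usr/bin/env node\nconsole.log('hi');\n", { mode: 0o644 });
  const before = isExecutable(cli);
  const after = markExecutable(cli);
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, after };
}

// ---- release-smoke side: classify npm publish --dry-run output ----

// Lines meaning npm rewrote package metadata (e.g. dropped a bin whose target
// was not executable). Assumed wording; see lead-in.
const DRIFT_PATTERNS = [
  /auto-corrected some errors in your package\.json/i,
  /errors corrected/i,
  /is not executable/i,
];

// The harmless dry-run login notice that the gate must NOT fail on. Assumed wording.
const ALLOWED_PATTERNS = [/requires you to be logged in .*\(dry-run\)/i];

// Returns { ok, drift, ignored }. Drift lines fail the gate; allowlisted lines
// are recorded as ignored; any other output is left alone.
function classifyPublishOutput(output) {
  const drift = [];
  const ignored = [];
  for (const line of output.split(/\r?\n/)) {
    if (!line.trim()) continue;
    if (DRIFT_PATTERNS.some((re) => re.test(line))) drift.push(line);
    else if (ALLOWED_PATTERNS.some((re) => re.test(line))) ignored.push(line);
  }
  return { ok: drift.length === 0, drift, ignored };
}

// Runs the real dry run in `cwd` and applies the gate. Never publishes.
// Not exercised by the constructed samples below (needs a real package.json).
function runPublishGate(cwd) {
  const res = spawnSync("npm", ["publish", "--dry-run"], {
    cwd,
    encoding: "utf8",
    shell: process.platform === "win32",
  });
  const verdict = classifyPublishOutput(`${res.stdout ?? ""}\n${res.stderr ?? ""}`);
  if (res.status !== 0) verdict.ok = false; // a failed dry run is also a blocker
  return verdict;
}

// ---- constructed sample output (NOT captured from a real npm run) ----
const SAMPLE_DRIFT = [
  "npm WARN publish npm auto-corrected some errors in your package.json when publishing.",
  "npm WARN publish errors corrected:",
  'npm WARN publish "bin[fallow-ts]" removed because dist/cli.js is not executable',
].join("\n");

const SAMPLE_CLEAN = [
  "npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access (dry-run)",
  "npm WARN This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)",
].join("\n");

if (process.argv[1] && process.argv[1].endsWith(path.basename(import.meta.url))) {
  console.log(demoChmod());                                  // { before: false, after: true }
  console.log(classifyPublishOutput(SAMPLE_DRIFT).ok);       // false
  console.log(classifyPublishOutput(SAMPLE_CLEAN).ok);       // true
  if (process.argv[2]) console.log(runPublishGate(process.argv[2]));
}
```

Pass a package root as the first argument to run the real gate after `npm run build`; a non-zero `npm publish --dry-run` exit is treated as a blocker as well, since a dry run that cannot complete proves nothing about the tarball. The allowlist is deliberately narrow: anything npm says that is neither recognised drift nor the login notice is passed through for a human to read rather than silently accepted.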
Harden npm publish dry-run proof
Some checks failed
CI / test (push) Failing after 15s
CI / test (pull_request) Failing after 14s
4814e8f6b3
Adds an explicit npm publish dry-run gate to the package distribution proof and wires release smoke to fail when npm reports metadata auto-correction.

Also fixes a real npm packaging blocker: build now sets dist/cli.js executable and package bin uses npm's canonical dist/cli.js path, so npm publish dry-run no longer strips the CLI bin.

Verified:

- npm ci
- npm run build
- npm run publish:dry-run
- npm run release:smoke
- npm test
- npm run pack:dry-run
- node dist/cli.js analyze --root . --format json --output /tmp/fallow-ts-report.json
- node dist/cli.js analyze --root examples/demo-project --format text
- git diff --check
codex requested review from claude 2026-05-18 18:54:54 +02:00
Merge remote-tracking branch 'origin/main' into codex/package-distribution-proof
All checks were successful
CI / test (push) Successful in 14s
CI / test (pull_request) Successful in 14s
ac3af686b3
Reference
pdurlej/fallow-ts!43