@agentify/cli 0.2.8 → 0.2.9

package/README.md

@@ -17,13 +17,13 @@ The hosted setup flow at `https://chat.agentify.sh` can also install the CLI for
 
 ```bash
 agentify chat pair --pairing-ticket <ticket> --workspace "$PWD" --label "$(basename "$PWD")"
-agentify chat daemon --runner-command codex
+agentify chat daemon --runner codex
 agentify chat daemon --runner-command claude
 agentify chat daemon --runner-command gemini
 agentify doctor
 ```
 
-`agentify chat pair` registers this machine as the local decrypting device for a workspace. `agentify chat daemon --runner-command ...` keeps the selected local CLI open in the configured workspace and sends encrypted chat turns into that live session.
+`agentify chat pair` registers this machine as the local decrypting device for a workspace. `agentify chat daemon --runner codex` runs Codex through structured JSON events for reliable encrypted output streaming. `agentify chat daemon --runner-command ...` is available for other local CLIs and custom runner commands.
 
 ## Security Model
 
@@ -56,6 +56,60 @@ To verify release readiness:
 npm run release:check
 ```
 
+### Release automation
+
+For one-command release prep across all supported platforms:
+
+```bash
+npm run release:all
+```
+
+From the workspace root, you can run the same flow with:
+
+```bash
+bash ../scripts/release-agentify-cli.sh
+```
+
+The release pipeline is non-publishing by default and runs:
+
+- cross-platform Rust builds
+- multi-target npm wrapper staging
+- local version/release checks
+- package verification
+- release payload leak scan
+
+Use explicit flags to publish:
+
+```bash
+npm run release:all:publish -- --npm-tag latest
+```
+
+or:
+
+```bash
+bash ./scripts/release-all.sh --publish-npm --publish-git --auto-commit --create-tag --push-git
+```
+
+Useful options:
+
+```bash
+--targets darwin-arm64,linux-x64
+--publish-npm
+--publish-git
+--auto-commit
+--create-tag
+--push-git
+--skip-leak-scan
+--skip-cargo-test
+--skip-npm-tests
+--dry-run
+```
+
+Identity checks are enforced on publish:
+
+- npm account must be `agentify`
+- GitHub account must be `waml`
+
 During local incubation, when only some platform binaries are staged, use:
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentify/cli",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "description": "Agentify CLI for secure local Agentify Chat runners",
   "license": "MPL-2.0",
   "homepage": "https://agentify.sh",
@@ -30,6 +30,8 @@
     "postinstall": "node ./scripts/postinstall.js",
     "prepublishOnly": "npm run release:check",
     "release:check": "node ./scripts/release-check.js",
+    "release:all": "bash ./scripts/release-all.sh",
+    "release:all:publish": "bash ./scripts/release-all.sh --publish-npm --publish-git --auto-commit --create-tag --push-git",
     "release:manifest": "node ./scripts/build-release-manifest.js",
     "stage:bin": "node ./scripts/stage-binary.js",
     "test:npm": "node --test ./test/npm/*.test.js",

package/scripts/release-all.sh

@@ -0,0 +1,614 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+NPM_PUBLISH=false
+GIT_PUBLISH=false
+AUTO_COMMIT=false
+CREATE_TAG=false
+PUSH_GIT=false
+ALLOW_MISSING_TARGETS=false
+ALLOW_MISSING_TOOLCHAIN=false
+AUTO_INSTALL_TARGETS=false
+SKIP_LEAK_SCAN=false
+SKIP_CARGO_TEST=false
+SKIP_NPM_TESTS=false
+SKIP_RELEASE_CHECK=false
+SKIP_VERIFY_PACKAGE=false
+SKIP_GIT=false
+DRY_RUN=false
+CHECK_IDENTITY=false
+REQUIRE_CLEAN_WORKTREE=false
+
+NPM_TAG="latest"
+GIT_REMOTE="origin"
+GIT_BRANCH=""
+COMMIT_MESSAGE=""
+TAG_NAME=""
+
+REQUIRED_NPM_ACCOUNT="agentify"
+REQUIRED_GH_ACCOUNT="waml"
+ALL_TARGETS="darwin-arm64,darwin-x64,linux-arm64,linux-x64,win32-arm64,win32-x64"
+FILTER_TARGETS=""
+
+declare -A TARGET_INFO=(
+  ["darwin-arm64"]="aarch64-apple-darwin:agentify"
+  ["darwin-x64"]="x86_64-apple-darwin:agentify"
+  ["linux-arm64"]="aarch64-unknown-linux-gnu:agentify"
+  ["linux-x64"]="x86_64-unknown-linux-gnu:agentify"
+  ["win32-arm64"]="aarch64-pc-windows-gnullvm:agentify.exe"
+  ["win32-x64"]="x86_64-pc-windows-gnu:agentify.exe"
+)
+
+log() {
+  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] $*"
+}
+
+abort() {
+  log "ERROR: $*"
+  exit 1
+}
+
+usage() {
+  cat <<'EOF'
+Usage:
+  bash scripts/release-all.sh [options]
+
+Release automation (safe by default: no publish unless explicitly enabled):
+  --publish-npm            Publish npm package (explicit opt-in)
+  --publish-git            Push release git changes/tags (explicit opt-in)
+  --auto-commit            Commit staged release artifacts before git push
+  --create-tag             Create an annotated git tag
+  --push-git               Push branch/tags (requires --publish-git)
+  --publish-all             Publish npm + git together (implies --publish-npm --publish-git)
+  --skip-missing-targets   Continue if a requested target cannot be built (strict by default)
+  --allow-missing-toolchain Continue if requested target is blocked by missing toolchain
+  --auto-install-targets   Install missing rust targets via rustup
+
+Build / checks:
+  --targets <list>         Comma-separated targets (default: all supported)
+  --skip-leak-scan         Skip leak scan
+  --skip-cargo-test        Skip cargo test
+  --skip-npm-tests         Skip npm wrapper tests
+  --skip-release-check     Skip npm run release:check -- --skip-cargo
+  --skip-verify-package     Skip npm run verify:package
+  --dry-run                Print actions only
+  --require-clean-worktree  Require clean worktree for git publish
+
+Git:
+  --git-remote <name>      Git remote (default: origin)
+  --git-branch <name>      Git branch for push (default: current branch)
+  --commit-message <text>   Commit message for auto commit
+  --tag <name>             Tag name (default: v<version>)
+  --skip-git               Skip all git publish checks
+
+Publish:
+  --npm-tag <tag>          npm tag (default: latest)
+  --check-identity         Verify npm + GitHub identities before publish
+  --help
+
+Examples:
+  bash scripts/release-all.sh
+  bash scripts/release-all.sh --targets darwin-arm64,linux-x64
+  bash scripts/release-all.sh --publish-npm --publish-git --auto-commit --create-tag --push-git
+EOF
+}
+
+run_cmd() {
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "DRY RUN: $*" >&2
+    return 0
+  fi
+  log "RUN: $*" >&2
+  "$@"
+}
+
+run_in_root() {
+  (cd "$ROOT_DIR" && "$@")
+}
+
+log_target_status() {
+  local target=$1
+  local status=$2
+  if [[ "$status" == "ok" ]]; then
+    log "Target ${target} built and staged."
+  elif [[ "$status" == "skipped" ]]; then
+    log "Target ${target} skipped."
+  fi
+}
+
+trim() {
+  local value=$1
+  value="${value#"${value%%[![:space:]]*}"}"
+  value="${value%"${value##*[![:space:]]}"}"
+  if [[ -z "$value" ]]; then
+    printf ''
+    return
+  fi
+  printf '%s' "$value"
+}
+
+is_installed_target() {
+  local rust_target=$1
+  if ! command -v rustup >/dev/null 2>&1; then
+    return 1
+  fi
+  rustup target list --installed | awk '{print $1}' | grep -Fxq "$rust_target"
+}
+
+ensure_target_toolchain() {
+  local rust_target=$1
+  if is_installed_target "$rust_target"; then
+    return 0
+  fi
+
+  if [[ "$AUTO_INSTALL_TARGETS" == "true" ]]; then
+    if ! command -v rustup >/dev/null 2>&1; then
+      log "WARN: rustup is required to install missing target ${rust_target}, but it is unavailable."
+      return 1
+    fi
+    log "Installing rust target ${rust_target}"
+    run_cmd rustup target add "$rust_target"
+    if is_installed_target "$rust_target"; then
+      return 0
+    fi
+    return 1
+  fi
+
+  if [[ "$ALLOW_MISSING_TOOLCHAIN" == "true" ]]; then
+    log "WARN: missing rust target ${rust_target}; skipping (allow-missing-toolchain=true)"
+    return 1
+  fi
+
+  return 1
+}
+
+cleanup_temp_dir() {
+  local dir=$1
+  if [[ -d "$dir" ]]; then
+    python3 - "$dir" <<'PY'
+import shutil
+import sys
+shutil.rmtree(sys.argv[1], ignore_errors=True)
+PY
+  fi
+}
+
+require_cmd() {
+  local cmd_name=$1
+  command -v "$cmd_name" >/dev/null 2>&1 || abort "${cmd_name} is required"
+}
+
+while [[ "${#}" -gt 0 ]]; do
+  case "$1" in
+    --publish-npm)
+      NPM_PUBLISH=true
+      ;;
+    --publish-git)
+      GIT_PUBLISH=true
+      ;;
+    --publish-all)
+      NPM_PUBLISH=true
+      GIT_PUBLISH=true
+      ;;
+    --auto-commit)
+      AUTO_COMMIT=true
+      ;;
+    --create-tag)
+      CREATE_TAG=true
+      ;;
+    --push-git)
+      PUSH_GIT=true
+      ;;
+    --skip-leak-scan)
+      SKIP_LEAK_SCAN=true
+      ;;
+    --allow-missing-toolchain)
+      ALLOW_MISSING_TOOLCHAIN=true
+      ;;
+    --auto-install-targets)
+      AUTO_INSTALL_TARGETS=true
+      ;;
+    --skip-cargo-test)
+      SKIP_CARGO_TEST=true
+      ;;
+    --skip-npm-tests)
+      SKIP_NPM_TESTS=true
+      ;;
+    --skip-missing-targets)
+      ALLOW_MISSING_TARGETS=true
+      ;;
+    --skip-release-check)
+      SKIP_RELEASE_CHECK=true
+      ;;
+    --skip-verify-package)
+      SKIP_VERIFY_PACKAGE=true
+      ;;
+    --skip-git)
+      SKIP_GIT=true
+      ;;
+    --require-clean-worktree)
+      REQUIRE_CLEAN_WORKTREE=true
+      ;;
+    --check-identity)
+      CHECK_IDENTITY=true
+      ;;
+    --dry-run)
+      DRY_RUN=true
+      ;;
+    --git-remote)
+      shift
+      GIT_REMOTE=${1:-}
+      [[ -n "$GIT_REMOTE" ]] || abort "--git-remote requires a value"
+      ;;
+    --git-branch)
+      shift
+      GIT_BRANCH=${1:-}
+      [[ -n "$GIT_BRANCH" ]] || abort "--git-branch requires a value"
+      ;;
+    --commit-message)
+      shift
+      COMMIT_MESSAGE=${1:-}
+      [[ -n "$COMMIT_MESSAGE" ]] || abort "--commit-message requires a value"
+      ;;
+    --tag)
+      shift
+      TAG_NAME=${1:-}
+      [[ -n "$TAG_NAME" ]] || abort "--tag requires a value"
+      ;;
+    --targets)
+      shift
+      FILTER_TARGETS=${1:-}
+      [[ -n "$FILTER_TARGETS" ]] || abort "--targets requires a value"
+      ;;
+    --npm-tag)
+      shift
+      NPM_TAG=${1:-}
+      [[ -n "$NPM_TAG" ]] || abort "--npm-tag requires a value"
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      abort "Unknown argument: $1"
+      ;;
+  esac
+  shift
+done
+
+if [[ "$NPM_PUBLISH" == "true" && "$SKIP_GIT" == "true" ]]; then
+  log "WARN: --skip-git only disables git publish checks, not npm publish"
+fi
+
+if [[ "$GIT_PUBLISH" == "true" && "$SKIP_GIT" == "true" ]]; then
+  abort "--publish-git requires git publish actions; remove --skip-git."
+fi
+
+require_cmd node
+require_cmd npm
+require_cmd cargo
+
+get_workspace_version() {
+  node -p "require('./package.json').version"
+}
+
+VERSION="$(cd "$ROOT_DIR" && get_workspace_version)"
+VERSION="${VERSION:-0.2.9}"
+COMMIT_MESSAGE="${COMMIT_MESSAGE:-chore(release): release Agentify CLI ${VERSION}}"
+TAG_NAME="${TAG_NAME:-v${VERSION}}"
+
+if [[ -z "$FILTER_TARGETS" ]]; then
+  FILTER_TARGETS="$ALL_TARGETS"
+fi
+
+declare -a TARGETS=()
+declare -a RAW_TARGETS=()
+declare -A SEEN_TARGETS=()
+IFS=',' read -r -a RAW_TARGETS <<< "$FILTER_TARGETS"
+
+for raw_target in "${RAW_TARGETS[@]}"; do
+  target="$(trim "$raw_target")"
+  [[ -z "$target" ]] && continue
+  if [[ -n "${SEEN_TARGETS[$target]+x}" ]]; then
+    continue
+  fi
+  SEEN_TARGETS["$target"]=1
+  TARGETS+=("$target")
+done
+
+if [[ "${#TARGETS[@]}" -eq 0 ]]; then
+  abort "No valid targets provided."
+fi
+
+validate_target() {
+  local target=$1
+  if [[ -z "${TARGET_INFO[$target]+x}" ]]; then
+    abort "Unsupported target: ${target}"
+  fi
+}
+
+for target in "${TARGETS[@]}"; do
+  validate_target "$target"
+done
+
+cargo_build_target() {
+  local rust_target=$1
+  if [[ "$rust_target" != *apple-darwin && -x "${HOME}/.cargo/bin/cargo-zigbuild" ]]; then
+    run_in_root run_cmd cargo zigbuild --locked --release --target "$rust_target"
+    return
+  fi
+  run_in_root run_cmd cargo build --locked --release --target "$rust_target"
+}
+
+run_build_and_stage() {
+  local target=$1
+  local info=${TARGET_INFO[$target]}
+  IFS=':' read -r rust_target binary_name <<< "$info"
+  local platform="${target%%-*}"
+  local arch="${target#*-}"
+  local source_path="${ROOT_DIR}/target/${rust_target}/release/${binary_name}"
+
+  log "Building ${target} -> ${rust_target}"
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "DRY RUN: skipping build + stage for ${target}"
+    return 0
+  fi
+
+  if ! ensure_target_toolchain "$rust_target"; then
+    return 1
+  fi
+
+  if ! cargo_build_target "$rust_target"; then
+    if [[ "$ALLOW_MISSING_TARGETS" == "true" ]]; then
+      log "WARN: failed to build ${target}; likely missing cross toolchain."
+      return 1
+    fi
+    return 1
+  fi
+
+  [[ -f "$source_path" ]] || abort "build output missing: ${source_path}"
+
+  log "Staging ${target} from ${source_path}"
+  (cd "$ROOT_DIR" && run_cmd npm run stage:bin -- --platform "$platform" --arch "$arch" --source "$source_path" --force)
+}
+
+parse_pack_name() {
+  local pack_json=$1
+  node -e "const input=require('fs').readFileSync(process.argv[1], 'utf8'); const data=JSON.parse(input); const first=Array.isArray(data) ? data[0] : data; process.stdout.write(first && first.filename ? first.filename : '');" "$pack_json"
+}
+
+run_leak_scan() {
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "Leak scan skipped in dry run."
+    return 0
+  fi
+
+  if [[ "$SKIP_LEAK_SCAN" == "true" ]]; then
+    log "Leak scan skipped."
+    return 0
+  fi
+
+  log "Running release leak scan"
+  local temp_dir
+  temp_dir="$(mktemp -d)"
+  local pack_json="${temp_dir}/pack.json"
+  local pack_name
+  local gitleaks_log="${temp_dir}/gitleaks.log"
+
+  (cd "$ROOT_DIR" &&
+    run_cmd npm pack --silent --json --pack-destination "$temp_dir" > "$pack_json")
+
+  pack_name="$(parse_pack_name "$pack_json")"
+  if [[ -z "$pack_name" ]]; then
+    cleanup_temp_dir "$temp_dir"
+    abort "Could not determine npm pack filename"
+  fi
+
+  local archive="${temp_dir}/${pack_name}"
+  if [[ ! -f "$archive" ]]; then
+    cleanup_temp_dir "$temp_dir"
+    abort "npm pack artifact not found: ${archive}"
+  fi
+
+  log "Unpacking ${archive}"
+  tar -xzf "$archive" -C "$temp_dir"
+  local package_payload="${temp_dir}/package"
+  if [[ ! -d "$package_payload" ]]; then
+    cleanup_temp_dir "$temp_dir"
+    abort "Expected package payload directory missing: ${package_payload}"
+  fi
+
+  if command -v gitleaks >/dev/null 2>&1; then
+    log "Running gitleaks on packed package"
+    local gitleaks_report="${temp_dir}/gitleaks-report.json"
+    set +e
+    gitleaks detect --no-git --redact --source "$package_payload" --report-format json --report-path "$gitleaks_report" >"$gitleaks_log" 2>&1
+    local gitleaks_code=$?
+    set -e
+    if [[ "$gitleaks_code" -ne 0 ]]; then
+      if [[ -s "$gitleaks_report" ]]; then
+        cleanup_temp_dir "$temp_dir"
+        abort "Gitleaks detected possible secrets in release payload. Report: $gitleaks_report"
+      fi
+      if rg -q "Found" "$gitleaks_log"; then
+        cleanup_temp_dir "$temp_dir"
+        abort "Gitleaks failed to complete for release payload"
+      fi
+    fi
+    cleanup_temp_dir "$temp_dir"
+    return 0
+  fi
+
+  log "Gitleaks unavailable; running fallback regex scan"
+  local pattern='(?i)-----BEGIN [A-Z ]+ PRIVATE KEY-----|(?i)AKIA[0-9A-Z]{16}|(?i)(?:ghp|gho|ghu|ghr)_[A-Za-z0-9]{36,}|(?i)github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}|(?i)BEGIN OPENSSH PRIVATE KEY|(?i)secret\\s*[:=]|(?i)api[_-]?key\\s*[:=]|(?i)password\\s*[:=]'
+  if rg -n --hidden --pcre2 -S "$pattern" "$package_payload"; then
+    cleanup_temp_dir "$temp_dir"
+    abort "Fallback leak scan found suspicious strings in packed package."
+  fi
+
+  log "Leak scan passed"
+  cleanup_temp_dir "$temp_dir"
+}
+
+maybe_check_npm_identity() {
+  local actual
+  actual="$(npm whoami 2>/dev/null || true)"
+  if [[ -z "$actual" ]]; then
+    abort "npm auth missing. Run npm login as ${REQUIRED_NPM_ACCOUNT}."
+  fi
+  if [[ "$actual" != "$REQUIRED_NPM_ACCOUNT" ]]; then
+    abort "npm identity mismatch. Expected ${REQUIRED_NPM_ACCOUNT}, got ${actual}."
+  fi
+  log "npm identity: ${actual}"
+}
+
+maybe_check_github_identity() {
+  if ! command -v gh >/dev/null 2>&1; then
+    abort "gh CLI required for GitHub identity checks."
+  fi
+  local user
+  user="$(gh api user --jq .login 2>/dev/null || true)"
+  if [[ -z "$user" ]]; then
+    abort "GitHub auth missing or gh not authorized."
+  fi
+  if [[ "$user" != "$REQUIRED_GH_ACCOUNT" ]]; then
+    abort "GitHub identity mismatch. Expected ${REQUIRED_GH_ACCOUNT}, got ${user}."
+  fi
+  log "GitHub identity: ${user}"
+}
+
+maybe_publish_npm() {
+  [[ "$NPM_PUBLISH" == "true" ]] || return 0
+
+  maybe_check_npm_identity
+  log "Publishing npm package @agentify/cli@${VERSION} (${NPM_TAG})"
+  (cd "$ROOT_DIR" && run_cmd npm publish --access public --tag "$NPM_TAG")
+}
+
+current_branch() {
+  (cd "$ROOT_DIR" && git rev-parse --abbrev-ref HEAD)
+}
+
+maybe_publish_git() {
+  [[ "$GIT_PUBLISH" == "true" ]] || return 0
+
+  if [[ "$REQUIRE_CLEAN_WORKTREE" == "true" ]]; then
+    if [[ -n "$(cd "$ROOT_DIR" && git status --porcelain)" ]]; then
+      abort "git publish requested with --require-clean-worktree, but workspace has changes."
+    fi
+  fi
+
+  maybe_check_github_identity
+  local branch
+  branch="$(current_branch)"
+  if [[ -z "$GIT_BRANCH" ]]; then
+    GIT_BRANCH="$branch"
+  fi
+  if [[ "$GIT_BRANCH" != "$branch" ]]; then
+    log "WARN: target push branch is ${GIT_BRANCH}; current branch is ${branch}"
+  fi
+
+  (cd "$ROOT_DIR" && git status --short)
+
+  if [[ "$AUTO_COMMIT" == "true" ]]; then
+    local commit_paths=(".")
+    local repo_root
+    repo_root="$(cd "$ROOT_DIR" && git rev-parse --show-toplevel)"
+    local wrapper_path="${repo_root}/scripts/release-agentify-cli.sh"
+    if [[ -f "$wrapper_path" ]]; then
+      commit_paths+=("$wrapper_path")
+    fi
+    (cd "$ROOT_DIR" && run_cmd git add "${commit_paths[@]}")
+    if (cd "$ROOT_DIR" && git diff --cached --quiet); then
+      log "No release artifacts changed; skipping commit."
+    else
+      (cd "$ROOT_DIR" && run_cmd git commit -m "$COMMIT_MESSAGE")
+    fi
+  fi
+
+  if [[ "$CREATE_TAG" == "true" ]]; then
+    if (cd "$ROOT_DIR" && git rev-parse "$TAG_NAME" >/dev/null 2>&1); then
+      log "Tag exists already: ${TAG_NAME}"
+    else
+      (cd "$ROOT_DIR" && run_cmd git tag -a "${TAG_NAME}" -m "${COMMIT_MESSAGE}")
+    fi
+  fi
+
+  if [[ "$PUSH_GIT" == "true" ]]; then
+    (cd "$ROOT_DIR" && run_cmd git push "$GIT_REMOTE" "$GIT_BRANCH")
+    if [[ "$CREATE_TAG" == "true" ]]; then
+      (cd "$ROOT_DIR" && run_cmd git push "$GIT_REMOTE" "${TAG_NAME}")
+    fi
+  fi
+}
+
+run_checks() {
+  if [[ "$SKIP_RELEASE_CHECK" != "true" ]]; then
+    log "Running release checks"
+    run_in_root run_cmd npm run check:versions
+
+    if [[ "$SKIP_CARGO_TEST" != "true" ]]; then
+      run_in_root run_cmd cargo test --locked
+    fi
+    if [[ "$SKIP_NPM_TESTS" != "true" ]]; then
+      run_in_root run_cmd npm run test:npm
+    fi
+    if [[ "$ALLOW_MISSING_TARGETS" == "true" ]]; then
+      run_in_root run_cmd npm run release:check -- --skip-cargo --allow-missing-targets
+    else
+      run_in_root run_cmd npm run release:check -- --skip-cargo
+    fi
+  fi
+
+  if [[ "$SKIP_VERIFY_PACKAGE" != "true" ]]; then
+    run_in_root run_cmd npm run verify:package
+  fi
+}
+
+if [[ "$CHECK_IDENTITY" == "true" ]]; then
+  maybe_check_npm_identity
+  maybe_check_github_identity
+fi
+
+log "Starting release pipeline"
+log "Version: ${VERSION}"
+log "Targets: ${TARGETS[*]}"
+log "Dry run: ${DRY_RUN}"
+
+declare -a COMPLETED_TARGETS=()
+declare -a FAILED_TARGETS=()
+
+for target in "${TARGETS[@]}"; do
+  if run_build_and_stage "$target"; then
+    COMPLETED_TARGETS+=("$target")
+    log_target_status "$target" "ok"
+  else
+    FAILED_TARGETS+=("$target")
+    log_target_status "$target" "skipped"
+    if [[ "$ALLOW_MISSING_TARGETS" != "true" ]]; then
+      abort "Build failed for requested target: ${target}"
+    fi
+  fi
+done
+
+if [[ "${#COMPLETED_TARGETS[@]}" -eq 0 ]]; then
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "No targets would be built in dry-run (check requested target list and allow-missing settings)."
+  else
+    abort "No targets were built successfully."
+  fi
+fi
+
+run_checks
+run_leak_scan
+maybe_publish_npm
+maybe_publish_git
+
+if [[ "${#FAILED_TARGETS[@]}" -gt 0 ]]; then
+  log "Skipped targets: ${FAILED_TARGETS[*]}"
+fi
+
+log "Release pipeline complete"