@anaclumos/taal 1.1.7 → 1.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anaclumos/taal",
-  "version": "1.1.7",
+  "version": "1.1.8",
   "description": "CLI tool to sync MCP server configs and Agent Skills across AI coding assistants",
   "type": "module",
   "bin": {

package/src/commands/diff.ts

@@ -2,6 +2,20 @@ import { homedir } from "node:os";
 import { loadTaalConfig } from "../config/loader.js";
 import { initializeProviders, registry } from "../providers/index.js";
 
+function sortObjectKeys(obj: unknown): unknown {
+  if (obj === null || typeof obj !== "object") {
+    return obj;
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(sortObjectKeys);
+  }
+  const sorted: Record<string, unknown> = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = sortObjectKeys((obj as Record<string, unknown>)[key]);
+  }
+  return sorted;
+}
+
 export interface DiffChange {
   type: "add" | "remove" | "modify";
   serverName: string;
@@ -73,9 +87,13 @@ export async function diff(
 
         for (const key of taalKeys) {
           if (currentKeys.has(key)) {
-            const currentValue = JSON.stringify(currentServers[key]);
+            const currentValue = JSON.stringify(
+              sortObjectKeys(currentServers[key])
+            );
             const newValue = JSON.stringify(
-              (transformedServers as Record<string, unknown>)[key]
+              sortObjectKeys(
+                (transformedServers as Record<string, unknown>)[key]
+              )
             );
 
             if (currentValue !== newValue) {

package/DIAGNOSTIC.md

@@ -1,75 +0,0 @@
-# Trusted Publishing Diagnostic
-
-## Current Error
-
-The v1.1.6 workflow failed with:
-```
-npm notice Access token expired or revoked. Please try logging in again.
-npm error 404 Not Found - PUT https://registry.npmjs.org/@anaclumos%2ftaal - Not found
-```
-
-This means OIDC authentication is NOT working. The issue is likely in the npmjs.com configuration.
-
-## Verification Checklist
-
-### 1. Verify Trusted Publisher Configuration
-
-Go to: https://www.npmjs.com/package/@anaclumos/taal/access
-
-Under "Trusted Publisher", you should see:
-- ✅ **Provider**: GitHub Actions
-- ✅ **Organization or user**: `anaclumos` (EXACTLY - case sensitive)
-- ✅ **Repository**: `taal` (EXACTLY - case sensitive)
-- ✅ **Workflow filename**: `publish.yml` (EXACTLY - must include .yml extension)
-- ✅ **Environment name**: (leave EMPTY unless you use GitHub environments)
-
-**CRITICAL**: All fields are case-sensitive and must match EXACTLY.
-
-### 2. Verify Publishing Access Settings
-
-Still on the same page, under "Publishing Access":
-
-You should have selected: **"Require two-factor authentication and disallow tokens"**
-
-NOT:
-- ❌ "Require two-factor authentication or automation tokens"  
-- ❌ "No restrictions"
-
-### 3. Verify You Saved
-
-Make sure you clicked **"Update Package Settings"** at the bottom of the page.
-
-### 4. Screenshot
-
-Can you take a screenshot of your npmjs.com package settings and show me?
-
-## Common Mistakes
-
-1. **Workflow filename without .yml extension**: Must be `publish.yml` not just `publish`
-2. **Case mismatch**: Repository name must match exactly (`taal` not `Taal` or `TAAL`)
-3. **Organization vs user**: Make sure it's your username `anaclumos`, not an organization
-4. **Didn't save**: Settings won't take effect until you click "Update Package Settings"
-5. **Wrong publishing access setting**: Must select "disallow tokens" to allow OIDC
-
-## Next Steps
-
-1. Double-check ALL settings above
-2. Make sure you clicked "Update Package Settings"
-3. If everything looks correct, try again:
-   ```bash
-   npm version patch
-   git push --follow-tags
-   ```
-
-## Alternative: Use Token (Temporary)
-
-If you want to publish NOW while we debug trusted publishing:
-
-1. Create a Granular Access Token on npmjs.com (Read and write access)
-2. Add it as NPM_TOKEN secret:
-   ```bash
-   gh secret set NPM_TOKEN --body "npm_YOUR_TOKEN_HERE"
-   ```
-3. Re-run workflow
-
-But trusted publishing is better - let's get it working!

package/FIX_2FA_ISSUE.md

@@ -1,81 +0,0 @@
-# FIX: 2FA Blocking Trusted Publishing
-
-## The Problem
-
-Your workflow is failing with:
-```
-npm error code EOTP
-npm error This operation requires a one-time password from your authenticator.
-```
-
-This happens because your NPM account requires 2FA for publishing, which blocks OIDC authentication.
-
-## The Solution
-
-You need to **configure your package** to allow trusted publishers to bypass 2FA:
-
-### Step 1: Go to Package Settings
-
-Visit: https://www.npmjs.com/package/@anaclumos/taal/access
-
-### Step 2: Configure Publishing Access
-
-Scroll down to **"Publishing Access"** section.
-
-Select: **"Require two-factor authentication and disallow tokens"**
-
-![Publishing Access Settings](https://docs.npmjs.com/packages-and-modules/securing-your-code/trusted-publisher-security.png)
-
-This option:
-- ✅ **Allows** trusted publishers (OIDC) to publish without OTP
-- ❌ **Blocks** token-based authentication
-- ✅ **Maintains** security through OIDC
-
-### Step 3: Save
-
-Click **"Update Package Settings"** at the bottom.
-
-### Step 4: Test
-
-Re-run the failed workflow:
-```bash
-cd /Users/cho/Developer/taal
-gh run rerun 21076753514
-```
-
-Or create a new version:
-```bash
-npm version patch
-git push --follow-tags
-```
-
-## Why This Works
-
-When you select "Require two-factor authentication and disallow tokens":
-- Traditional token-based publishing is **blocked**
-- Trusted publishing via OIDC is **allowed** (no OTP needed)
-- Security is **enhanced** (OIDC is more secure than tokens + OTP)
-
-## Alternative (Less Secure)
-
-If the above doesn't work, you can temporarily disable 2FA requirement:
-
-1. Go to: https://www.npmjs.com/package/@anaclumos/taal/access
-2. Select: "Require two-factor authentication or automation/integration tokens (recommended)"
-3. Save
-
-**Note**: This is less secure. The first option is better.
-
-## Verification
-
-After configuration, the workflow should:
-1. ✅ Authenticate via OIDC (no OTP needed)
-2. ✅ Generate provenance automatically
-3. ✅ Publish successfully
-
-## Troubleshooting
-
-If it still fails:
-1. Check that trusted publisher is configured correctly (anaclumos/taal/publish.yml)
-2. Verify you saved the "Publishing Access" settings
-3. Check workflow logs: `gh run view --log-failed`

package/TRUSTED_PUBLISHING_SETUP.md

@@ -1,87 +0,0 @@
-# NPM Trusted Publishing Setup
-
-This project uses **NPM Trusted Publishing** with OIDC authentication - no NPM tokens needed!
-
-## What is Trusted Publishing?
-
-Trusted publishing uses OpenID Connect (OIDC) to authenticate GitHub Actions workflows directly with npm, eliminating the need for long-lived access tokens. This is more secure because:
-
-- No secrets to manage or rotate
-- Short-lived, workflow-specific credentials
-- Cannot be extracted or reused
-- Automatic provenance generation
-
-## Setup Instructions
-
-### Step 1: Configure Trusted Publisher on npmjs.com
-
-1. **Go to your package settings**:
-   - Visit: https://www.npmjs.com/package/@anaclumos/taal/access
-   - Or navigate to: npmjs.com → Your package → Settings → Publishing Access
-
-2. **Find "Trusted Publisher" section**
-
-3. **Click "GitHub Actions" button**
-
-4. **Fill in the configuration**:
-   - **Organization or user**: `anaclumos`
-   - **Repository**: `taal`
-   - **Workflow filename**: `publish.yml`
-   - **Environment name**: (leave empty)
-
-5. **Save the configuration**
-
-### Step 2: Verify Workflow Configuration
-
-The workflow is already configured correctly in `.github/workflows/publish.yml`:
-
-```yaml
-permissions:
-  id-token: write  # Required for OIDC
-  contents: read
-
-- run: npm publish --access public  # No NODE_AUTH_TOKEN needed!
-```
-
-### Step 3: Test Publishing
-
-Once you've configured the trusted publisher on npmjs.com:
-
-1. Create a new version tag:
-   ```bash
-   npm version patch
-   git push --follow-tags
-   ```
-
-2. GitHub Actions will automatically:
-   - Run tests and linter
-   - Publish to npm using OIDC
-   - Generate provenance attestations
-
-## Troubleshooting
-
-### "Unable to authenticate" error
-
-- Verify the workflow filename matches exactly: `publish.yml`
-- Check that all fields are correct (case-sensitive)
-- Ensure you're using GitHub-hosted runners (not self-hosted)
-- Confirm `id-token: write` permission is set
-
-### Workflow still failing
-
-- Check that you saved the trusted publisher configuration on npmjs.com
-- Verify the repository and organization names match exactly
-- Review the workflow logs for specific error messages
-
-## Benefits
-
-✅ **No secrets management** - No NPM_TOKEN to rotate or secure  
-✅ **Automatic provenance** - Cryptographic proof of package origin  
-✅ **Enhanced security** - Short-lived, scoped credentials  
-✅ **Simpler workflow** - Less configuration, fewer moving parts  
-
-## Learn More
-
-- [NPM Trusted Publishing Docs](https://docs.npmjs.com/trusted-publishers)
-- [GitHub OIDC Documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
-- [NPM Provenance](https://docs.npmjs.com/generating-provenance-statements)