@cmetech/otto 1.2.6 → 1.3.1

package/node_modules/xlsx/xlsxworker.js

@@ -0,0 +1,14 @@
+/* xlsx.js (C) 2013-present SheetJS -- http://sheetjs.com */
+importScripts('dist/shim.min.js');
+/* uncomment the next line for encoding support */
+importScripts('dist/cpexcel.js');
+importScripts('xlsx.js');
+postMessage({t:"ready"});
+
+onmessage = function (evt) {
+  var v;
+  try {
+    v = XLSX.read(evt.data.d, {type: evt.data.b, codepage: evt.data.c});
+postMessage({t:"xlsx", d:JSON.stringify(v)});
+  } catch(e) { postMessage({t:"e",d:e.stack||e}); }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cmetech/otto",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Terminal-based developer chat assistant. Permanent hard fork of gsd-pi with LangFlow flow triggers, a flow builder, and optional gateway routing for compliance environments.",
   "keywords": [
     "ai",
@@ -30,10 +30,14 @@
   "bin": {
     "otto": "dist/loader.js"
   },
+  "bundleDependencies": [
+    "xlsx"
+  ],
   "files": [
     "dist",
     "packages",
     "pkg",
+    "vendor",
     "src/resources",
     "scripts/postinstall.js",
     "scripts/install.js",
@@ -123,6 +127,7 @@
     "sync-platform-versions": "node native/scripts/sync-platform-versions.cjs",
     "verify:native-platform-packages": "node scripts/verify-native-platform-packages.mjs",
     "verify:version-sync": "node scripts/verify-version-sync.cjs",
+    "verify:vendored-xlsx": "node scripts/verify-vendored-xlsx.mjs",
     "validate-pack": "node scripts/validate-pack.js",
     "typecheck:extensions": "tsc --noEmit --project tsconfig.extensions.json",
     "verify:fast": "bash scripts/ci-fast-gates.sh",
@@ -135,7 +140,7 @@
     "release:publish": "gh workflow run build-native.yml -f publish=true -f publish_auth=trusted",
     "docker:build-runtime": "docker build --target runtime -t ghcr.io/cmetech/otto .",
     "docker:build-builder": "docker build --target builder -t ghcr.io/open-gsd/otto-ci-builder .",
-    "prepublishOnly": "npm run sync-pkg-version && npm run verify:version-sync && npm run verify:piconfig-sync && npm run branding:check && node scripts/prepublish-check.mjs && npm run build && npm run typecheck:extensions && npm run verify:native-platform-packages && npm run validate-pack",
+    "prepublishOnly": "npm run sync-pkg-version && npm run verify:version-sync && npm run verify:vendored-xlsx && npm run verify:piconfig-sync && npm run branding:check && node scripts/prepublish-check.mjs && npm run build && npm run typecheck:extensions && npm run verify:native-platform-packages && npm run validate-pack",
     "test:live-regression": "node --experimental-strip-types tests/live-regression/run.ts",
     "test:e2e": "node --experimental-strip-types --test --test-concurrency=1 \"tests/e2e/*.e2e.test.ts\"",
     "test:e2e:windows-smoke": "node --experimental-strip-types --test tests/e2e/sanity.e2e.test.ts tests/e2e/migration.e2e.test.ts tests/e2e/native-abi.e2e.test.ts",
@@ -180,6 +185,7 @@
     "sql.js": "^1.14.1",
     "strip-ansi": "^7.1.0",
     "undici": "^7.24.2",
+    "xlsx": "file:vendor/xlsx-0.20.3.tgz",
     "yaml": "^2.8.2",
     "zod": "^4.4.3"
   },
@@ -196,11 +202,11 @@
   },
   "optionalDependencies": {
     "@anthropic-ai/claude-agent-sdk": "0.2.83",
-    "@cmetech/otto-engine-darwin-arm64": "1.2.6",
-    "@cmetech/otto-engine-darwin-x64": "1.2.6",
-    "@cmetech/otto-engine-linux-arm64-gnu": "1.2.6",
-    "@cmetech/otto-engine-linux-x64-gnu": "1.2.6",
-    "@cmetech/otto-engine-win32-x64-msvc": "1.2.6",
+    "@cmetech/otto-engine-darwin-arm64": "1.3.1",
+    "@cmetech/otto-engine-darwin-x64": "1.3.1",
+    "@cmetech/otto-engine-linux-arm64-gnu": "1.3.1",
+    "@cmetech/otto-engine-linux-x64-gnu": "1.3.1",
+    "@cmetech/otto-engine-win32-x64-msvc": "1.3.1",
     "fsevents": "~2.3.3",
     "koffi": "^2.9.0"
   },

package/packages/contracts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto-build/contracts",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Shared public contracts for OTTO workspace boundaries",
   "license": "MIT",
   "otto": {

package/packages/coworker-scratchpad/dist/kernel-bindings.d.ts

@@ -4,10 +4,8 @@ import { type AuditLog } from '@otto/coworker-utils';
  * The data libraries pre-bound into every scratchpad cell's vm sandbox.
  * DuckDB is bound as an in-memory-capable lib here; on-disk kernel.db wiring is 1d2.
  *
- * Note: ExcelJS was removed in 1.2.6 — its transitive deps (glob@7, inflight,
- * rimraf@2, fstream, lodash.isequal) are deprecated with known vulnerabilities
- * and exceljs is no longer maintained upstream. xlsx-populate is the candidate
- * replacement; tracked in docs/superpowers/notes/2026-06-01-coworker-roadmap.md.
+ * XLSX is SheetJS Community Edition (vendored — see vendor/README.md for the
+ * CE → Pro swap procedure).
  */
 export declare function buildDataLibBindings(): Record<string, unknown>;
 /** SQL column type string passed straight into CREATE TABLE (e.g. VARCHAR, BIGINT). */

package/packages/coworker-scratchpad/dist/kernel-bindings.js

@@ -1,4 +1,5 @@
 import pl from 'nodejs-polars';
+import XLSX from 'xlsx';
 import lodash from 'lodash';
 import axios from 'axios';
 import { z } from 'zod';
@@ -9,15 +10,14 @@ import { SecretScanner } from '@otto/coworker-utils';
  * The data libraries pre-bound into every scratchpad cell's vm sandbox.
  * DuckDB is bound as an in-memory-capable lib here; on-disk kernel.db wiring is 1d2.
  *
- * Note: ExcelJS was removed in 1.2.6 — its transitive deps (glob@7, inflight,
- * rimraf@2, fstream, lodash.isequal) are deprecated with known vulnerabilities
- * and exceljs is no longer maintained upstream. xlsx-populate is the candidate
- * replacement; tracked in docs/superpowers/notes/2026-06-01-coworker-roadmap.md.
+ * XLSX is SheetJS Community Edition (vendored — see vendor/README.md for the
+ * CE → Pro swap procedure).
  */
 export function buildDataLibBindings() {
     return {
         polars: pl,
         DuckDB,
+        XLSX,
         dateFns,
         lodash,
         zod: z,

package/packages/coworker-scratchpad/dist/kernel-entry.js

@@ -22,6 +22,7 @@ const KNOWN_BOUND_KEYS = new Set([
     'clearInterval',
     'polars',
     'DuckDB',
+    'XLSX',
     'dateFns',
     'lodash',
     'zod',

package/packages/coworker-scratchpad/src/child-process-runtime.test.ts

@@ -160,13 +160,20 @@ describe('data-lib bindings inside a live kernel', () => {
     await rm(ws, { recursive: true, force: true });
   });
 
-  it('polars / lodash / zod / date-fns / axios / DuckDB are bound', async () => {
+  it('polars / lodash / zod / date-fns / XLSX / axios / DuckDB are bound', async () => {
     rt = new ChildProcessRuntime({ workspace: ws, inactivityTimeoutMs: 20_000, cellTimeoutMs: 20_000 });
     await rt.start();
     assert.equal((await rt.runCell('return polars.DataFrame({ a: [1, 2, 3] }).height;')).value, 3);
     assert.equal((await rt.runCell('return lodash.chunk([1, 2, 3, 4], 2).length;')).value, 2);
     assert.equal((await rt.runCell('return zod.string().parse("hi");')).value, 'hi');
     assert.equal((await rt.runCell('return dateFns.format(new Date(1970, 0, 1), "yyyy");')).value, '1970');
+    assert.equal((await rt.runCell(
+      'const wb = XLSX.utils.book_new();' +
+      'const ws = XLSX.utils.aoa_to_sheet([[1,2,3]]);' +
+      'XLSX.utils.book_append_sheet(wb, ws, "s");' +
+      'const buf = XLSX.write(wb, {type:"buffer", bookType:"xlsx"});' +
+      'return buf.byteLength > 0;'
+    )).value, true);
     assert.equal((await rt.runCell('return typeof axios.get;')).value, 'function');
     assert.equal((await rt.runCell('return typeof DuckDB.DuckDBInstance;')).value, 'function');
   });

package/packages/coworker-scratchpad/src/kernel-bindings.test.ts

@@ -9,9 +9,9 @@ import { buildDataLibBindings, redactForJournal } from './kernel-bindings.js';
 import { ChildProcessRuntime } from './child-process-runtime.js';
 
 describe('kernel-bindings', () => {
-  it('exposes all six pre-bound data libraries', () => {
+  it('exposes all seven pre-bound data libraries', () => {
     const b = buildDataLibBindings();
-    for (const key of ['polars', 'DuckDB', 'dateFns', 'lodash', 'zod', 'axios']) {
+    for (const key of ['polars', 'DuckDB', 'XLSX', 'dateFns', 'lodash', 'zod', 'axios']) {
       assert.ok(key in b, `missing binding: ${key}`);
       assert.notEqual(b[key], undefined, `binding is undefined: ${key}`);
     }
@@ -24,6 +24,7 @@ describe('kernel-bindings', () => {
     assert.equal(typeof b.dateFns.format, 'function');
     assert.equal(typeof b.lodash.chunk, 'function');
     assert.equal(typeof b.axios.get, 'function');
+    assert.equal(typeof b.XLSX.utils.book_new, 'function');
   });
 });
 

package/packages/coworker-scratchpad/src/kernel-bindings.ts

@@ -1,4 +1,5 @@
 import pl from 'nodejs-polars';
+import XLSX from 'xlsx';
 import lodash from 'lodash';
 import axios from 'axios';
 import { z } from 'zod';
@@ -11,15 +12,14 @@ import { SecretScanner, type AuditLog, type AuditRecord } from '@otto/coworker-u
  * The data libraries pre-bound into every scratchpad cell's vm sandbox.
  * DuckDB is bound as an in-memory-capable lib here; on-disk kernel.db wiring is 1d2.
  *
- * Note: ExcelJS was removed in 1.2.6 — its transitive deps (glob@7, inflight,
- * rimraf@2, fstream, lodash.isequal) are deprecated with known vulnerabilities
- * and exceljs is no longer maintained upstream. xlsx-populate is the candidate
- * replacement; tracked in docs/superpowers/notes/2026-06-01-coworker-roadmap.md.
+ * XLSX is SheetJS Community Edition (vendored — see vendor/README.md for the
+ * CE → Pro swap procedure).
  */
 export function buildDataLibBindings(): Record<string, unknown> {
   return {
     polars: pl,
     DuckDB,
+    XLSX,
     dateFns,
     lodash,
     zod: z,

package/packages/coworker-scratchpad/src/kernel-entry.ts

@@ -38,6 +38,7 @@ const KNOWN_BOUND_KEYS = new Set([
   'clearInterval',
   'polars',
   'DuckDB',
+  'XLSX',
   'dateFns',
   'lodash',
   'zod',

package/packages/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto-build/daemon",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "OTTO daemon — background process for project monitoring and Discord integration",
   "license": "MIT",
   "repository": {
@@ -29,8 +29,8 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.52.0",
-    "@otto-build/contracts": "^1.2.6",
-    "@otto-build/rpc-client": "^1.2.6",
+    "@otto-build/contracts": "^1.3.1",
+    "@otto-build/rpc-client": "^1.3.1",
     "discord.js": "^14.25.1",
     "yaml": "^2.8.0",
     "zod": "^3.24.0"

package/packages/mcp-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto-build/mcp-server",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "MCP server exposing OTTO orchestration tools for compatible clients",
   "license": "MIT",
   "otto": {
@@ -34,8 +34,8 @@
     "test": "npm run build:test && node --test dist/mcp-server.test.js dist/remote-questions.test.js"
   },
   "dependencies": {
-    "@otto-build/contracts": "^1.2.6",
-    "@otto-build/rpc-client": "^1.2.6",
+    "@otto-build/contracts": "^1.3.1",
+    "@otto-build/rpc-client": "^1.3.1",
     "@modelcontextprotocol/sdk": "^1.27.1",
     "zod": "^4.0.0"
   },

package/packages/native/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto/native",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Native Rust bindings for OTTO — high-performance native modules via N-API",
   "type": "commonjs",
   "otto": {

package/packages/pi-agent-core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto/pi-agent-core",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "General-purpose agent core (vendored from pi-mono)",
   "type": "module",
   "otto": {

package/packages/pi-ai/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto/pi-ai",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Unified LLM API (vendored from pi-mono)",
   "type": "module",
   "otto": {

package/packages/pi-coding-agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto/pi-coding-agent",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Coding agent CLI (vendored from pi-mono)",
   "type": "module",
   "otto": {
@@ -28,7 +28,7 @@
     "copy-assets": "node scripts/copy-assets.cjs"
   },
   "dependencies": {
-    "@otto-build/contracts": "^1.2.6",
+    "@otto-build/contracts": "^1.3.1",
     "@mariozechner/jiti": "^2.6.2",
     "@silvia-odwyer/photon-node": "^0.3.4",
     "chalk": "^5.5.0",

package/packages/pi-tui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto/pi-tui",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Terminal User Interface library (vendored from pi-mono)",
   "type": "module",
   "otto": {

package/packages/rpc-client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@otto-build/rpc-client",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "description": "Standalone RPC client SDK for OTTO — zero internal dependencies",
   "license": "MIT",
   "otto": {
@@ -34,7 +34,7 @@
     "test": "node --test dist/rpc-client.test.js"
   },
   "dependencies": {
-    "@otto-build/contracts": "^1.2.6"
+    "@otto-build/contracts": "^1.3.1"
   },
   "engines": {
     "node": ">=22.0.0"

package/pkg/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@loop24/client",
-  "version": "1.2.6",
+  "version": "1.3.1",
   "piConfig": {
     "_comment": "AUTO-SYNCED from root package.json by scripts/sync-piconfig.mjs (runs on prebuild). Do not edit this block directly — edit root package.json and re-run `npm run build` or `npm run sync-piconfig`.",
     "name": "otto",

package/src/resources/extensions/coworker-scratchpad/scratchpad-tool.ts

@@ -90,18 +90,18 @@ export function registerScratchpadTool(pi: ExtensionAPI, deps: ScratchpadToolDep
     name: 'cw_scratchpad',
     label: 'Co-worker scratchpad',
     description:
-      'USE FOR: loading or analyzing files (CSV, JSON, Parquet), tabular data manipulation with polars or DuckDB, multi-step data exploration where state should persist across turns, or anything that calls otto.collectors. ' +
+      'USE FOR: loading or analyzing files (CSV, JSON, Parquet, XLSX), tabular data manipulation with polars or DuckDB, multi-step data exploration where state should persist across turns, or anything that calls otto.collectors. ' +
       'DO NOT USE FOR: simple arithmetic, lookups answerable from reasoning alone, pure prose, code review, or one-off calculations with no file or data source involved. ' +
       'IF the user explicitly names this tool ("use cw_scratchpad", "run this in the scratchpad", "exec a cell"), use it regardless of the rules above. ' +
       'IF UNSURE whether a request belongs here, ASK the user once: "Do you want me to run this in cw_scratchpad so you can inspect the cells via /sp view, or answer inline?" Wait for their reply before deciding. ' +
       'Runs TypeScript cells in a persistent JS kernel scoped to a named scratchpad. State persists across cells via globalThis.* and across Otto sessions via on-disk kernel.db + namespace.json. ' +
-      'Pre-bound libs in every cell: polars, DuckDB, dateFns, lodash, zod, axios. otto.collectors.{list,open} enumerates and loads data sources. ' +
+      'Pre-bound libs in every cell: polars, DuckDB, XLSX, dateFns, lodash, zod, axios. otto.collectors.{list,open} enumerates and loads data sources. ' +
       'Actions: exec (run a TypeScript cell), view (return the last N cells). ' +
       'Distinct from the analyst extension\'s SQL-only `scratchpad` tool — this one runs arbitrary TypeScript.',
     promptSnippet:
-      'cw_scratchpad — run TypeScript cells in a persistent JS kernel. USE for files (CSV/JSON/Parquet), polars/DuckDB analysis, otto.collectors, or multi-step data work. NOT for arithmetic or pure prose. If unsure, ASK the user first.',
+      'cw_scratchpad — run TypeScript cells in a persistent JS kernel. USE for files (CSV/JSON/Parquet/XLSX), polars/DuckDB analysis, otto.collectors, or multi-step data work. NOT for arithmetic or pure prose. If unsure, ASK the user first.',
     promptGuidelines: [
-      'Trigger criteria: the request involves loading a file (CSV/JSON/Parquet/etc.), querying tabular data via polars or DuckDB, calling otto.collectors, or building state that must survive across turns.',
+      'Trigger criteria: the request involves loading a file (CSV/JSON/Parquet/XLSX/etc.), querying tabular data via polars or DuckDB, calling otto.collectors, or building state that must survive across turns.',
       'Skip the tool for: trivial arithmetic, lookups you can answer from reasoning, prose generation, code review, and pure-explanation tasks.',
       'If the user names the tool explicitly (e.g. "use cw_scratchpad", "in the scratchpad", "exec a cell"), always honor that request and skip the unsure-prompt.',
       'IF UNSURE whether a request fits the trigger criteria, ask the user once before deciding: "Do you want me to run this in cw_scratchpad (you can inspect the cells via /sp view) or answer inline?" Wait for the user\'s reply before either calling the tool or answering inline.',
@@ -109,7 +109,7 @@ export function registerScratchpadTool(pi: ExtensionAPI, deps: ScratchpadToolDep
       'The cell body is wrapped in (async () => { ... })(). let/const/var are local to the cell. To persist, assign to globalThis.foo = ...',
       'For DuckDB tables that survive across Otto sessions, use `await otto.duckdb.connect()`. For ephemeral in-memory, use `DuckDB.DuckDBInstance.create(":memory:")`.',
       'For polars→DuckDB: prefer `otto.duckdb.registerDf(name, df)` over manual API discovery. If inference picks the wrong column type, pass `{ schema: { col: \'TYPE\' } }` as the third argument. Falls back to polars\' own SQL (`df.sql(...)`) for one-off aggregations.',
-      'Pre-bound libs available in every cell: polars, DuckDB, dateFns, lodash, zod, axios. No imports needed.',
+      'Pre-bound libs available in every cell: polars, DuckDB, XLSX, dateFns, lodash, zod, axios. No imports needed.',
       'Use otto.collectors.list() to discover data sources and otto.collectors.open(uri) to load one.',
       'The `name` parameter defaults to the currently attached scratchpad. Omit it unless you want to operate on a different one (this does NOT switch the user attachment).',
       'A returned string that looks markdown-shaped will appear in the response as text/markdown automatically. Return a markdown table or heading to render it.',

package/src/resources/extensions/otto/commands/release-notes/_data.ts

@@ -33,13 +33,29 @@ export interface ReleaseNotesManifest {
 
 export const RELEASE_NOTES_MANIFEST: ReleaseNotesManifest = {
 	truncated: false,
-	total: 15,
+	total: 17,
 	oldestBundled: '1.0.0',
-	newestBundled: '1.2.6',
+	newestBundled: '1.3.1',
 	historyUrl: 'https://github.com/cmetech/otto-cli/blob/main/CHANGELOG.md',
 };
 
 export const RELEASE_NOTES: ReleaseNote[] = [
+	{
+		version: '1.3.1',
+		date: '2026-06-04',
+		headline: 'Windows-install hotfix on top of 1.3.0: the vendored xlsx tarball now ships pre-extracted via `bundleDependencies`, working around an npm bug that prevented `file:` deps in published global packages from resolving on Windows.',
+		fixed: [
+			'**`npm i -g @cmetech/otto@1.3.0` failed on Windows** with `npm warn tarball … seems to be corrupted` followed by `ENOENT … \\vendor\\xlsx-0.20.3.tgz`. Root cause: npm\'s `file:` protocol resolution for deps inside a globally-installed published package is broken on Windows — the inner tarball never gets read even though it ships correctly inside the outer `@cmetech/otto` tarball (byte-identical SHA-256 verified). Switched from `file:`-based vendoring to `bundleDependencies: ["xlsx"]`, which ships the pre-extracted `node_modules/xlsx/` directory (26 files) directly inside the published `@cmetech/otto` tarball. End-user installs no longer go through the `file:` resolver — npm sees `xlsx` already populated in `node_modules` and skips dep resolution entirely. The `file:vendor/xlsx-0.20.3.tgz` dep spec is preserved so local dev installs still work; the SHA-drift guard test and prepublish verifier are unchanged. SheetJS is pure JavaScript (`os: any`, `cpu: any`, no native bindings) so one bundled copy works on Windows / Linux / macOS.',
+		],
+	},
+	{
+		version: '1.3.0',
+		date: '2026-06-03',
+		headline: 'Restores xlsx capability in scratchpad cells via SheetJS Community Edition, replacing the 1.2.6 removal of `exceljs`. Vendored install means `npm i -g @cmetech/otto` remains a single command with no outbound CDN reach.',
+		added: [
+			'**SheetJS Community Edition (`XLSX`) bound in scratchpad cells.** Restores the xlsx read/write capability dropped in 1.2.6 with the removal of `exceljs`. The SheetJS CE tarball is vendored at `vendor/xlsx-0.20.3.tgz` (SHA-256 verified at prepublish by `scripts/verify-vendored-xlsx.mjs` and at unit-test time by `src/tests/vendor-xlsx.test.ts`), so there is no outbound CDN reach at install time — `npm i -g @cmetech/otto` remains the single command for compliance/air-gapped environments. Cells now write `const wb = XLSX.utils.book_new(); …` (SheetJS canonical API; ExcelJS-style `new Workbook()` calls from pre-1.2.6 cells continue to ReferenceError). CE → Pro upgrade path is documented in `vendor/README.md`: drop a Pro tarball, swap the `file:` reference, regenerate the lockfile — no code change required; the `XLSX` binding name stays.',
+		],
+	},
 	{
 		version: '1.2.6',
 		date: '2026-06-03',

package/vendor/README.md

@@ -0,0 +1,68 @@
+# Vendored dependencies
+
+This directory holds vendored npm package tarballs that are bundled inside the
+published `@cmetech/otto` package. They are referenced from root `package.json`
+via `"file:vendor/<name>.tgz"` deps. End users never reach the upstream CDN
+during `npm i -g @cmetech/otto` — the tarball ships inside the OTTO tarball.
+
+## Files
+
+| File | Purpose |
+|---|---|
+| `xlsx-0.20.3.tgz` | SheetJS Community Edition 0.20.3 (binding name `XLSX` in scratchpad cells). Source: <https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz>. |
+| `xlsx-0.20.3.tgz.sha256` | Recorded SHA-256 of the file above. Verified at `prepublishOnly` and by `src/tests/vendor-xlsx.test.ts`. |
+| `README.md` | This file. |
+
+## Refresh procedure (new CE version)
+
+1. Download the new tarball:
+   ```bash
+   curl -sL "https://cdn.sheetjs.com/xlsx-X.Y.Z/xlsx-X.Y.Z.tgz" -o vendor/xlsx-X.Y.Z.tgz
+   ```
+2. Compute and record the SHA-256:
+   ```bash
+   shasum -a 256 vendor/xlsx-X.Y.Z.tgz | awk '{print $1 "  xlsx-X.Y.Z.tgz"}' > vendor/xlsx-X.Y.Z.tgz.sha256
+   ```
+3. Update root `package.json`:
+   - `dependencies.xlsx` → `"file:vendor/xlsx-X.Y.Z.tgz"`.
+4. Update `scripts/verify-vendored-xlsx.mjs`: change the `TARBALL_BASENAME` constant to `xlsx-X.Y.Z.tgz`.
+5. Update `src/tests/vendor-xlsx.test.ts`: change the `TARBALL_BASENAME` constant.
+6. Regenerate the lockfile:
+   ```bash
+   npm install --package-lock-only --ignore-scripts
+   ```
+7. Run the verification:
+   ```bash
+   npm run verify:vendored-xlsx
+   ```
+8. Remove the previous tarball + SHA file from `vendor/`.
+9. Commit.
+
+## CE → Pro upgrade procedure
+
+SheetJS Pro is distributed as a separate tarball (`xlsxPro-X.Y.Z.tgz`) and
+requires a license token at download time. The runtime API is identical to CE —
+no code change is needed; only the vendored file and its references move.
+
+1. Obtain the Pro tarball from SheetJS (purchase + tarball URL with embedded
+   license token). Download to `vendor/xlsxPro-X.Y.Z.tgz`.
+2. Compute and record the SHA-256:
+   ```bash
+   shasum -a 256 vendor/xlsxPro-X.Y.Z.tgz | awk '{print $1 "  xlsxPro-X.Y.Z.tgz"}' > vendor/xlsxPro-X.Y.Z.tgz.sha256
+   ```
+3. Update root `package.json`:
+   - `dependencies.xlsx` → `"file:vendor/xlsxPro-X.Y.Z.tgz"`.
+4. Update `scripts/verify-vendored-xlsx.mjs`: change `TARBALL_BASENAME` to
+   `xlsxPro-X.Y.Z.tgz`.
+5. Update `src/tests/vendor-xlsx.test.ts`: change `TARBALL_BASENAME`.
+6. Regenerate the lockfile:
+   ```bash
+   npm install --package-lock-only --ignore-scripts
+   ```
+7. Optionally remove `vendor/xlsx-*.tgz` (the previous CE tarball) once confident
+   in the swap.
+8. Commit. Tag a release. Publish.
+
+The `XLSX` binding name does **not** change. No edits to `kernel-bindings.ts`,
+`kernel-entry.ts`, the cell sandbox, prompts, or tests other than the basename
+constants.

package/vendor/xlsx-0.20.3.tgz.sha256

@@ -0,0 +1 @@
+8dc73fc3b00203e72d176e85b50938627c7b086e607c682e8d3c22c02bb99fe8  xlsx-0.20.3.tgz