@dk/hipp 0.1.22 → 0.1.23

package/README.md

@@ -44,10 +44,27 @@ stays clean, and your registry package is guaranteed to match your Git tag.
 ### Tag and Publish
 
 ```bash
+git commit -m "Release"
 git tag v1.0.0
+git push origin main --tags
 npx @dk/hipp
 ```
 
+The tag and commit **must be pushed to origin** before running HIPP. HIPP verifies the
+tag exists on the remote and that HEAD matches the upstream branch.
+
+Use `-y` to skip confirmation (for CI):
+
+```bash
+npx @dk/hipp --yes
+```
+
+Pass npm options via `--`:
+
+```bash
+npx @dk/hipp -- --access public --tag beta
+```
+
 HIPP will:
 
 1. **Key Generation**: Generate Ed25519 signing keys if needed (`hipp.priv`, `hipp.pub`)
@@ -115,7 +132,8 @@ The manifest contains:
   "name": "Jane Developer",
   "email": "jane@example.com",
   "npm": "10.2.4",
-  "node": "v20.11.0"
+  "node": "v20.11.0",
+  "hipp": "0.1.22"
 }
 ```
 
@@ -220,19 +238,20 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.22
+npx @dk/hipp verify @dk/hipp@0.1.23
 ```
 
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.22",
-  "revision": "384db1fb92cd1d5f0c72a32f12748c6b683996e0",
-  "hash": "afad3a4ee75bb430c416067e841dd127de3577c27cd89bbf4064e1da568e1aa1",
-  "signature": "2XhbwQWY5tp/7frdyRjh2ynyigjdu5fumebrfN1/eMvSSuSawNwekZctBs+CfsfBI61V1tu4plzOhRvgsw8AAw==",
+  "tag": "v0.1.23",
+  "revision": "5f94c47e1a6858a6e74ae10c0727cd481e22fb04",
+  "hash": "2945f93a1fb565f0806a4f924cfeb8509e5dd9714f814eaa22e763ac8d3d3935",
+  "signature": "KfyYgmbwMWesEXaTxRydY+9P96rjfCLU+H9B3bVmJ4to3oGsioYeVLDG2B4GYiJRRh49bSwh8MnRoHfpF/s8DA==",
   "name": "Dmytri Kleiner",
   "email": "dev@dmytri.to",
   "npm": "11.12.1",
-  "node": "v25.8.2"
+  "node": "v25.8.2",
+  "hipp": "0.0.0"
 }
 ```

package/hipp.js

@@ -483,7 +483,7 @@ async function runVerify(packageSpec) {
       fail(`❌ Manifest not found or invalid in README`);
     }
 
-    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer } = manifest;
+    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer, hipp: hippVer } = manifest;
 
     log.info(`🌿 Cloning git origin at tag ${tag}...`);
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
@@ -573,8 +573,12 @@ async function runVerify(packageSpec) {
       log.info(`📍 Publisher: ${name} <${email}>`);
       log.info(`📍 Origin: ${originUrl}`);
       log.info(`📍 Tag: ${tag}`);
-      if (npmVer && nodeVer) {
-        log.info(`ℹ️  npm: ${npmVer} | node: ${nodeVer}`);
+      if (npmVer || nodeVer || hippVer) {
+        const parts = [];
+        if (hippVer) parts.push(`hipp: ${hippVer}`);
+        if (npmVer) parts.push(`npm: ${npmVer}`);
+        if (nodeVer) parts.push(`node: ${nodeVer}`);
+        log.info(`ℹ️  ${parts.join(' | ')}`);
       }
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
@@ -677,6 +681,9 @@ async function run() {
     const revision = refInfo.head;
     const npmVersion = runCmd('npm', ['--version']).stdout.trim();
     const nodeVersion = process.version;
+    const hippPkgPath = path.join(path.dirname(process.argv[1]), 'package.json');
+    const hippPkg = JSON.parse(fs.readFileSync(hippPkgPath, 'utf8'));
+    const hippVersion = hippPkg.version;
     const originUrl = provenance.remoteUrl;
     const dataToSign = buildSignData(tarballHash, originUrl, rawTag, revision, name, email);
     const signature = signContent(dataToSign, privateKey);
@@ -691,6 +698,7 @@ async function run() {
       email: email,
       npm: npmVersion,
       node: nodeVersion,
+      hipp: hippVersion,
     };
 
     stagedReadme = stagedReadme.trimEnd() + '\n\n## Verify\n\n' +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.22",
+  "version": "0.1.23",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {