@easonwumac/computer-linker 0.1.7 → 0.1.8

package/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to Computer Linker will be documented in this file.
 This project follows a small pre-1.0 changelog: breaking contract changes are
 called out even when the package version is still `0.x`.
 
+## 0.1.8 - 2026-06-27
+
+### Changed
+
+- Public release audit now scans tracked files, packed files, and Git history
+  for npm access-token shaped values before publishing.
+- Public release audit now labels tracked, untracked, and packed-file findings
+  separately so release failures point at the right source.
+- Release validation now locks the npm access-token audit rule and release
+  checklist wording so the public gate cannot silently regress.
+
 ## 0.1.7 - 2026-06-27
 
 ### Changed

package/docs/release-checklist.md

@@ -132,8 +132,7 @@ so it reports both final blockers in one place before `public:mirror`.
 
 This adds the public-release audit: packed-file inspection, tracked and
 non-ignored untracked file secret-shape scanning, production `npm audit`,
-dependency license allowlist checks, third-party provenance marker scanning,
-retired product-name marker scanning, and a high-risk Git history secret scan.
+dependency license allowlist checks, npm access-token scanning, third-party provenance marker scanning, retired product-name marker scanning, and a high-risk Git history secret scan.
 
 Before changing the current GitHub repository to public visibility while
 preserving its Git history, run the stricter one-command gate:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@easonwumac/computer-linker",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "One computer, one permissioned MCP linker for local workspaces.",
   "type": "module",
   "main": "dist/client.js",