@easonwumac/computer-linker 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +25 -0
  2. package/README.md +16 -18
  3. package/docs/release-checklist.md +13 -12
  4. package/package.json +2 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,31 @@ All notable changes to Computer Linker will be documented in this file.
5
5
  This project follows a small pre-1.0 changelog: breaking contract changes are
6
6
  called out even when the package version is still `0.x`.
7
7
 
8
+ ## 0.1.9 - 2026-06-27
9
+
10
+ ### Added
11
+
12
+ - Added `npm run release -- --otp <code>` as the one-command local npm publish
13
+ path, wrapping publish, tag creation, registry verification, published CLI
14
+ smoke, and Git push.
15
+
16
+ ### Changed
17
+
18
+ - README, release checklist, and release wrapper help now recommend the
19
+ one-command release path while keeping check, dry-run, and lower-level
20
+ publish commands for diagnostics.
21
+
22
+ ## 0.1.8 - 2026-06-27
23
+
24
+ ### Changed
25
+
26
+ - Public release audit now scans tracked files, packed files, and Git history
27
+ for npm access-token shaped values before publishing.
28
+ - Public release audit now labels tracked, untracked, and packed-file findings
29
+ separately so release failures point at the right source.
30
+ - Release validation now locks the npm access-token audit rule and release
31
+ checklist wording so the public gate cannot silently regress.
32
+
8
33
  ## 0.1.7 - 2026-06-27
9
34
 
10
35
  ### Changed
package/README.md CHANGED
@@ -472,25 +472,23 @@ npm ci
472
472
  npm run product:check
473
473
  ```
474
474
 
475
- For npm publishing, use the local release wrapper instead of hand-running every
476
- step:
477
-
478
- ```bash
479
- npm run release:check
480
- npm run release:dry-run
481
- npm run release:publish -- --create-tag --push --otp <code>
475
+ For npm publishing, use the local release wrapper instead of hand-running every
476
+ step:
477
+
478
+ ```bash
479
+ npm run release -- --otp <code>
482
480
  ```
483
-
484
- `release:check` runs the local product/public package gates without publishing.
485
- `release:dry-run` runs `npm publish --dry-run` and creates a temporary local
486
- `v<package.version>` tag only for that dry-run when the tag is missing.
487
- `release:publish` requires a clean main/master worktree, a dated changelog
488
- heading, npm login, and a release tag. Pass `--create-tag` to create the tag
489
- on `HEAD`; pass `--push` only when you want the script to push `HEAD` and the
490
- release tag after a successful npm publish. After npm accepts the publish, the
491
- wrapper waits for registry metadata, verifies the npm dist-tag, and runs the
492
- published CLI from a clean temporary directory. Use `npm run release:verify` to
493
- repeat that post-publish check for the current `package.json` version.
481
+
482
+ `release` requires a clean main/master worktree, a dated changelog heading, and
483
+ npm login. It creates `v<package.version>` on `HEAD` when missing, runs npm's
484
+ publish guard, publishes, waits for registry metadata, verifies the npm
485
+ dist-tag, runs the published CLI from a clean temporary directory, then pushes
486
+ `HEAD` and the release tag. Use `npm run release:check` before the final commit
487
+ when you want a non-publishing gate, `npm run release:dry-run` for an npm
488
+ dry-run only, or `npm run release:publish -- --create-tag --push --otp <code>`
489
+ when debugging the lower-level publish wrapper directly. Use `npm run release:verify`
490
+ to repeat the post-publish check for the current `package.json`
491
+ version.
494
492
  On Windows, if `NODE_AUTH_TOKEN` is saved in the User environment but the
495
493
  current shell has not picked it up yet, the release wrapper loads it only into
496
494
  the current release process before running `npm whoami` or `npm publish`.
package/docs/release-checklist.md CHANGED
@@ -30,17 +30,15 @@ npm run public:check
30
30
 
31
31
  ## Local npm Release Automation
32
32
 
33
- Use the local wrapper when you are ready to publish from the current repository:
34
-
35
- ```bash
36
- npm run release:check
37
- npm run release:dry-run
38
- npm run release:publish -- --create-tag --push --otp <code>
33
+ Use the local wrapper when you are ready to publish from the current repository:
34
+
35
+ ```bash
36
+ npm run release -- --otp <code>
39
37
  ```
40
-
41
- `release:check` runs the local product and public package gates without
42
- publishing. It does not require a clean worktree, so it is useful before the
43
- final release commit.
38
+
39
+ `release:check` runs the local product and public package gates without
40
+ publishing. It does not require a clean worktree, so it is useful before the
41
+ final release commit.
44
42
 
45
43
  `release:dry-run` requires the release commit to be clean and on main/master.
46
44
  It runs `npm publish --dry-run`; if `v<package.version>` is missing, it creates
@@ -56,6 +54,10 @@ release tag automatically before publishing, `--otp <code>` for npm 2FA, and
56
54
  version metadata, verifies the configured npm dist-tag, and runs the published
57
55
  CLI from a clean temporary directory. `release:verify` repeats only that
58
56
  post-publish registry check for the current `package.json` version.
57
+ `release` is the productized one-command path for normal local publishing; it
58
+ uses the lower-level `release:publish` behavior with automatic tag creation and
59
+ push enabled. Use `npm run release:publish -- --create-tag --push --otp <code>`
60
+ only when debugging that lower-level publish wrapper directly.
59
61
  On Windows, a `NODE_AUTH_TOKEN` saved in the User environment is loaded into
60
62
  the release process automatically when the current shell has not inherited it.
61
63
 
@@ -132,8 +134,7 @@ so it reports both final blockers in one place before `public:mirror`.
132
134
 
133
135
  This adds the public-release audit: packed-file inspection, tracked and
134
136
  non-ignored untracked file secret-shape scanning, production `npm audit`,
135
- dependency license allowlist checks, third-party provenance marker scanning,
136
- retired product-name marker scanning, and a high-risk Git history secret scan.
137
+ dependency license allowlist checks, npm access-token scanning, third-party provenance marker scanning, retired product-name marker scanning, and a high-risk Git history secret scan.
137
138
 
138
139
  Before changing the current GitHub repository to public visibility while
139
140
  preserving its Git history, run the stricter one-command gate:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@easonwumac/computer-linker",
3
- "version": "0.1.7",
3
+ "version": "0.1.9",
4
4
  "description": "One computer, one permissioned MCP linker for local workspaces.",
5
5
  "type": "module",
6
6
  "main": "dist/client.js",
@@ -61,6 +61,7 @@
61
61
  "public:release-ready": "node scripts/alpha-readiness-report.mjs --accept-public-snapshot --require-evidence --require-dated-changelog",
62
62
  "public:repo-ready": "npm run product:check && npm run public:audit -- --strict-history",
63
63
  "public:snapshot": "node scripts/create-public-snapshot.mjs",
64
+ "release": "node scripts/release-npm.mjs --publish --create-tag --push",
64
65
  "release:check": "node scripts/release-npm.mjs --check",
65
66
  "release:dry-run": "node scripts/release-npm.mjs --dry-run",
66
67
  "release:publish": "node scripts/release-npm.mjs --publish",