@gianfrancopiana/openclaw-autoresearch 1.0.7 → 1.0.9

package/README.md

@@ -129,9 +129,10 @@ npm test
 npm run validate
 npm run release:verify
 npm run smoke:openclaw-host -- /absolute/path/to/openclaw
+npm run smoke:registry-openclaw-host -- <published-version> /absolute/path/to/openclaw
 ```
 
-Release instructions, including npm 2FA publishing, live in [`RELEASING.md`](RELEASING.md).
+Release instructions, including `npm run release:prepare -- <version> --host /absolute/path/to/openclaw` and GitHub Actions trusted publishing with npm provenance, live in [`RELEASING.md`](RELEASING.md).
 
 The local test shim supports typechecking and tests without a full OpenClaw host checkout. Runtime behavior depends on a real OpenClaw host, so run the host smoke against a current checkout before release.
 

package/RELEASING.md

@@ -2,45 +2,62 @@
 
 ## Prerequisites
 
-- npm access to `@gianfrancopiana`
-- either npm account 2FA enabled for publishing, or a granular access token with `Bypass 2FA` enabled
+- GitHub release access for `gianfrancopiana/openclaw-autoresearch`
+- npm trusted publishing configured for `@gianfrancopiana/openclaw-autoresearch`
+  - repository: `gianfrancopiana/openclaw-autoresearch`
+  - workflow: `.github/workflows/npm-publish.yml`
+  - environment: `npm`
+- fallback only: local npm publish access with 2FA or a granular publish token
 
 ## Release
 
-1. Update the package version in `package.json`, then sync generated metadata:
+1. Prepare the version bump from a clean branch:
 
    ```bash
-   npm run sync:release-metadata
+   npm run release:prepare -- <version> --host /absolute/path/to/openclaw
+   ```
+
+   This updates `package.json`, `openclaw.plugin.json`, and `package-lock.json`,
+   syncs generated metadata, checks the matching `v<version>` tag, runs
+   `release:verify`, and smoke-tests against the supplied OpenClaw checkout.
+
+   If you do not have a host checkout available, omit `--host` and run the host
+   smoke before publishing:
+
+   ```bash
+   npm run smoke:openclaw-host -- /absolute/path/to/openclaw
    ```
 
    If you change the minimum supported OpenClaw version, keep
    `openclaw.install`, `openclaw.compat`, and `openclaw.build` aligned too.
 
-2. Run the release checks:
+2. Open and merge a PR with the version and metadata changes.
+
+3. Create and publish the matching GitHub release/tag from `main`:
 
    ```bash
-   npm install
-   npm run release:verify
+   npm run release:check-tag -- v<version>
+   gh release create v<version> --target main --title v<version> --notes-file release-notes.md
    ```
 
-   CI runs the same release verification, so metadata drift should fail before
-   publish.
+   Publishing the GitHub release triggers `.github/workflows/npm-publish.yml`,
+   which publishes the package to npm with provenance through GitHub OIDC.
 
-3. Smoke-test against a current local OpenClaw checkout:
+4. Watch the publish workflow and verify npm:
 
    ```bash
-   npm run smoke:openclaw-host -- /absolute/path/to/openclaw
+   gh run list --workflow npm-publish.yml --limit 1
+   npm view @gianfrancopiana/openclaw-autoresearch version
+   npm view @gianfrancopiana/openclaw-autoresearch@<version> version
    ```
 
-4. Publish:
+5. Verify the published registry tarball against the same host:
 
    ```bash
-   npm publish --otp=123456
+   npm run smoke:registry-openclaw-host -- <published-version> /absolute/path/to/openclaw
    ```
 
-   Replace `123456` with the current code from your authenticator app.
-
-5. Verify install:
+6. Verify install:
 
    ```bash
    openclaw plugins install @gianfrancopiana/openclaw-autoresearch
@@ -52,9 +69,27 @@
    pnpm openclaw plugins install @gianfrancopiana/openclaw-autoresearch
    ```
 
-## Common failure
+## Local fallback
+
+Prefer the GitHub Actions trusted-publishing workflow. If it is unavailable,
+publish from a clean checkout only:
+
+```bash
+npm ci
+npm run release:verify
+npm publish --otp=123456
+```
+
+Replace `123456` with the current code from your authenticator app.
+
+## Common failures
+
+If the publish workflow fails because trusted publishing is not configured,
+add the npm trusted publisher for `.github/workflows/npm-publish.yml` and rerun
+the release workflow.
 
-If `npm publish` fails with `E403` and mentions 2FA or bypass tokens, the current auth on this machine is not sufficient to publish. Either:
+If local `npm publish` fails with `E403` and mentions 2FA or bypass tokens, the
+current auth on this machine is not sufficient to publish. Either:
 
 - re-run `npm publish --otp=<current-code>`
 - or switch to a granular npm token with publish rights and `Bypass 2FA` enabled

package/openclaw.plugin.json

@@ -13,7 +13,7 @@
       "autoresearch_status"
     ]
   },
-  "version": "1.0.7",
+  "version": "1.0.9",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gianfrancopiana/openclaw-autoresearch",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "Faithful OpenClaw port of pi-autoresearch.",
   "type": "module",
   "main": "./index.ts",
@@ -11,7 +11,11 @@
     "test": "vitest run",
     "validate": "npm run check:release-metadata && npm run typecheck && npm run test",
     "release:verify": "npm run validate && npm pack --dry-run",
-    "smoke:openclaw-host": "node ./scripts/smoke-openclaw-host.mjs"
+    "release:check-tag": "node ./scripts/check-release-tag.mjs",
+    "release:prepare": "node ./scripts/prepare-release.mjs",
+    "prepublishOnly": "npm run release:verify",
+    "smoke:openclaw-host": "node ./scripts/smoke-openclaw-host.mjs",
+    "smoke:registry-openclaw-host": "node ./scripts/smoke-openclaw-registry.mjs"
   },
   "keywords": [
     "openclaw",
@@ -50,7 +54,12 @@
     "@sinclair/typebox": "0.34.48"
   },
   "peerDependencies": {
-    "openclaw": "*"
+    "openclaw": ">=2026.4.25"
+  },
+  "peerDependenciesMeta": {
+    "openclaw": {
+      "optional": true
+    }
   },
   "publishConfig": {
     "access": "public"