@kungfu-tech/buildchain 2.2.1-alpha.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,282 +1,186 @@
1
- # Kungfu Buildchain
1
+ # Buildchain
2
2
 
3
- Kungfu Buildchain is the v2 source of truth for Kungfu reusable GitHub
4
- workflows, the minimal Buildchain-native GitHub Actions surface, and release-line
5
- automation.
3
+ Buildchain Release Passport is a mature product release record for artifacts
4
+ that users or agents depend on.
6
5
 
7
- The repository does more than collect workflow files. Its main job is to make a
8
- Kungfu release auditable and repeatable: a protected branch merge should produce
9
- the right version commit, exact release tag, floating channel tag, and next
10
- alpha line without a maintainer hand-moving refs or repairing package metadata
11
- after the fact.
6
+ Buildchain by Kungfu uses GitHub as the execution and trust substrate: protected
7
+ refs, reviewed promotion PRs, exact tags, GitHub Releases, npm Trusted
8
+ Publishing, and machine-readable evidence. Its job is to turn release intent
9
+ into an auditable product record, not to ask a repository to migrate away from
10
+ its existing CI.
12
11
 
13
- ## Why This Exists
12
+ The same mechanism releases Buildchain itself.
14
13
 
15
- Kungfu release automation has to solve a few problems at the same time:
14
+ ## Install and Verify
16
15
 
17
- - consumers need stable refs such as `v2`, `v2.0`, and `v2.0-alpha`;
18
- - maintainers need exact immutable refs such as `v2.0.2` and
19
- `v2.0.3-alpha.0` for audit and rollback;
20
- - package manifests must record the same version that the release tag
21
- advertises;
22
- - alpha and release promotion must follow reviewed PRs, not local scripts or
23
- manually edited tags;
24
- - the release toolchain itself must be released by the same governance model
25
- that it applies to product repositories.
16
+ For standalone use, install a platform archive from a GitHub Release and verify
17
+ the release passport before trusting the binary:
26
18
 
27
- The older ABV model solved this by treating a GitHub release PR as the release
28
- intent. Buildchain v2 keeps that semantic contract, but implements it inside a
29
- modern monorepo with Node 24 actions, pnpm, tsup bundles, committed `dist`
30
- outputs, reusable workflow tests, package-manager adapters, and a TOML lifecycle
31
- protocol for non-Node projects.
19
+ ```bash
20
+ # Example for Linux x64. Use the archive that matches your platform.
21
+ curl -LO https://github.com/kungfu-systems/buildchain/releases/download/v2.2.1/buildchain-x86_64-unknown-linux-gnu.tar.gz
22
+ curl -LO https://github.com/kungfu-systems/buildchain/releases/download/v2.2.1/buildchain.release.json
23
+ curl -LO https://github.com/kungfu-systems/buildchain/releases/download/v2.2.1/artifact-evidence.json
24
+ npx @kungfu-tech/buildchain verify release-passport buildchain.release.json
25
+ tar -xzf buildchain-x86_64-unknown-linux-gnu.tar.gz
26
+ ./buildchain version
27
+ ```
32
28
 
33
- ## Mental Model
29
+ Release pages publish platform archives, checksums, release passport files, and
30
+ a single evidence bundle:
31
+
32
+ - `buildchain-x86_64-unknown-linux-gnu.tar.gz`
33
+ - `buildchain-aarch64-apple-darwin.tar.gz`
34
+ - `buildchain-x86_64-pc-windows-msvc.zip`
35
+ - `checksums.txt`
36
+ - `buildchain.release.json`
37
+ - `artifact-evidence.json`
38
+ - `product-mechanism.json`
39
+ - `impact.json`
40
+ - `agent-index.json`
41
+ - `check-report.json`
42
+ - `llms.txt`
43
+ - `buildchain-release-bundle.tar.gz`
44
+ - `buildchain-release-bundle.json`
45
+
46
+ Loose top-level `buildchain` and `buildchain.exe` assets are intentionally not
47
+ published. The executable lives inside each platform archive, which prevents
48
+ Linux and macOS artifacts from overwriting each other in a merged release lane.
49
+
50
+ For npm consumers:
34
51
 
35
- Buildchain release automation is branch-driven:
52
+ ```bash
53
+ npm install -D @kungfu-tech/buildchain
54
+ npx buildchain version
55
+ npx buildchain doctor --json
56
+ ```
36
57
 
37
- | Merge path | Meaning | Exact tag | Floating tags and branches |
38
- | --------------------------------------- | ------------------------------------------------------ | ---------------- | ----------------------------------------------- |
39
- | `dev/vX/vX.Y -> alpha/vX/vX.Y` | publish the next testable alpha for a minor line | `vX.Y.Z-alpha.N` | `vX.Y-alpha`, `alpha/vX/vX.Y`, `dev/vX/vX.Y` |
40
- | `alpha/vX/vX.Y -> release/vX/vX.Y` | publish production for that minor line | `vX.Y.Z` | `vX.Y`, usually `vX`, `release/vX/vX.Y` |
41
- | `release/vX/vX.Y -> publish-gate/major` | publish the next major from a reviewed production line | `v(X+1).0.0` | `v(X+1)`, `v(X+1).0`, `release/v(X+1)/v(X+1).0` |
58
+ The npm package exposes the `buildchain` command and importable toolkit APIs:
42
59
 
43
- After a production release, Buildchain prepares the next alpha source commit for
44
- the same minor line and moves `dev/vX/vX.Y`, `alpha/vX/vX.Y`, and
45
- `vX.Y-alpha` to that next prerelease state. This is why a release can leave the
46
- production channel at `v2.0.2` while the test channel is already at
47
- `v2.0.3-alpha.0`.
48
-
49
- Kungfu treats minor lines as long-running product trains. `v2.0`, `v2.1`, and
50
- future minor refs can each receive many patch releases such as `v2.0.1234`.
51
- `v2` points at the selected stable major line, while `v2.0` points at the
52
- latest production patch for that minor line.
53
-
54
- Buildchain opens a new minor line when it adds a new compatible welded surface:
55
- a reusable workflow contract, public CLI command family, published package
56
- subpath, evidence protocol, or installable binary distribution shape. The local
57
- decision log lives in [`docs/versioning.md`](docs/versioning.md).
58
-
59
- `publish-gate/major` replaces the old ABV `main` channel. It is deliberately
60
- not named `main` because it is not the active development trunk. Maintainers use
61
- the same PR flow as other channel promotions: merging
62
- `release/v2/v2.0 -> publish-gate/major` means "publish the next major line from
63
- this production state." The promotion then creates the next major production
64
- version, for example `v3.0.0`, and prepares `dev/v3/v3.0` plus
65
- `alpha/v3/v3.0` at `v3.0.1-alpha.0`. The older `major-gate` branch name is only
66
- a compatibility alias during migration.
67
-
68
- Exact tags are always v-prefixed. Use `v2.0.0` and `v2.0.1-alpha.0`; bare tags
69
- such as `1.0.0` are not maintained as Buildchain release entrypoints.
70
-
71
- ## Repository Layout
72
-
73
- ```text
74
- .github/workflows/ Repository checks, reusable workflows, and release promotion
75
- actions/ GitHub Actions implementations, grouped by action
76
- fixtures/ Safe fixture repositories or fixture descriptors
77
- packages/ Shared libraries, added only when justified
78
- tests/ Inventory and contract data used by checks
79
- docs/ Governance, migration, architecture, and rollback notes
80
- scripts/ Local verification scripts
60
+ ```js
61
+ import { createBuildchainLogger } from "@kungfu-tech/buildchain/logging";
62
+ import { verifyReleasePassport } from "@kungfu-tech/buildchain/release-passport";
81
63
  ```
82
64
 
83
- ## Buildchain v2 Contract
84
-
85
- Buildchain v2 ships these active surfaces:
86
-
87
- - repository workflows under `.github/workflows`;
88
- - the public npm package `@kungfu-tech/buildchain` and `buildchain` CLI for
89
- initializing and validating new repositories;
90
- - the active reusable build workflow `.github/workflows/.build.yml`;
91
- - exactly three GitHub Actions under `actions/<name>`:
92
- `validate-config`, `run-lifecycle`, and `promote-buildchain-ref`;
93
- - action runtime on Node 24;
94
- - workspace package management with pnpm;
95
- - action bundling through tsup;
96
- - committed `dist/index.js` bundles for direct GitHub Actions consumption;
97
- - package-manager adapters for pnpm, npm, and yarn version-state updates;
98
- - `buildchain.toml` lifecycle configuration for custom version files and
99
- verification commands;
100
- - `project.type = "web-surface"` configuration for site and app repositories
101
- that need preview/staging/production deployment manifests and dry-run deploy
102
- plans without package-release version semantics;
103
- - opt-in anchored/manual version strategy for packages whose version is pinned
104
- to an explicit upstream release instead of derived from the Buildchain tag;
105
- - `actions/validate-config` migration preflight for TOML version-state and
106
- lifecycle declarations without running heavyweight builds;
107
- - `.github/workflows/.build.yml` as the reusable build surface for
108
- tri-platform runner presets, custom runner matrices, caller-provided lifecycle
109
- commands, trusted event gating, artifact name templates, expected artifact
110
- checks, optional digest-pinned Linux job containers, deterministic artifact
111
- manifests, publish-gate source locks, resolved release manifests, and
112
- aggregate build summaries;
113
- - `.github/workflows/.web-surface.yml` as the reusable site/app surface for PR
114
- preview plans and optional apply, closed-PR preview cleanup apply, push-main
115
- staging apply, and explicit production environment gates;
116
- - `actions/run-lifecycle` for callers that need the same lifecycle/manifest
117
- contract inside their own workflows;
118
- - governance-closed self-promotion through `Buildchain Ref Promotion`.
119
- - `v2.2` release passport and binary distribution contracts for GitHub Release
120
- assets, artifact evidence, impact ledgers, agent indexes, and standalone CLI
121
- archives.
122
-
123
- Stable consumers should reference actions as:
65
+ The package also ships `dist/site/` as the Buildchain-owned fact source for
66
+ `buildchain.libkungfu.dev`.
124
67
 
125
- ```yaml
126
- uses: kungfu-systems/buildchain/actions/<name>@v2
68
+ ## Use Buildchain
69
+
70
+ Bootstrap a repository:
71
+
72
+ ```bash
73
+ npx @kungfu-tech/buildchain init --type package --package-manager pnpm
74
+ npx @kungfu-tech/buildchain validate --require-version-state
75
+ npx @kungfu-tech/buildchain release --dry-run --target-ref alpha/v2/v2.2
127
76
  ```
128
77
 
129
- Documented reusable workflows should be referenced as:
78
+ Buildchain supports package and non-package projects through `buildchain.toml`.
79
+ Lifecycle commands can call pnpm, npm, yarn, pip, Conan, CMake, Make, custom
80
+ scripts, or any other command that can run in the repository checkout.
81
+
82
+ Buildchain's active GitHub Action surface is deliberately small:
83
+
84
+ - `actions/validate-config`
85
+ - `actions/run-lifecycle`
86
+ - `actions/promote-buildchain-ref`
87
+
88
+ The active reusable workflow surfaces are:
89
+
90
+ - `.github/workflows/.build.yml` for deterministic multi-platform build and
91
+ artifact contracts;
92
+ - `.github/workflows/.web-surface.yml` for preview, staging, production, and
93
+ cleanup plans for site/app repositories;
94
+ - `.github/workflows/buildchain-ref-promotion.yml` for protected release
95
+ promotion and version-state transactions;
96
+ - `.github/workflows/binary-distribution.yml` for Buildchain's own release
97
+ passport proof case.
98
+
99
+ Stable consumers should reference actions and workflows through floating major
100
+ refs after reviewing the exact release passport:
130
101
 
131
102
  ```yaml
132
- uses: kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2
103
+ uses: kungfu-systems/buildchain/actions/validate-config@v2
133
104
  ```
134
105
 
135
- Repositories can also bootstrap local integration through the CLI:
136
-
137
- ```bash
138
- npx @kungfu-tech/buildchain init --type package
139
- npx @kungfu-tech/buildchain validate --require-version-state
140
- npx @kungfu-tech/buildchain release --dry-run --target-ref alpha/v2/v2.0
141
- npx @kungfu-tech/buildchain npm dry-run --json
106
+ ```yaml
107
+ uses: kungfu-systems/buildchain/.github/workflows/.build.yml@v2
142
108
  ```
143
109
 
144
- Standalone `workflows` and `action-*` repositories are historical rollback
145
- anchors. Buildchain no longer ships migrated copies of legacy action
146
- repositories.
147
-
148
- Some hidden reusable workflow files from the old `workflows` repository still
149
- exist in this repository so they can be linted, audited, and made fail-closed
150
- while consumers migrate. They are not Buildchain-native release or publish
151
- surfaces unless this README or a dedicated document explicitly names them.
152
- Modern package, artifact, and publish integrations should use `.build.yml`,
153
- `buildchain.toml`, lifecycle commands, and publish transaction evidence instead
154
- of retired legacy action paths.
155
-
156
- ## Release Governance
157
-
158
- Buildchain promotes its own release refs through
159
- `.github/workflows/buildchain-ref-promotion.yml` and
160
- `actions/promote-buildchain-ref`.
161
-
162
- The important constraints are:
163
-
164
- - non-dry-run promotion is not available from manual dispatch;
165
- - promotion must be backed by a protected same-repository PR channel path;
166
- - protected channel details must be readable and must enforce protection for
167
- administrators;
168
- - alpha promotion must come from `dev/vX/vX.Y -> alpha/vX/vX.Y`;
169
- - release promotion must come from `alpha/vX/vX.Y -> release/vX/vX.Y`;
170
- - major promotion must come from `release/vX/vX.Y -> publish-gate/major`;
171
- - release promotion must match an existing same-patch alpha tag tree;
172
- - generated version-state commits must pass the configured verification command
173
- before refs move;
174
- - `BUILDCHAIN_PROMOTION_TOKEN` is the release authority used to move protected
175
- refs when repository policy requires it.
176
-
177
- Buildchain's top-level `Release - New Version` workflow is intentionally a
178
- no-op for this repository. Buildchain itself is promoted only by
179
- `Buildchain Ref Promotion` after `Verify` succeeds. The legacy hidden
180
- `.release-new-version.yml` file is not the modern publish surface; it remains a
181
- migration boundary for old consumers and must not be used for new Buildchain v2
182
- integrations.
183
-
184
- Buildchain's npm package is published by the same promotion transaction that
185
- creates exact v-prefixed release tags. Alpha releases such as
186
- `v2.0.13-alpha.0` publish to npm with dist-tag `alpha`; stable releases such as
187
- `v2.0.13` publish with dist-tag `latest`. Floating refs like `v2`, `v2.0`, and
188
- `v2.0-alpha` never publish npm packages. The old tag-push npm workflow is
189
- dry-run only; real npm publish happens before public release refs move, using
190
- the evidence contract in `lifecycle.publish`.
191
-
192
- For release-line planning, use the CLI dry-run:
110
+ ## Release Model
111
+
112
+ Buildchain treats a reviewed branch merge as release intent:
113
+
114
+ | Merge path | Meaning | Exact tag | Floating refs |
115
+ | --- | --- | --- | --- |
116
+ | `dev/vX/vX.Y -> alpha/vX/vX.Y` | publish the next testable alpha for a minor line | `vX.Y.Z-alpha.N` | `vX.Y-alpha`, `alpha/vX/vX.Y`, `dev/vX/vX.Y` |
117
+ | `alpha/vX/vX.Y -> release/vX/vX.Y` | publish production for that minor line | `vX.Y.Z` | `vX.Y`, usually `vX`, `release/vX/vX.Y` |
118
+ | `release/vX/vX.Y -> publish-gate/major` | publish the next major from a reviewed production line | `v(X+1).0.0` | `v(X+1)`, `v(X+1).0`, new dev/alpha/release branches |
119
+
120
+ Exact tags are immutable. Floating channel tags and branches are machine-updated
121
+ by Buildchain and must remain writable by the release authority.
122
+
123
+ After a production release, Buildchain prepares the next alpha source commit for
124
+ the same minor line. That keeps production consumers pinned to the production
125
+ passport while development can continue on the next testable patch.
126
+
127
+ `publish-gate/major` is not an active development trunk. It is a reviewed
128
+ promotion gate used when maintainers decide that the next production release
129
+ should open a new major line.
130
+
131
+ ## Toolkit Observability
132
+
133
+ Buildchain includes a logging toolkit for release and build steps:
193
134
 
194
135
  ```bash
195
- buildchain release --dry-run --target-ref release/v2/v2.0 --sha <verified-sha>
136
+ buildchain mark --event native.configure --phase configure --component cmake
137
+ buildchain span --event native.build --phase build -- cmake --build build
138
+ buildchain log summary --json
139
+ buildchain verify observability-log .buildchain/logs/events.jsonl --min-events 4
196
140
  ```
197
141
 
198
- This prints the branch/tag/version-state/governance plan that a channel merge
199
- would trigger. It is intentionally separate from `buildchain npm dry-run`, which
200
- only checks package publish shape.
201
-
202
- ## Documentation
203
-
204
- - [Documentation map](docs/MAP.md) routes common user, contributor, release,
205
- workflow, and security questions to the right document.
206
- - [Contributing guide](CONTRIBUTING.md) explains local development, commit
207
- rules, and pull request flow.
208
- - [Security policy](SECURITY.md) explains private vulnerability reporting.
209
- - [License policy](LICENSE-POLICY.md) explains Apache-2.0 and DCO contribution
210
- terms.
211
- - [Release governance](docs/release-governance.md) explains the design problem,
212
- old ABV compatibility, hard constraints, and operational guarantees.
213
- - [Release flow diagrams](docs/release-flow.md) gives the branch/tag state
214
- machine and Mermaid diagrams.
215
- - [Migration inventory](docs/migration-inventory.md) lists migrated and retired
216
- action repositories.
217
- - [Ownership rules](docs/ownership.md) defines source-of-truth and rollback
218
- boundaries.
219
- - [promote-buildchain-ref](actions/promote-buildchain-ref/README.md) documents
220
- the internal promotion action.
221
- - [Lifecycle protocol](docs/lifecycle-protocol.md) documents `buildchain.toml`
222
- for custom version-state files and lifecycle commands.
223
- - [Reusable build surface](docs/reusable-build-surface.md) documents the build
224
- workflow, local runner matrix, artifact contract, and libnode-shaped fixture.
225
- - [Web-surface deployments](docs/web-surface-deployments.md) documents the
226
- preview/staging/production channel ontology, deployment manifest, adapter
227
- contract, and dry-run cleanup/deploy plans.
228
- - [Buildchain CLI and npm package](docs/cli.md) documents the npm package,
229
- command-line entrypoint, repository bootstrap flow, and release-only publish
230
- gate.
142
+ Every event records a timestamp. `span` records duration. The API form can be
143
+ imported from repository scripts so heavy builds can mark phases from inside
144
+ their own code.
145
+
146
+ ## Site Fact Source
147
+
148
+ `@kungfu-tech/buildchain` publishes `dist/site/`:
149
+
150
+ - `buildchain-site.json`
151
+ - `site-manifest.json`
152
+ - `cli-registry.json`
153
+ - `workflow-registry.json`
154
+ - `release-model.json`
155
+ - `artifact-schemas.json`
156
+ - `product-mechanism.json`
157
+ - `release-provenance.json`
158
+ - `agent-index.json`
159
+
160
+ `buildchain.libkungfu.dev` should render from these package-owned facts, then
161
+ layer presentation around them. The site should not hand-write Buildchain's
162
+ current release mechanics.
231
163
 
232
164
  ## Local Verification
233
165
 
234
166
  ```bash
235
167
  corepack enable pnpm
236
168
  pnpm install --frozen-lockfile
169
+ pnpm run generate:site
237
170
  pnpm run check
171
+ npm pack --dry-run --json --registry=https://registry.npmjs.org/
238
172
  ```
239
173
 
240
- `pnpm run check` validates inventory data, lints all root workflows including
241
- hidden reusable workflows, and rebuilds every action bundle.
242
-
243
- ## Lifecycle Configuration
244
-
245
- Projects can add `buildchain.toml` to declare release version state and
246
- lifecycle commands. Buildchain v2 supports TOML only. The promotion action uses
247
- configured version files to create source version commits, then runs
248
- `lifecycle.verify` before moving release refs. Repositories that publish
249
- external artifacts can also declare `lifecycle.publish`; with publish
250
- transactions enabled, Buildchain requires machine-readable evidence before exact
251
- release tags and floating channel refs move.
252
-
253
- Web-surface projects can also declare `project.type = "web-surface"` with
254
- preview, staging, and production channels. Those projects get deployment
255
- manifests and dry-run deploy/cleanup plans, but they are not forced into package
256
- version lines or anchored release semantics.
257
-
258
- ## Safety Defaults
259
-
260
- - Lab workflows are manual by default.
261
- - Publishing is disabled unless explicitly enabled by a production release
262
- workflow. Reusable builds expose `publish-channel`, `publish-allowed`, and
263
- `publish-reason` so callers can gate publish jobs on a reviewed channel ref
264
- instead of inferring publish eligibility from ad hoc branch checks.
265
- - Publish gate branches are resolved to a source SHA before checkout. Builds,
266
- verification, artifact manifests, and summaries use that locked SHA; publish
267
- jobs must re-check the branch tip before external side effects.
268
- - Publish transactions are keyed by repository, version, source SHA, and target
269
- ref rather than run id. Reruns may resume missing artifacts, accept matching
270
- existing artifacts, and fail closed on conflicting material until an explicit
271
- repair override is used.
272
- - Fork pull requests must not reach secrets or self-hosted runners.
273
- - Candidate refs are expected to come from `kungfu-systems/*`.
274
- - Self-hosted runner validation is available only through the manual
275
- `Self-hosted Runner Smoke` workflow.
276
-
277
174
  ## Read Next
278
175
 
176
+ - [Install and verify](docs/install.md)
279
177
  - [Documentation map](docs/MAP.md)
178
+ - [Product mechanism](docs/product-mechanism.md)
179
+ - [Release Passport and binary distribution](docs/release-passport.md)
180
+ - [Binary distribution details](docs/binary-distribution.md)
181
+ - [Toolkit observability](docs/toolkit-observability.md)
182
+ - [Site bundle contract](docs/site-bundle-contract.md)
280
183
  - [Lifecycle protocol](docs/lifecycle-protocol.md)
281
- - [Publish transaction](docs/publish-transaction.md)
282
184
  - [Reusable build surface](docs/reusable-build-surface.md)
185
+ - [Publish transaction](docs/publish-transaction.md)
186
+ - [Release governance](docs/release-governance.md)
@@ -0,0 +1,13 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kungfu-buildchain-site-agent-index",
4
+ "readOrder": [
5
+ "site-manifest.json",
6
+ "product-mechanism.json",
7
+ "release-model.json",
8
+ "cli-registry.json",
9
+ "workflow-registry.json",
10
+ "artifact-schemas.json"
11
+ ],
12
+ "instruction": "Use this bundle as the package-owned fact source for Buildchain pages. Do not infer current release mechanics from prose alone."
13
+ }
@@ -0,0 +1,26 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kungfu-buildchain-artifact-schema-index",
4
+ "releasePassport": [
5
+ "buildchain.release.json",
6
+ "artifact-evidence.json",
7
+ "product-mechanism.json",
8
+ "impact.json",
9
+ "agent-index.json",
10
+ "check-report.json",
11
+ "llms.txt",
12
+ "buildchain-release-bundle.json",
13
+ "buildchain-release-bundle.tar.gz"
14
+ ],
15
+ "site": [
16
+ "buildchain-site.json",
17
+ "site-manifest.json",
18
+ "cli-registry.json",
19
+ "workflow-registry.json",
20
+ "release-model.json",
21
+ "artifact-schemas.json",
22
+ "product-mechanism.json",
23
+ "release-provenance.json",
24
+ "agent-index.json"
25
+ ]
26
+ }
@@ -0,0 +1,150 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kungfu-buildchain-site-bundle",
4
+ "product": {
5
+ "name": "Buildchain",
6
+ "formalName": "Buildchain by Kungfu",
7
+ "category": "Buildchain Release Passport"
8
+ },
9
+ "package": {
10
+ "name": "@kungfu-tech/buildchain",
11
+ "versionSource": "package.json#version"
12
+ },
13
+ "sourceOfTruth": "npm package @kungfu-tech/buildchain/dist/site",
14
+ "humanFirst": true,
15
+ "agentFirst": true,
16
+ "entrypoints": [
17
+ "cli-registry.json",
18
+ "workflow-registry.json",
19
+ "release-model.json",
20
+ "artifact-schemas.json",
21
+ "product-mechanism.json",
22
+ "release-provenance.json",
23
+ "agent-index.json",
24
+ "site-manifest.json"
25
+ ],
26
+ "docs": [
27
+ {
28
+ "id": "install",
29
+ "title": "Install and verify Buildchain",
30
+ "path": "docs/install.md",
31
+ "plane": "use",
32
+ "exists": true
33
+ },
34
+ {
35
+ "id": "release-passport",
36
+ "title": "Release Passport protocol",
37
+ "path": "docs/release-passport.md",
38
+ "plane": "verify",
39
+ "exists": true
40
+ },
41
+ {
42
+ "id": "binary-distribution",
43
+ "title": "Binary distribution contract",
44
+ "path": "docs/binary-distribution.md",
45
+ "plane": "verify",
46
+ "exists": true
47
+ },
48
+ {
49
+ "id": "toolkit-observability",
50
+ "title": "Toolkit observability",
51
+ "path": "docs/toolkit-observability.md",
52
+ "plane": "use",
53
+ "exists": true
54
+ },
55
+ {
56
+ "id": "site-bundle-contract",
57
+ "title": "Site bundle contract",
58
+ "path": "docs/site-bundle-contract.md",
59
+ "plane": "use",
60
+ "exists": true
61
+ },
62
+ {
63
+ "id": "product-mechanism",
64
+ "title": "Product mechanism",
65
+ "path": "docs/product-mechanism.md",
66
+ "plane": "why",
67
+ "exists": true
68
+ },
69
+ {
70
+ "id": "cli",
71
+ "title": "CLI and npm package",
72
+ "path": "docs/cli.md",
73
+ "plane": "use",
74
+ "exists": true
75
+ },
76
+ {
77
+ "id": "lifecycle-protocol",
78
+ "title": "Lifecycle protocol",
79
+ "path": "docs/lifecycle-protocol.md",
80
+ "plane": "use",
81
+ "exists": true
82
+ },
83
+ {
84
+ "id": "reusable-build-surface",
85
+ "title": "Reusable build surface",
86
+ "path": "docs/reusable-build-surface.md",
87
+ "plane": "use",
88
+ "exists": true
89
+ },
90
+ {
91
+ "id": "publish-transaction",
92
+ "title": "Publish transaction",
93
+ "path": "docs/publish-transaction.md",
94
+ "plane": "verify",
95
+ "exists": true
96
+ },
97
+ {
98
+ "id": "release-governance",
99
+ "title": "Release governance",
100
+ "path": "docs/release-governance.md",
101
+ "plane": "why",
102
+ "exists": true
103
+ },
104
+ {
105
+ "id": "release-flow",
106
+ "title": "Release flow",
107
+ "path": "docs/release-flow.md",
108
+ "plane": "verify",
109
+ "exists": true
110
+ },
111
+ {
112
+ "id": "versioning",
113
+ "title": "Versioning",
114
+ "path": "docs/versioning.md",
115
+ "plane": "why",
116
+ "exists": true
117
+ },
118
+ {
119
+ "id": "web-surface-deployments",
120
+ "title": "Web surface deployments",
121
+ "path": "docs/web-surface-deployments.md",
122
+ "plane": "use",
123
+ "exists": true
124
+ }
125
+ ],
126
+ "releaseModel": {
127
+ "schemaVersion": 1,
128
+ "contract": "kungfu-buildchain-release-model",
129
+ "exactTags": "v-prefixed exact tags are immutable release records.",
130
+ "floatingTags": "vX, vX.Y, and vX.Y-alpha are channel pointers updated by Buildchain transactions.",
131
+ "channelBranches": [
132
+ "dev/vX/vX.Y",
133
+ "alpha/vX/vX.Y",
134
+ "release/vX/vX.Y",
135
+ "publish-gate/major"
136
+ ],
137
+ "releasePassport": {
138
+ "entrypoint": "buildchain.release.json",
139
+ "bundle": "buildchain-release-bundle.tar.gz",
140
+ "contract": "kungfu-buildchain-release-passport"
141
+ },
142
+ "npm": {
143
+ "package": "@kungfu-tech/buildchain",
144
+ "command": "./bin/buildchain.mjs",
145
+ "versionSource": "package.json#version",
146
+ "alphaDistTag": "alpha",
147
+ "stableDistTag": "latest"
148
+ }
149
+ }
150
+ }