@lumenflow/cli 5.0.3 → 5.2.0

package/dist/release.js

@@ -26,11 +26,11 @@
  * WU-1074: Add release command for npm publishing
  */
 import { Command } from 'commander';
-import { existsSync, lstatSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, unlinkSync, writeFileSync, } from 'node:fs';
+import { existsSync, lstatSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, unlinkSync, writeFileSync, } from 'node:fs';
 import { readFile, writeFile } from 'node:fs/promises';
-import { dirname, join } from 'node:path';
+import { dirname, isAbsolute, join } from 'node:path';
 import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
-import { homedir, tmpdir } from 'node:os';
+import { homedir } from 'node:os';
 import { execSync } from 'node:child_process';
 import { getGitForCwd } from '@lumenflow/core/git-adapter';
 import { die, createError, ErrorCodes } from '@lumenflow/core/error-handler';
@@ -38,6 +38,7 @@ import { ensureOnMain } from '@lumenflow/core/wu-helpers';
 import { REMOTES, FILE_SYSTEM, PKG_MANAGER } from '@lumenflow/core/wu-constants';
 import { withMicroWorktree } from '@lumenflow/core/micro-worktree';
 import { runCLI } from './cli-entry-point.js';
+import { cleanupTempDir, createTrackedTempDir } from './temp-dir-cleanup.js';
 /** Log prefix for console output */
 const LOG_PREFIX = '[release]';
 /** Directory containing @lumenflow packages */
@@ -150,6 +151,104 @@ export const RELEASE_WU_TOOL = 'release';
  * Used as the operation identifier when creating the micro-worktree.
  */
 export const RELEASE_OPERATION_NAME = 'release';
+/**
+ * WU-2854: Env var that overrides the release micro-worktree base directory.
+ *
+ * Mirrors the WU-2826/WU-2850 pattern exported by `lumenflow-upgrade.ts`.
+ * Operators can point the release worktree at a specific location (for
+ * example a tmpfs-backed scratch disk or a fast NVMe mount) when the
+ * default XDG cache target is inappropriate for their environment.
+ */
+export const RELEASE_WORKTREE_DIR_ENV = 'LUMENFLOW_RELEASE_WORKTREE_DIR';
+/**
+ * WU-2854: XDG Base Directory Specification env var. When set by the user
+ * we respect it as the cache root; otherwise we fall back to
+ * `${HOME}/.cache`. Kept lowercase in our own code for lint parity with
+ * `lumenflow-upgrade.ts`.
+ */
+const XDG_CACHE_HOME_ENV = 'XDG_CACHE_HOME';
+/**
+ * WU-2854: Sub-path under the cache root where per-version release
+ * worktrees live. The `${version}` leaf keeps concurrent releases — or a
+ * release retried after a crash — from clashing on the same directory
+ * while still being trivially inspectable on disk.
+ */
+const RELEASE_WORKTREE_CACHE_SUBDIR = 'lumenflow/release-worktree';
+/**
+ * WU-2854: Resolve the user cache root (XDG-compliant). When
+ * `XDG_CACHE_HOME` is set to an absolute non-empty path we use it
+ * verbatim; otherwise we default to `${HOME}/.cache`.
+ *
+ * Duplicated locally instead of imported from `lumenflow-upgrade.ts` to
+ * keep the release.ts blast radius narrow for WU-2854. A future refactor
+ * can extract a shared `xdg-cache-paths` module once a third consumer
+ * appears (tracking note: if `withMicroWorktree` itself moves off `/tmp`
+ * for *all* operations, consolidate there).
+ */
+export function resolveReleaseCacheHome() {
+    const xdg = process.env[XDG_CACHE_HOME_ENV];
+    const trimmed = typeof xdg === 'string' ? xdg.trim() : '';
+    if (trimmed.length > 0 && isAbsolute(trimmed)) {
+        return trimmed;
+    }
+    return join(homedir(), '.cache');
+}
+/**
+ * WU-2854: Resolve the micro-worktree base directory for `pnpm release`.
+ *
+ * Priority:
+ *   1. `LUMENFLOW_RELEASE_WORKTREE_DIR` env var (when set and non-empty)
+ *   2. `${XDG_CACHE_HOME:-${HOME}/.cache}/lumenflow/release-worktree/${version}/`
+ *
+ * The v5.1.0 cut hit `ERR_PNPM_ENOSPC` during `pnpm install
+ * --frozen-lockfile` inside `/tmp/release-*` on a host with tmpfs `/tmp`.
+ * `withMicroWorktree` creates its directory via `mkdtempSync(join(tmpdir(),
+ * ...))`, so routing `TMPDIR` at this path before the call is the
+ * least-invasive way to land the ~1000 dep install footprint on the
+ * user's home partition without touching `@lumenflow/core`.
+ *
+ * Ensures the directory exists so the downstream `mkdtempSync` call inside
+ * `withMicroWorktree` does not ENOENT on first run.
+ */
+export function resolveReleaseWorktreeDir(version) {
+    const override = process.env[RELEASE_WORKTREE_DIR_ENV];
+    const trimmed = typeof override === 'string' ? override.trim() : '';
+    const dir = trimmed.length > 0
+        ? isAbsolute(trimmed)
+            ? trimmed
+            : join(process.cwd(), trimmed)
+        : join(resolveReleaseCacheHome(), RELEASE_WORKTREE_CACHE_SUBDIR, version);
+    try {
+        mkdirSync(dir, { recursive: true });
+    }
+    catch {
+        // Best-effort — if we cannot create it, downstream will surface a
+        // clearer error. Returning the path keeps the helper deterministic.
+    }
+    return dir;
+}
+/**
+ * WU-2854: Remove the release worktree directory after a successful run.
+ *
+ * Release worktrees are strictly disposable (version bump + build + pack +
+ * publish — no state worth preserving across runs) so we always clean up
+ * on success. Failure branches intentionally retain the directory so the
+ * operator can inspect residue (partial `pnpm install`, failed publish
+ * logs, etc.) before the next attempt reclaims the space.
+ *
+ * Always best-effort: residual removal errors must never fail an
+ * otherwise successful release. Mirrors `cleanupUpgradeWorktreeDir` from
+ * `lumenflow-upgrade.ts` (WU-2850).
+ */
+export function cleanupReleaseWorktreeDir(dir) {
+    try {
+        rmSync(dir, { recursive: true, force: true });
+    }
+    catch {
+        // Intentional swallow — cleanup is an optimisation, not a correctness
+        // requirement. The next run will reuse/recreate the path.
+    }
+}
 /**
  * Build a micro-worktree ID from a release version (WU-2219)
  *
@@ -998,46 +1097,62 @@ const NPM_404_TOKEN = '404';
  * Throws via `die` on failure. Opt-in via `--verify-consumer-install`.
  */
 export function verifyConsumerInstall(packageJsonPaths, options = {}) {
-    const tarballDir = options.tarballDir ?? mkdtempSync(join(tmpdir(), 'lumenflow-release-tarballs-'));
-    const consumerDir = mkdtempSync(join(tmpdir(), 'lumenflow-release-consumer-'));
-    console.log(`${LOG_PREFIX} [${CONSUMER_INSTALL_LABEL}] Packing ${packageJsonPaths.length} packages into ${tarballDir}`);
-    const tarballs = [];
-    for (const packageJsonPath of packageJsonPaths) {
-        const manifest = readPackageManifest(packageJsonPath);
-        const packageName = manifest.name;
-        if (!packageName) {
-            continue;
-        }
-        const tarballPath = packWorkspacePackage(packageName, tarballDir, options.cwd);
-        tarballs.push({ packageName, tarballPath });
-    }
-    // Seed the consumer directory with a minimal package.json so `npm install`
-    // has somewhere to write node_modules.
-    writeFileSync(join(consumerDir, PACKAGE_JSON_FILENAME), JSON.stringify({ name: 'lumenflow-release-consumer-probe', private: true }));
-    const installArgs = tarballs.map((t) => t.tarballPath).join(' ');
-    const installCommand = `npm install --no-save --no-audit --no-fund ${installArgs}`;
-    let output = '';
+    // WU-2859: /tmp/lumenflow-* scratch dirs must be cleaned up on success
+    // AND failure. Previously these leaked on every release preflight and on
+    // every npm-install failure, filling tmpfs during parallel wu:prep waves.
+    const callerProvidedTarballDir = options.tarballDir !== undefined;
+    const tarballDir = callerProvidedTarballDir
+        ? options.tarballDir
+        : createTrackedTempDir('lumenflow-release-tarballs-');
+    const consumerDir = createTrackedTempDir('lumenflow-release-consumer-');
     try {
-        output = execSync(installCommand, {
-            cwd: consumerDir,
-            stdio: ['ignore', 'pipe', 'pipe'],
-            encoding: FILE_SYSTEM.ENCODING,
-        });
+        console.log(`${LOG_PREFIX} [${CONSUMER_INSTALL_LABEL}] Packing ${packageJsonPaths.length} packages into ${tarballDir}`);
+        const tarballs = [];
+        for (const packageJsonPath of packageJsonPaths) {
+            const manifest = readPackageManifest(packageJsonPath);
+            const packageName = manifest.name;
+            if (!packageName) {
+                continue;
+            }
+            const tarballPath = packWorkspacePackage(packageName, tarballDir, options.cwd);
+            tarballs.push({ packageName, tarballPath });
+        }
+        // Seed the consumer directory with a minimal package.json so `npm install`
+        // has somewhere to write node_modules.
+        writeFileSync(join(consumerDir, PACKAGE_JSON_FILENAME), JSON.stringify({ name: 'lumenflow-release-consumer-probe', private: true }));
+        const installArgs = tarballs.map((t) => t.tarballPath).join(' ');
+        const installCommand = `npm install --no-save --no-audit --no-fund ${installArgs}`;
+        let output = '';
+        try {
+            output = execSync(installCommand, {
+                cwd: consumerDir,
+                stdio: ['ignore', 'pipe', 'pipe'],
+                encoding: FILE_SYSTEM.ENCODING,
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            die(`${CONSUMER_INSTALL_FAILURE_HEADER}\n\n` +
+                `Scratch consumer dir: ${consumerDir}\n` +
+                `Tarball dir: ${tarballDir}\n\n` +
+                `${message}`);
+        }
+        if (output.includes(NPM_404_TOKEN)) {
+            die(`${CONSUMER_INSTALL_FAILURE_HEADER}\n\n` +
+                `Scratch consumer dir: ${consumerDir}\n` +
+                `Tarball dir: ${tarballDir}\n\n` +
+                `npm install printed a 404:\n${output}`);
+        }
+        console.log(`${LOG_PREFIX} ✅ [${CONSUMER_INSTALL_LABEL}] Consumer install succeeded for ${tarballs.length} packages`);
+    }
+    finally {
+        // Caller-provided tarball dirs are cleaned up by the caller; our contract
+        // is that any dir we created here is removed before returning.
+        if (!callerProvidedTarballDir) {
+            cleanupTempDir(tarballDir);
+        }
+        cleanupTempDir(consumerDir);
     }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        die(`${CONSUMER_INSTALL_FAILURE_HEADER}\n\n` +
-            `Scratch consumer dir: ${consumerDir}\n` +
-            `Tarball dir: ${tarballDir}\n\n` +
-            `${message}`);
-    }
-    if (output.includes(NPM_404_TOKEN)) {
-        die(`${CONSUMER_INSTALL_FAILURE_HEADER}\n\n` +
-            `Scratch consumer dir: ${consumerDir}\n` +
-            `Tarball dir: ${tarballDir}\n\n` +
-            `npm install printed a 404:\n${output}`);
-    }
-    console.log(`${LOG_PREFIX} ✅ [${CONSUMER_INSTALL_LABEL}] Consumer install succeeded for ${tarballs.length} packages`);
 }
 /**
  * Pack a workspace package into a tarball on disk and return the absolute path.
@@ -1241,115 +1356,147 @@ export async function executeReleaseInMicroWorktree(opts) {
     }
     // Exit changeset pre mode if active (read-only check, write to micro-worktree)
     const changesetPreActive = isInChangesetPreMode(mainCwd);
+    // WU-2854: Retarget the micro-worktree base dir off tmpfs /tmp (default on
+    // many Debian/Ubuntu cloud hosts) onto the user's home partition.
+    // `withMicroWorktree` resolves its worktree path via
+    // `mkdtempSync(join(tmpdir(), …))`, so setting TMPDIR for the duration of
+    // the call is the least-invasive way to steer the worktree location
+    // without modifying @lumenflow/core. The default target is the user's
+    // XDG cache (${XDG_CACHE_HOME:-$HOME/.cache}/lumenflow/release-worktree/
+    // <version>/). Consumers can override via LUMENFLOW_RELEASE_WORKTREE_DIR.
+    // Mirrors WU-2850 pattern used by lumenflow-upgrade.ts.
+    const releaseWorktreeDir = resolveReleaseWorktreeDir(version);
+    /* eslint-disable sonarjs/publicly-writable-directories -- WU-2854: target is user-owned XDG cache dir, not /tmp. */
+    const originalTmpdir = process.env.TMPDIR;
+    process.env.TMPDIR = releaseWorktreeDir;
+    let releaseTransactionSucceeded = false;
     // ── Micro-worktree: all writes happen here ──────────────────────────
-    await withReleaseEnv(async () => {
-        await withMicroWorktree({
-            operation: RELEASE_OPERATION_NAME,
-            id: buildReleaseWorktreeId(version),
-            logPrefix: LOG_PREFIX,
-            execute: async ({ worktreePath }) => {
-                // Resolve package paths relative to micro-worktree
-                const worktreePackagePaths = findPackageJsonPaths(worktreePath);
-                const worktreePackageDirs = worktreePackagePaths.map((path) => dirname(path));
-                // Exit changeset pre mode in micro-worktree if it was active on main
-                if (changesetPreActive) {
-                    console.log(`${LOG_PREFIX} Detected changeset pre-release mode, exiting...`);
-                    exitChangesetPreMode(worktreePath);
-                    console.log(`${LOG_PREFIX} ✅ Exited changeset pre mode`);
-                }
-                // Phase 1: Materialize dist symlinks and build
-                const distPreparation = ensureDistPathsMaterialized(worktreePackageDirs, {
-                    skipBuild,
-                    dryRun: false,
-                });
-                if (distPreparation.materializedCount > 0) {
-                    console.log(`${LOG_PREFIX} [${PRE_FLIGHT_LABEL}] Materialized ${distPreparation.materializedCount} symlinked dist directories`);
-                }
-                // WU-2221: Install deps in micro-worktree (no node_modules by default)
-                runCommand(`${PKG_MANAGER} install --frozen-lockfile`, {
-                    label: 'install',
-                    cwd: worktreePath,
-                });
-                console.log(`${LOG_PREFIX} ✅ Dependencies installed in micro-worktree`);
-                if (!skipBuild) {
-                    runCommand(`${PKG_MANAGER} build`, { label: 'build', cwd: worktreePath });
-                    console.log(`${LOG_PREFIX} ✅ Build complete`);
-                }
-                else {
-                    console.log(`${LOG_PREFIX} Skipping build (--skip-build)`);
-                }
-                // Phase 2: Version bump (inside micro-worktree)
-                console.log(`${LOG_PREFIX} Bumping versions to ${version}...`);
-                await updatePackageVersions(worktreePackagePaths, version);
-                const versionPolicyPath = await updateVersionPolicy(version, worktreePath);
-                if (versionPolicyPath) {
-                    console.log(`${LOG_PREFIX} ✅ Updated ${VERSION_POLICY_RELATIVE_PATH}`);
-                }
-                console.log(`${LOG_PREFIX} ✅ Versions updated to ${version}`);
-                // Phase 2b: Regenerate Starlight changelog manifest (WU-2570).
-                // The generator reads currentVersion from the freshly bumped
-                // version-policy.yaml, so it must run AFTER updateVersionPolicy
-                // and BEFORE the release commit is built, otherwise the tagged
-                // commit carries a stale currentVersion and the live docs site
-                // displays the previous release.
-                const changelogAbsPath = join(worktreePath, CHANGELOG_RELATIVE_PATH);
-                const changelogExisted = existsSync(changelogAbsPath);
-                if (changelogExisted) {
-                    regenerateChangelog(worktreePath);
-                    console.log(`${LOG_PREFIX} ✅ Regenerated ${CHANGELOG_RELATIVE_PATH}`);
-                }
-                // Phase 3: Validate packed artifacts after the version bump and before
-                // any commit, tag, or optional npm publish step.
-                validateReleaseArtifactsForPublish(worktreePackagePaths, false, worktreePath);
-                // Phase 3b (WU-2825): Static preflight — every publishable package's
-                // @lumenflow/* deps must either be in the current publish set or
-                // already available on the npm registry. Catches private:true leaks
-                // (the v5.0.1 @lumenflow/host regression) before publish.
-                assertPublishSetResolvable(worktreePackagePaths);
-                // Phase 3c (WU-2825): Optional dynamic check — pack all tarballs
-                // and run `npm install` in a scratch consumer dir to catch ERESOLVE,
-                // exports-map drift, and peer conflicts that the static check cannot
-                // see.
-                if (opts.verifyConsumerInstall) {
-                    verifyConsumerInstall(worktreePackagePaths, { cwd: worktreePath });
-                }
-                // Phase 4: Publish to npm (from micro-worktree)
-                if (shouldPublishPackages) {
-                    console.log(`${LOG_PREFIX} Publishing packages to npm...`);
-                    runCommand(`${PKG_MANAGER} -r publish --access public --no-git-checks`, {
-                        label: 'publish',
+    try {
+        await withReleaseEnv(async () => {
+            await withMicroWorktree({
+                operation: RELEASE_OPERATION_NAME,
+                id: buildReleaseWorktreeId(version),
+                logPrefix: LOG_PREFIX,
+                execute: async ({ worktreePath }) => {
+                    // Resolve package paths relative to micro-worktree
+                    const worktreePackagePaths = findPackageJsonPaths(worktreePath);
+                    const worktreePackageDirs = worktreePackagePaths.map((path) => dirname(path));
+                    // Exit changeset pre mode in micro-worktree if it was active on main
+                    if (changesetPreActive) {
+                        console.log(`${LOG_PREFIX} Detected changeset pre-release mode, exiting...`);
+                        exitChangesetPreMode(worktreePath);
+                        console.log(`${LOG_PREFIX} ✅ Exited changeset pre mode`);
+                    }
+                    // Phase 1: Materialize dist symlinks and build
+                    const distPreparation = ensureDistPathsMaterialized(worktreePackageDirs, {
+                        skipBuild,
+                        dryRun: false,
+                    });
+                    if (distPreparation.materializedCount > 0) {
+                        console.log(`${LOG_PREFIX} [${PRE_FLIGHT_LABEL}] Materialized ${distPreparation.materializedCount} symlinked dist directories`);
+                    }
+                    // WU-2221: Install deps in micro-worktree (no node_modules by default)
+                    runCommand(`${PKG_MANAGER} install --frozen-lockfile`, {
+                        label: 'install',
                         cwd: worktreePath,
                     });
-                    console.log(`${LOG_PREFIX} ✅ Packages published to npm`);
-                }
-                else {
-                    console.log(`${LOG_PREFIX} Skipping npm publish (--skip-publish)`);
-                }
-                // Build list of modified files for commit
-                const relativePaths = worktreePackagePaths.map((p) => p.replace(worktreePath + '/', ''));
-                // Include version-policy.yaml if it exists
-                if (existsSync(join(worktreePath, VERSION_POLICY_RELATIVE_PATH))) {
-                    relativePaths.push(VERSION_POLICY_RELATIVE_PATH);
-                }
-                // Include changelog.json if it was regenerated (WU-2570).
-                // The file is always regenerated when it existed before the bump,
-                // so only check the pre-bump existence flag — not whether the file
-                // is dirty in git — to keep the commit deterministic.
-                if (changelogExisted) {
-                    relativePaths.push(CHANGELOG_RELATIVE_PATH);
-                }
-                // Include changeset pre.json removal if applicable
-                if (changesetPreActive) {
-                    const changesetPrePath = join(CHANGESET_DIR, CHANGESET_PRE_JSON);
-                    relativePaths.push(changesetPrePath);
-                }
-                return {
-                    commitMessage: buildCommitMessage(version),
-                    files: relativePaths,
-                };
-            },
+                    console.log(`${LOG_PREFIX} ✅ Dependencies installed in micro-worktree`);
+                    if (!skipBuild) {
+                        runCommand(`${PKG_MANAGER} build`, { label: 'build', cwd: worktreePath });
+                        console.log(`${LOG_PREFIX} ✅ Build complete`);
+                    }
+                    else {
+                        console.log(`${LOG_PREFIX} Skipping build (--skip-build)`);
+                    }
+                    // Phase 2: Version bump (inside micro-worktree)
+                    console.log(`${LOG_PREFIX} Bumping versions to ${version}...`);
+                    await updatePackageVersions(worktreePackagePaths, version);
+                    const versionPolicyPath = await updateVersionPolicy(version, worktreePath);
+                    if (versionPolicyPath) {
+                        console.log(`${LOG_PREFIX} ✅ Updated ${VERSION_POLICY_RELATIVE_PATH}`);
+                    }
+                    console.log(`${LOG_PREFIX} ✅ Versions updated to ${version}`);
+                    // Phase 2b: Regenerate Starlight changelog manifest (WU-2570).
+                    // The generator reads currentVersion from the freshly bumped
+                    // version-policy.yaml, so it must run AFTER updateVersionPolicy
+                    // and BEFORE the release commit is built, otherwise the tagged
+                    // commit carries a stale currentVersion and the live docs site
+                    // displays the previous release.
+                    const changelogAbsPath = join(worktreePath, CHANGELOG_RELATIVE_PATH);
+                    const changelogExisted = existsSync(changelogAbsPath);
+                    if (changelogExisted) {
+                        regenerateChangelog(worktreePath);
+                        console.log(`${LOG_PREFIX} ✅ Regenerated ${CHANGELOG_RELATIVE_PATH}`);
+                    }
+                    // Phase 3: Validate packed artifacts after the version bump and before
+                    // any commit, tag, or optional npm publish step.
+                    validateReleaseArtifactsForPublish(worktreePackagePaths, false, worktreePath);
+                    // Phase 3b (WU-2825): Static preflight — every publishable package's
+                    // @lumenflow/* deps must either be in the current publish set or
+                    // already available on the npm registry. Catches private:true leaks
+                    // (the v5.0.1 @lumenflow/host regression) before publish.
+                    assertPublishSetResolvable(worktreePackagePaths);
+                    // Phase 3c (WU-2825): Optional dynamic check — pack all tarballs
+                    // and run `npm install` in a scratch consumer dir to catch ERESOLVE,
+                    // exports-map drift, and peer conflicts that the static check cannot
+                    // see.
+                    if (opts.verifyConsumerInstall) {
+                        verifyConsumerInstall(worktreePackagePaths, { cwd: worktreePath });
+                    }
+                    // Phase 4: Publish to npm (from micro-worktree)
+                    if (shouldPublishPackages) {
+                        console.log(`${LOG_PREFIX} Publishing packages to npm...`);
+                        runCommand(`${PKG_MANAGER} -r publish --access public --no-git-checks`, {
+                            label: 'publish',
+                            cwd: worktreePath,
+                        });
+                        console.log(`${LOG_PREFIX} ✅ Packages published to npm`);
+                    }
+                    else {
+                        console.log(`${LOG_PREFIX} Skipping npm publish (--skip-publish)`);
+                    }
+                    // Build list of modified files for commit
+                    const relativePaths = worktreePackagePaths.map((p) => p.replace(worktreePath + '/', ''));
+                    // Include version-policy.yaml if it exists
+                    if (existsSync(join(worktreePath, VERSION_POLICY_RELATIVE_PATH))) {
+                        relativePaths.push(VERSION_POLICY_RELATIVE_PATH);
+                    }
+                    // Include changelog.json if it was regenerated (WU-2570).
+                    // The file is always regenerated when it existed before the bump,
+                    // so only check the pre-bump existence flag — not whether the file
+                    // is dirty in git — to keep the commit deterministic.
+                    if (changelogExisted) {
+                        relativePaths.push(CHANGELOG_RELATIVE_PATH);
+                    }
+                    // Include changeset pre.json removal if applicable
+                    if (changesetPreActive) {
+                        const changesetPrePath = join(CHANGESET_DIR, CHANGESET_PRE_JSON);
+                        relativePaths.push(changesetPrePath);
+                    }
+                    return {
+                        commitMessage: buildCommitMessage(version),
+                        files: relativePaths,
+                    };
+                },
+            });
         });
-    });
+        releaseTransactionSucceeded = true;
+    }
+    finally {
+        if (originalTmpdir === undefined) {
+            delete process.env.TMPDIR;
+        }
+        else {
+            process.env.TMPDIR = originalTmpdir;
+        }
+        // WU-2854: Only clean up on success. Preserving the directory on
+        // failure lets operators inspect residue (partial install, failed
+        // publish logs) before the next attempt reclaims the space.
+        if (releaseTransactionSucceeded) {
+            cleanupReleaseWorktreeDir(releaseWorktreeDir);
+        }
+    }
+    /* eslint-enable sonarjs/publicly-writable-directories */
     // ── Post micro-worktree: tag and push tag ─────────────────────────
     // The micro-worktree has already merged the version bump commit to main
     // and pushed to origin. Now create and push the git tag.