@maximtop/opencode-debug-mode 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CONTRIBUTING.md +10 -4
- package/dist/index.js +3 -1
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/CONTRIBUTING.md
CHANGED
|
@@ -39,10 +39,16 @@ git push origin vX.Y.Z
|
|
|
39
39
|
|
|
40
40
|
Use the same sequence with an exact `X.Y.Z-beta.N` or `X.Y.Z-rc.N` version for a prerelease. Do not move or reuse a published tag or version.
|
|
41
41
|
|
|
42
|
-
The release workflow is safe to rerun. It accepts an existing GitHub Release only when the tag, prerelease state, tarball, and checksum match. If the npm version already exists, its registry integrity must match the prepared manifest; any mismatch is reported as a collision. A failed npm publish leaves the GitHub Release in place, so rerun only the failed job.
|
|
42
|
+
The release workflow is safe to rerun. It accepts an existing GitHub Release only when the tag, prerelease state, tarball, and checksum match. If the npm version already exists, its registry integrity must match the prepared manifest; any mismatch is reported as a collision. A failed npm publish leaves the GitHub Release in place, so normally rerun only the failed job. If the workflow itself must be fixed first, commit the fix to `master`, temporarily allow branch `master` in the GitHub Environment `npm`, manually run the same Release workflow with the existing version tag, and let it check out that immutable tag and verify the existing assets before publishing. Remove the temporary branch policy immediately after the run. Never move or replace the tag.
|
|
43
43
|
|
|
44
|
-
|
|
44
|
+
```sh
|
|
45
|
+
gh workflow run release.yml --ref master -f tag=vX.Y.Z
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
The manual recovery reuses the tarball and checksum already attached to the GitHub Release instead of rebuilding them. Keep the temporary `master` policy until the complete run succeeds, including `publish-npm`; then remove it. Provenance for this exceptional recovery points to the recovery workflow commit on `master`, while the verified manifest, checksum, and package contents remain bound to the immutable release tag.
|
|
49
|
+
|
|
50
|
+
### npm publishing authentication
|
|
45
51
|
|
|
46
|
-
|
|
52
|
+
The package uses an npm Trusted Publisher bound to user `maximtop`, repository `opencode-debug-mode`, workflow `release.yml`, Environment `npm`, and permission `npm publish`. The Environment has no manual approval and normally permits only protected tag pattern `v*`. Do not add `NODE_AUTH_TOKEN` or `NPM_TOKEN`: releases authenticate only through GitHub OIDC and receive provenance automatically.
|
|
47
53
|
|
|
48
|
-
|
|
54
|
+
The bootstrap `v0.1.0` publication used a short-lived granular token because the npm package did not exist yet. That token and its GitHub secret were removed after Trusted Publishing was configured, and the package now disallows token-based publication.
|
package/dist/index.js
CHANGED
|
@@ -3599,10 +3599,12 @@ function createDebugModePlugin(options = {}) {
|
|
|
3599
3599
|
if (config.command?.debug !== void 0) logCollision("command.debug");
|
|
3600
3600
|
config.agent ??= {};
|
|
3601
3601
|
config.command ??= {};
|
|
3602
|
+
const permission = { question: "allow" };
|
|
3602
3603
|
config.agent.debug = {
|
|
3603
3604
|
mode: "primary",
|
|
3604
3605
|
description: "Hypothesis-driven runtime debugging",
|
|
3605
|
-
prompt
|
|
3606
|
+
prompt,
|
|
3607
|
+
permission
|
|
3606
3608
|
};
|
|
3607
3609
|
config.command.debug = {
|
|
3608
3610
|
description: "Start hypothesis-driven runtime debugging",
|