@proofofwork-agency/toolpin 0.2.3 → 0.2.5

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/proofofwork-agency/toolpin/actions/workflows/ci.yml/badge.svg)](https://github.com/proofofwork-agency/toolpin/actions/workflows/ci.yml)
 [![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue)](LICENSE)
-[![npm publish pending](https://img.shields.io/badge/npm-publish%20pending-orange)](https://www.npmjs.com/package/@proofofwork-agency/toolpin)
+[![npm](https://img.shields.io/npm/v/@proofofwork-agency/toolpin)](https://www.npmjs.com/package/@proofofwork-agency/toolpin)
 [![Status: pre-1.0 beta](https://img.shields.io/badge/status-pre--1.0%20beta-yellow)](https://github.com/proofofwork-agency/toolpin/releases)
 
 ToolPin is a review gate for MCP server installs. It helps teams inspect what
@@ -209,7 +209,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: proofofwork-agency/toolpin@v0.2.3
+      - uses: proofofwork-agency/toolpin@v0.2.5
         with:
           live: "true"
           verify: "true"
@@ -217,9 +217,9 @@ jobs:
 ```
 
 The checked-in composite Action builds ToolPin from the action source by
-default, then runs `toolpin ci`. After npm publish, set `toolpin-version` to an
-npm version specifier if you want the Action to install
-`@proofofwork-agency/toolpin` from npm instead.
+default, then runs `toolpin ci`. Set `toolpin-version` to an npm version
+specifier if you want the Action to install `@proofofwork-agency/toolpin` from
+npm instead.
 
 Recommended CI posture for reviewed lockfiles is `toolpin ci --live --verify`
 for capability drift. Use `--skip-live-verification` only as an explicit downgrade
@@ -252,7 +252,7 @@ for the exact scope and limits.
 - ToolPin curated registry source of truth in GitHub:
   <https://github.com/proofofwork-agency/toolpin/blob/main/registry/v0/servers>
   with a GitHub Pages static mirror for docs/browsing:
-  <https://proofofwork-agency.github.io/toolpin/registry/v0>
+  <https://proofofwork-agency.github.io/toolpin/registry/v0/servers>
 - Custom registry configuration via `.toolpin/registries.json`.
 - Search ranking over name, title, description, package type, transport, and
   repository.
@@ -268,9 +268,10 @@ for the exact scope and limits.
 
 ## Roadmap
 
-The immediate release path is public distribution:
+The first public release path is complete. Near-term work now focuses on
+adoption and evidence quality:
 
-- Publish the npm package with provenance.
+- Keep npm provenance publishing healthy for every release.
 - Keep the GitHub Action pinned and documented for CI adoption.
 - Continue tightening evidence definitions, policy fields, and trust docs.
 
@@ -282,7 +283,7 @@ Longer-term direction:
 - Safer secret brokering without plaintext client config.
 - Task-first MCP discovery and stronger tool-description review signals.
 
-See [docs/ROADMAP.md](docs/ROADMAP.md) for project direction.
+See [docs/ROADMAP.md](https://github.com/proofofwork-agency/toolpin/blob/main/docs/ROADMAP.md) for project direction.
 
 ## Contributing
 
@@ -296,7 +297,8 @@ npm run registry:check
 ```
 
 Please read [CONTRIBUTING.md](CONTRIBUTING.md), [SECURITY.md](SECURITY.md), and
-[CLA.md](CLA.md) before opening larger changes.
+[CLA.md](https://github.com/proofofwork-agency/toolpin/blob/main/CLA.md)
+before opening larger changes.
 
 ## License
 
@@ -307,11 +309,11 @@ ToolPin is distributed under the Apache License 2.0. See [LICENSE](LICENSE).
 - [Hosted documentation](https://proofofwork-agency.github.io/toolpin/)
 - [CLI reference](https://proofofwork-agency.github.io/toolpin/docs/reference/cli)
 - [Threat model](https://proofofwork-agency.github.io/toolpin/docs/concepts/threat-model)
-- [Client config matrix](docs/client-configs.md)
+- [Client config matrix](https://github.com/proofofwork-agency/toolpin/blob/main/docs/client-configs.md)
 - [Catch drift in CI](docs/how-to/catch-drift-in-ci.md)
-- [ToolPin vs. the MCP ecosystem](docs/site/concepts/comparison.md)
+- [ToolPin vs. the MCP ecosystem](https://proofofwork-agency.github.io/toolpin/docs/concepts/comparison)
 - [Security policy](SECURITY.md)
-- [Disclaimer](DISCLAIMER.md)
+- [Disclaimer](https://github.com/proofofwork-agency/toolpin/blob/main/DISCLAIMER.md)
 
 ## Notice
 
@@ -320,4 +322,5 @@ ToolPin is distributed under the Apache License 2.0. See [LICENSE](LICENSE).
 > services. That code can access files, networks, and credentials through the
 > client that runs it. ToolPin's score, evidence tier, and lockfile checks are
 > review aids, not a guarantee that any server is safe. See
-> [DISCLAIMER.md](DISCLAIMER.md) and [docs/threat-model.md](docs/threat-model.md).
+> [DISCLAIMER.md](https://github.com/proofofwork-agency/toolpin/blob/main/DISCLAIMER.md)
+> and the [threat model](https://proofofwork-agency.github.io/toolpin/docs/concepts/threat-model).

package/action.yml

@@ -35,7 +35,7 @@ inputs:
     required: false
     default: ""
   toolpin-version:
-    description: Optional npm version specifier for the @proofofwork-agency/toolpin npm package after public npm publish. Leave empty to install from this action source.
+    description: Optional npm version specifier for the published @proofofwork-agency/toolpin npm package. Leave empty to install from this action source.
     required: false
     default: ""
   policy:

package/dist/cli.js

@@ -1475,7 +1475,7 @@ Lock and governance
   toolpin doctor [--file mcp-lock.json] [--scope|-s all|project|global] [--global|-g] [--json]
   toolpin secrets audit [--file mcp-lock.json] [--scope|-s all|project|global] [--global|-g] [--json]
   toolpin policy digest [--policy .toolpin/policy.json] [--json]
-  toolpin policy check <server> --client|-c <client|all> [--version <server-version>] [--source toolpin|official|docker|all|custom-id] [--policy .toolpin/policy.json]
+  toolpin policy check <server> --client|-c <client|all> [--version <server-version>] [--scope|-s project|global] [--source toolpin|official|docker|all|custom-id] [--policy .toolpin/policy.json] [--json] [--live]
   toolpin lock <server> --client|-c <client|all> [--version <server-version>] [--source toolpin|official|docker|all|custom-id] [--scope project|global] [--file mcp-lock.json]
   toolpin lock digest [--file mcp-lock.json] [--json]
   toolpin lock key-fingerprint --public-key public.pem [--json]

package/dist/tui/command.js

@@ -8,7 +8,7 @@ export function commandLineFor(commandId, state, server) {
     const serverName = server ? shellQuote(server.name) : "<server-name>";
     switch (commandId) {
         case "ingest":
-            return `toolpin ingest ${source} --pages 6`;
+            return `toolpin ingest ${source} --limit 500 --pages 25`;
         case "installed":
             return "toolpin list --scope all --json";
         case "sources":
@@ -22,7 +22,7 @@ export function commandLineFor(commandId, state, server) {
         case "info":
             return `toolpin info ${serverName} ${source}${live}`;
         case "audit":
-            return `toolpin audit ${serverName} ${source}${live}`;
+            return `toolpin audit server ${serverName} ${source}${live}`;
         case "plan":
             return `toolpin plan ${serverName} --client ${state.client} ${source}${live}`;
         case "install":

package/dist/tui/views/panels.js

@@ -509,7 +509,7 @@ export function Footer({ state, width }) {
     const copyright = "© 2026 Proofofwork Agency · https://github.com/proofofwork-agency/toolpin";
     const copyrightWidth = Math.min(copyright.length, Math.max(0, width - 8));
     const hintWidth = Math.max(10, width - copyrightWidth - 8);
-    return (_jsxs(Box, { paddingX: 2, marginTop: 1, flexShrink: 0, flexDirection: "column", children: [_jsx(TrustStateLegend, { width: Math.max(1, width - 4) }), _jsxs(Box, { justifyContent: "space-between", children: [_jsx(Box, { width: hintWidth, children: _jsx(Text, { wrap: "truncate", children: hints.map(([keyName, label], index) => (_jsxs(React.Fragment, { children: [index > 0 ? _jsx(Text, { color: CHROME, children: "  |  " }) : null, _jsx(Text, { bold: true, color: "white", children: keyName }), _jsxs(Text, { color: MUTED, children: [":", label] })] }, keyName))) }) }), _jsx(Text, { color: CHROME, wrap: "truncate", children: truncate(copyright, copyrightWidth) })] })] }));
+    return (_jsxs(Box, { paddingX: 2, marginTop: 1, flexShrink: 0, flexDirection: "column", children: [_jsxs(Box, { width: Math.max(1, width - 4), justifyContent: "space-between", marginTop: 1, marginBottom: 1, children: [_jsx(Box, { width: hintWidth, children: _jsx(Text, { wrap: "truncate", children: hints.map(([keyName, label], index) => (_jsxs(React.Fragment, { children: [index > 0 ? _jsx(Text, { color: CHROME, children: "  |  " }) : null, _jsx(Text, { bold: true, color: "white", children: keyName }), _jsxs(Text, { color: MUTED, children: [":", label] })] }, keyName))) }) }), _jsx(Text, { color: CHROME, wrap: "truncate", children: truncate(copyright, copyrightWidth) })] }), _jsx(Box, { width: Math.max(1, width - 4), justifyContent: "flex-end", children: _jsx(TrustStateLegend, { width: Math.max(1, width - 4) }) })] }));
 }
 export function TrustStateLegend({ width }) {
     const compact = width < 118;
@@ -526,7 +526,7 @@ export function TrustStateLegend({ width }) {
             { label: "UNVERIFIED", color: ERR, text: "weak evidence" },
             { label: "BLOCKED", color: ERR, text: "stop" },
         ];
-    return (_jsxs(Text, { wrap: "truncate", children: [_jsx(Text, { color: CHROME, children: "trust " }), items.map((item, index) => (_jsxs(React.Fragment, { children: [index > 0 ? _jsx(Text, { color: CHROME, children: " " }) : null, _jsx(Text, { color: item.color, children: "\u2593" }), _jsx(Text, { bold: true, color: item.color, children: item.label }), _jsxs(Text, { color: MUTED, children: [" ", item.text] })] }, item.label)))] }));
+    return (_jsxs(Box, { flexDirection: "column", alignItems: "flex-end", marginTop: 1, marginBottom: 1, children: [_jsx(Text, { color: CHROME, children: "trust legend" }), _jsx(Box, { marginTop: 1, marginBottom: 1, flexDirection: compact ? "column" : "row", alignItems: "flex-end", children: items.map((item, index) => (_jsxs(Box, { marginLeft: index > 0 && !compact ? 2 : 0, marginTop: compact && index > 0 ? 1 : 0, children: [_jsx(Box, { marginRight: 1, children: _jsx(Text, { color: item.color, children: "\u2593" }) }), _jsx(Text, { bold: true, color: item.color, children: item.label }), _jsxs(Text, { color: MUTED, children: [" ", item.text] })] }, item.label))) })] }));
 }
 function EmptyPanel({ title }) {
     return (_jsxs(Box, { flexDirection: "column", backgroundColor: SURFACE, paddingX: 2, paddingY: 1, flexGrow: 1, children: [_jsx(ModalTitle, { title: title.toLowerCase(), file: "empty" }), _jsx(Text, { color: MUTED, children: "No server selected. Search and select a server first." })] }));

package/dist/version.js

@@ -1 +1 @@
-export const TOOLPIN_VERSION = "0.2.3";
+export const TOOLPIN_VERSION = "0.2.5";

package/docs/assets/readme/terminal-demo.svg

@@ -112,7 +112,7 @@
   <circle class="dot-red" cx="60" cy="53" r="9"/>
   <circle class="dot-yellow" cx="90" cy="53" r="9"/>
   <circle class="dot-green" cx="120" cy="53" r="9"/>
-    <text x="160" y="61" class="small">ToolPin v0.2.2 - MCP install review gate - toolpin or tpn</text>
+    <text x="160" y="61" class="small">ToolPin - MCP install review gate - toolpin or tpn</text>
 
   <g class="frame f1">
     <text x="62" y="126"><tspan class="prompt">$</tspan><tspan class="cmd"> toolpin search contextrelay --source toolpin</tspan></text>

package/docs/how-to/catch-drift-in-ci.md

@@ -41,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: proofofwork-agency/toolpin@v0.2.3
+      - uses: proofofwork-agency/toolpin@v0.2.5
         with:
           file: mcp-lock.json
           live: "true"
@@ -100,7 +100,7 @@ toolpin lock digest --file mcp-lock.json
 Use it in CI:
 
 ```yaml
-- uses: proofofwork-agency/toolpin@v0.2.3
+- uses: proofofwork-agency/toolpin@v0.2.5
   with:
     file: mcp-lock.json
     live: "true"
@@ -122,7 +122,7 @@ toolpin lock verify-signature --policy .toolpin/policy.json --key public.pem --f
 Then in CI:
 
 ```yaml
-- uses: proofofwork-agency/toolpin@v0.2.3
+- uses: proofofwork-agency/toolpin@v0.2.5
   with:
     file: mcp-lock.json
     live: "true"
@@ -139,7 +139,7 @@ trust root are controlled outside the PR path.
 To enforce a non-default policy path:
 
 ```yaml
-- uses: proofofwork-agency/toolpin@v0.2.3
+- uses: proofofwork-agency/toolpin@v0.2.5
   with:
     policy: security/toolpin-policy.json
 ```
@@ -147,7 +147,7 @@ To enforce a non-default policy path:
 To make CI skip policy enforcement explicitly:
 
 ```yaml
-- uses: proofofwork-agency/toolpin@v0.2.3
+- uses: proofofwork-agency/toolpin@v0.2.5
   with:
     no-policy: "true"
 ```
@@ -156,7 +156,7 @@ To re-run verification before comparing locked plans, use the stricter CI
 posture:
 
 ```yaml
-- uses: proofofwork-agency/toolpin@v0.2.3
+- uses: proofofwork-agency/toolpin@v0.2.5
   with:
     live: "true"
     verify: "true"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@proofofwork-agency/toolpin",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Trusted install, lockfile, and governance layer for MCP servers",
   "license": "Apache-2.0",
   "keywords": [
@@ -39,6 +39,7 @@
     "tpn": "./dist/cli.js"
   },
   "scripts": {
+    "prebuild": "node -e \"require('fs').rmSync('dist', { recursive: true, force: true })\"",
     "build": "tsc -p tsconfig.json",
     "postbuild": "node -e \"require('fs').chmodSync('dist/cli.js', 0o755)\"",
     "docs:build": "docusaurus build website",