ultimate-pi 0.1.0 → 0.1.2

package/.github/workflows/publish-npm.yml

@@ -0,0 +1,32 @@
+name: Publish to npm
+run-name: Publish npm from ${{ github.ref_name }}
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.14.0'
+
+      - name: Ensure npm trusted publishing minimum version
+        run: |
+          npm i -g npm@^11.5.1
+          node -v
+          npm -v
+
+      - name: Publish package
+        run: npm publish --provenance --access public

package/README.md

@@ -1,4 +1,4 @@
-![Ultimate PI banner](.github/banner.png)
+![Ultimate PI banner](https://raw.githubusercontent.com/aryaniyaps/ultimate-pi/main/.github/banner-v2.png)
 
 > (Beta) The **ultimate AI coding harness** on top of [**pi.dev**](https://pi.dev).
 

package/package.json

@@ -1,11 +1,19 @@
 {
   "name": "ultimate-pi",
-  "version": "0.1.0",
-  "description": "Custom pi package starter with caveman and impeccable.style skills",
+  "version": "0.1.2",
+  "description": "Custom pi package starter",
   "keywords": [
-    "pi-package"
+    "pi-package",
+    "pi-mono",
+    "pi",
+    "ai-harness",
+    "coding-agent"
   ],
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/aryaniyaps/ultimate-pi"
+  },
   "pi": {
     "extensions": [
       "./extensions"

package/wiki/README.md

@@ -8,3 +8,12 @@ Track architecture and implementation decisions for this repo.
 - [0002 - Add project banner to README](decisions/0002-add-project-banner-to-readme.md)
 - [0003 - Remove redundant README title heading when banner already contains title](decisions/0003-remove-redundant-readme-title-heading.md)
 - [0004 - Publish package to npm as ultimate-pi](decisions/0004-publish-package-to-npm-as-ultimate-pi.md)
+- [0005 - Automate npm publish with GitHub Actions](decisions/0005-automate-npm-publish-with-github-actions.md)
+- [0006 - Switch npm automation to Trusted Publishing (OIDC)](decisions/0006-switch-to-npm-trusted-publishing.md)
+- [0007 - Use absolute banner URL for npm README rendering](decisions/0007-use-absolute-banner-url-for-npm-readme-rendering.md)
+- [0008 - Rename banner asset for cache-busting on npm README](decisions/0008-rename-banner-asset-for-cache-busting.md)
+- [0009 - Force OIDC path by clearing NODE_AUTH_TOKEN in publish step](decisions/0009-force-oidc-path-by-clearing-node-auth-token-in-publish-step.md)
+- [0010 - Simplify setup-node for npm Trusted Publishing](decisions/0010-simplify-setup-node-for-npm-trusted-publishing.md)
+- [0011 - Add noop workflow change to force fresh publish run](decisions/0011-add-noop-workflow-change-to-force-fresh-publish-run.md)
+- [0012 - Align workflow runtime with npm Trusted Publishing requirements](decisions/0012-align-workflow-runtime-with-npm-trusted-publishing-requirements.md)
+- [0013 - Add package repository URL for provenance validation](decisions/0013-add-package-repository-url-for-provenance-validation.md)

package/wiki/decisions/0005-automate-npm-publish-with-github-actions.md

@@ -0,0 +1,27 @@
+# 0005 - Automate npm publish with GitHub Actions
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+User requested automated package publishing through GitHub Actions.
+Repository currently has no workflow files.
+Package already prepared for npm publish as ultimate-pi.
+
+## Alternatives
+1. Keep manual local npm publish only.
+2. Publish on every push to main.
+3. Publish on version tags with optional manual trigger.
+
+## Chosen option
+Create a GitHub Actions workflow that publishes to npm on tags matching v* and supports manual dispatch.
+
+## Rationale
+- Safe release gate with explicit version tags.
+- Standard npm automation pattern.
+- Keeps accidental publishes low risk.
+
+## Consequences
+- Maintainer must create npm token and store as NPM_TOKEN secret.
+- Release process must include tag creation.
+- Version in package.json must be bumped before tagging.

package/wiki/decisions/0006-switch-to-npm-trusted-publishing.md

@@ -0,0 +1,26 @@
+# 0006 - Switch npm automation to Trusted Publishing (OIDC)
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+User flagged npm warning: token-based automation has security risks.
+Current workflow uses NPM_TOKEN secret for publish.
+
+## Alternatives
+1. Keep automation token secret (NPM_TOKEN).
+2. Publish manually from local machine only.
+3. Use npm Trusted Publishing with GitHub OIDC.
+
+## Chosen option
+Use npm Trusted Publishing. Remove token auth from workflow. Grant id-token permission and publish with provenance.
+
+## Rationale
+- Eliminates long-lived npm secret in GitHub.
+- Aligns with npm security guidance for CI/CD.
+- Produces provenance attestations for supply-chain trust.
+
+## Consequences
+- Must configure Trusted Publisher in npm package settings.
+- Publish only works from linked repo/workflow context.
+- Workflow must run on supported GitHub-hosted runner.

package/wiki/decisions/0007-use-absolute-banner-url-for-npm-readme-rendering.md

@@ -0,0 +1,26 @@
+# 0007 - Use absolute banner URL for npm README rendering
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+README banner currently uses repository-relative path .github/banner.png.
+GitHub renders relative image paths in repository context.
+npm README rendering does not reliably resolve repository-relative image paths.
+
+## Alternatives
+1. Keep relative image path.
+2. Remove banner image from README.
+3. Use absolute raw GitHub URL to banner asset.
+
+## Chosen option
+Replace README banner image path with absolute raw.githubusercontent.com URL.
+
+## Rationale
+- Works in npm package page rendering.
+- Still works in GitHub README rendering.
+- Minimal one-line README diff.
+
+## Consequences
+- URL tied to repository path/branch (main).
+- Banner breaks if file path or default branch changes.

package/wiki/decisions/0008-rename-banner-asset-for-cache-busting.md

@@ -0,0 +1,26 @@
+# 0008 - Rename banner asset for cache-busting on npm README
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+Banner image update is not reflected on npm package page.
+README already uses absolute raw.githubusercontent URL.
+Likely cause is CDN/browser cache on unchanged asset path.
+
+## Alternatives
+1. Keep same filename and wait for cache expiry.
+2. Add query parameter to image URL.
+3. Rename banner file and update README URL.
+
+## Chosen option
+Rename banner file path from .github/banner.png to .github/banner-v2.png and update README reference.
+
+## Rationale
+- New path forces cache miss immediately.
+- Minimal, safe change.
+- Works in GitHub and npm renderers.
+
+## Consequences
+- Any external links to old filename break.
+- Future banner refreshes should use versioned filenames.

package/wiki/decisions/0009-force-oidc-path-by-clearing-node-auth-token-in-publish-step.md

@@ -0,0 +1,25 @@
+# 0009 - Force OIDC path by clearing NODE_AUTH_TOKEN in publish step
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+GitHub Actions publish job failed with npm E404 on PUT for ultimate-pi@0.1.2.
+Job log shows NODE_AUTH_TOKEN present during publish step, which can force token auth path instead of Trusted Publishing OIDC.
+
+## Alternatives
+1. Keep workflow unchanged and only reconfigure npm settings.
+2. Revert fully to long-lived NPM_TOKEN secret.
+3. Keep Trusted Publishing and explicitly clear NODE_AUTH_TOKEN in publish step.
+
+## Chosen option
+Use Trusted Publishing and set NODE_AUTH_TOKEN to empty string for publish step.
+
+## Rationale
+- Prevents accidental fallback to stale/unauthorized token auth.
+- Preserves secure OIDC-based publish flow.
+- Minimal surgical workflow diff.
+
+## Consequences
+- Requires npm Trusted Publisher to be correctly configured.
+- Any desired token-based publish would need explicit workflow change.

package/wiki/decisions/0010-simplify-setup-node-for-npm-trusted-publishing.md

@@ -0,0 +1,26 @@
+# 0010 - Simplify setup-node for npm Trusted Publishing
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+Publish run still fails with ENEEDAUTH after Trusted Publisher setup.
+Current workflow sets npm registry-url and explicitly sets NODE_AUTH_TOKEN empty.
+This may keep npm on token-based auth path and bypass OIDC exchange.
+
+## Alternatives
+1. Keep current workflow and retry only.
+2. Re-introduce npm token secret.
+3. Remove registry auth shaping and let npm Trusted Publishing OIDC path run naturally.
+
+## Chosen option
+Use setup-node with node-version only. Remove registry-url and NODE_AUTH_TOKEN override.
+
+## Rationale
+- Avoids writing auth-specific npmrc configuration for token path.
+- Aligns with minimal OIDC trusted publishing examples.
+- Smallest workflow diff.
+
+## Consequences
+- Requires npm Trusted Publisher config to be correct.
+- If Trusted Publishing unavailable, publish will fail until fallback token flow is re-added.

package/wiki/decisions/0011-add-noop-workflow-change-to-force-fresh-publish-run.md

@@ -0,0 +1,25 @@
+# 0011 - Add noop workflow change to force fresh publish run
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+User requested a fresh commit and publish attempt because rerun signal looked stale.
+Current publish workflow logic already targeted for Trusted Publishing.
+
+## Alternatives
+1. Keep rerunning same workflow execution.
+2. Make a functional workflow change.
+3. Make a minimal non-functional workflow change and trigger new run from new commit.
+
+## Chosen option
+Add a non-functional workflow metadata field (run-name) and push a new commit.
+
+## Rationale
+- Produces clean new run context tied to fresh commit SHA.
+- Avoids unnecessary behavior changes.
+- Smallest viable diff.
+
+## Consequences
+- No runtime behavior change expected.
+- Still depends on npm auth configuration correctness.

package/wiki/decisions/0012-align-workflow-runtime-with-npm-trusted-publishing-requirements.md

@@ -0,0 +1,26 @@
+# 0012 - Align workflow runtime with npm Trusted Publishing requirements
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+Publish workflow still fails authentication.
+Trusted publisher mapping is already verified by user.
+Remaining common causes include runtime mismatch: npm 11.5.1+ and Node 22.14+.
+
+## Alternatives
+1. Keep current Node 20 workflow.
+2. Switch to token-based publish only.
+3. Upgrade workflow runtime to Node 22.14+, ensure npm 11.5.1+, keep OIDC permissions.
+
+## Chosen option
+Upgrade workflow to Node 22.14.0 and add npm upgrade/verification step before publish.
+
+## Rationale
+- Directly addresses documented Trusted Publishing runtime requirements.
+- Keeps secure OIDC model intact.
+- Minimal focused diff in workflow only.
+
+## Consequences
+- Slightly longer workflow run due npm update step.
+- Future runtime bumps may be needed when npm guidance changes.

package/wiki/decisions/0013-add-package-repository-url-for-provenance-validation.md

@@ -0,0 +1,25 @@
+# 0013 - Add package repository URL for provenance validation
+
+- Date: 2026-04-25
+- Status: Accepted
+
+## Context
+Trusted publishing auth now passes, but publish fails with npm E422 provenance validation.
+Error states package.json repository.url is empty and must match https://github.com/aryaniyaps/ultimate-pi.
+
+## Alternatives
+1. Disable provenance flag in publish command.
+2. Keep failing publish and document manual workaround.
+3. Add exact repository URL metadata in package.json to satisfy provenance validation.
+
+## Chosen option
+Add package.json repository metadata with URL https://github.com/aryaniyaps/ultimate-pi.
+
+## Rationale
+- Fixes current hard failure from npm provenance verifier.
+- Keeps secure --provenance publish mode.
+- Minimal metadata-only package diff.
+
+## Consequences
+- Repository URL must stay accurate.
+- If repo moves, metadata must be updated before next publish.