sqlrite 0.1.4__tar.gz → 0.1.6__tar.gz

{sqlrite-0.1.4 → sqlrite-0.1.6}/.github/workflows/release.yml

@@ -7,8 +7,9 @@
 # Phase 6d: tag-all + publish-crate + publish-ffi + finalize.
 # Phase 6e adds publish-desktop.
 # Phase 6f adds build-python-wheels + publish-python.
-# Phases 6g–6i add publish-nodejs / publish-wasm / publish-go as
-# separate jobs to this same file.
+# Phase 6g adds build-nodejs-binaries + publish-nodejs.
+# Phases 6h–6i add publish-wasm / publish-go as separate jobs
+# to this same file.
 #
 # Design doc: docs/release-plan.md.
 # One-time registry / branch-protection setup: docs/release-secrets.md.
@@ -86,15 +87,16 @@ jobs:
   # BEFORE any publish step so a bad version number (e.g., tag
   # already exists for some reason) aborts the whole release cleanly.
   #
-  # As of Phase 6f, we tag:
+  # As of Phase 6g, we tag:
   #   - sqlrite-v<V>           (Rust engine)
   #   - sqlrite-ffi-v<V>       (C FFI prebuilt binaries)
   #   - sqlrite-desktop-v<V>   (Tauri desktop installers)
   #   - sqlrite-py-v<V>        (Python wheels on PyPI)
+  #   - sqlrite-node-v<V>      (Node.js N-API bindings on npm)
   #   - v<V>                   (umbrella)
   #
-  # Later phases add sqlrite-node-v<V>, sqlrite-wasm-v<V>,
-  # sdk/go/v<V> as their publish jobs come online.
+  # Later phases add sqlrite-wasm-v<V>, sdk/go/v<V> as their
+  # publish jobs come online.
   #
   # Idempotent on re-run: if a tag already exists (partial-failure
   # scenario where publish-crate succeeded but publish-ffi failed,
@@ -124,6 +126,7 @@ jobs:
             "sqlrite-ffi-v$V"
             "sqlrite-desktop-v$V"
             "sqlrite-py-v$V"
+            "sqlrite-node-v$V"
             "v$V"
           )
           for tag in "${TAGS[@]}"; do
@@ -633,6 +636,259 @@ jobs:
           files: dist/*
           generate_release_notes: true
 
+  # ---------------------------------------------------------------------------
+  # Step 3g: build Node.js N-API binaries for every supported
+  # platform. (Phase 6g — build half; publish half lives in the
+  # next job.)
+  #
+  # Architecture: the "bundled binaries" approach, not napi-rs's
+  # newer optional-deps-per-platform pattern. The main `sqlrite`
+  # npm package ships every platform's `.node` binary inside one
+  # tarball; napi-rs's generated `index.js` dispatcher picks the
+  # right one at require time based on process.platform / arch.
+  # Simpler for MVP than maintaining N+1 npm packages; the cost
+  # is a ~15 MiB tarball instead of a ~4 MiB per-platform download,
+  # which is fine for a database driver people install once.
+  #
+  # Same build/publish split as publish-python for the same
+  # reason: npm expects one `npm publish` invocation per package
+  # version. If every matrix cell published independently, a
+  # partial-failure would put some-but-not-all binaries on npm
+  # with no clean rollback.
+  #
+  # Matrix mirrors publish-ffi / publish-desktop / publish-python.
+  # Naming convention for the `.node` file is napi-rs's own: the
+  # platform triple is baked into the filename, e.g.,
+  # `sqlrite.linux-x64-gnu.node` vs `sqlrite.darwin-arm64.node`.
+  # The `files` glob in sdk/nodejs/package.json matches on
+  # `sqlrite.*.node`, so whichever binaries land in the directory
+  # at publish time get included in the tarball.
+  build-nodejs-binaries:
+    name: Build Node.js binary (${{ matrix.platform }})
+    needs: [detect, tag-all]
+    if: needs.detect.outputs.should_release == 'true'
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            platform: linux-x86_64
+            napi_triple: linux-x64-gnu
+          - os: ubuntu-24.04-arm
+            platform: linux-aarch64
+            napi_triple: linux-arm64-gnu
+          - os: macos-latest
+            platform: macos-aarch64
+            napi_triple: darwin-arm64
+          - os: windows-latest
+            platform: windows-x86_64
+            napi_triple: win32-x64-msvc
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: sdk/nodejs/package-lock.json
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: build-nodejs-${{ matrix.platform }}
+
+      - name: Install npm deps
+        working-directory: sdk/nodejs
+        run: npm ci
+
+      # `napi build --platform --release` produces:
+      #   - sqlrite.<napi_triple>.node  (the actual binary)
+      #   - index.js                    (platform-dispatch loader)
+      #   - index.d.ts                  (TypeScript types)
+      # We upload all three but only index.js/d.ts from the
+      # Linux x86_64 cell (they're identical across platforms
+      # since napi generates platform-agnostic dispatch code).
+      - name: Build native binary
+        working-directory: sdk/nodejs
+        run: npm run build
+
+      - name: Verify binary exists
+        working-directory: sdk/nodejs
+        shell: bash
+        run: |
+          ls -la sqlrite.*.node
+          # Fail early if napi produced an unexpected filename —
+          # otherwise the publish step would silently ship an
+          # incomplete tarball.
+          test -f "sqlrite.${{ matrix.napi_triple }}.node"
+
+      - name: Upload .node binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: nodejs-binary-${{ matrix.platform }}
+          path: sdk/nodejs/sqlrite.${{ matrix.napi_triple }}.node
+          if-no-files-found: error
+          retention-days: 1
+
+      # Only Linux x86_64 uploads the shared dispatcher files.
+      # These are identical regardless of build platform (they're
+      # just require-the-right-.node glue), so we only need one
+      # copy in the final npm tarball.
+      - name: Upload JS dispatcher (linux-x86_64 only)
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v4
+        with:
+          name: nodejs-dispatcher
+          path: |
+            sdk/nodejs/index.js
+            sdk/nodejs/index.d.ts
+          if-no-files-found: error
+          retention-days: 1
+
+  # ---------------------------------------------------------------------------
+  # Step 3h: aggregate every platform's `.node` binary + the JS
+  # dispatcher into sdk/nodejs/, publish to npm via OIDC trusted
+  # publishing, and cut the per-product `sqlrite-node-v<V>`
+  # GitHub Release.
+  #
+  # OIDC trusted publishing: similar to the PyPI setup in
+  # publish-python. `permissions: id-token: write` lets npm mint
+  # a short-lived OIDC token, which `npm publish --provenance`
+  # exchanges for a one-time upload token. No NPM_TOKEN secret.
+  # One-time trusted-publisher config on npmjs.com — see
+  # docs/release-secrets.md.
+  #
+  # `--provenance` also attaches a signed attestation linking
+  # the package to this exact GitHub Actions workflow run (via
+  # sigstore, same mechanism as PyPI's PEP 740). Users who care
+  # about supply-chain can verify it with `npm audit signatures`.
+  publish-nodejs:
+    name: Publish Node.js package to npm
+    needs: [detect, tag-all, build-nodejs-binaries]
+    if: needs.detect.outputs.should_release == 'true'
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      # OIDC for npm trusted publisher + provenance signing.
+      id-token: write
+      # For softprops/action-gh-release step at the end.
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      # NOTE: deliberately NO `registry-url:` here. setting that
+      # makes setup-node generate an `.npmrc` with
+      # `_authToken=${NODE_AUTH_TOKEN}`, which forces npm into
+      # token-based auth and *bypasses* the trusted-publisher
+      # OIDC pathway entirely. The v0.1.5 canary blew up on this
+      # exact issue: `404 Not Found - PUT ... is not in this
+      # registry` because npm sent an empty/missing
+      # NODE_AUTH_TOKEN instead of minting an OIDC token.
+      #
+      # With registry-url omitted, no `.npmrc` is generated, and
+      # npm CLI ≥ 11.5 auto-detects the GitHub Actions OIDC
+      # environment (via ACTIONS_ID_TOKEN_REQUEST_URL +
+      # permissions: id-token: write below), mints an OIDC token,
+      # and exchanges it at npm for a one-time publish token. The
+      # public default registry is fine — that's where
+      # registry.npmjs.org lives anyway.
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      # Node 20 LTS ships with npm 10.x, but trusted publishing
+      # auto-detection landed in npm 11.5. Force-upgrade so we
+      # don't depend on the runner image happening to ship a
+      # recent-enough npm.
+      - name: Upgrade npm to latest (need 11.5+ for trusted publishing)
+        run: npm install -g npm@latest
+
+      # Pull every platform's `.node` binary plus the JS
+      # dispatcher into sdk/nodejs/, overlaying them on top of
+      # the checked-out package.json / package-lock.json / etc.
+      - name: Download .node binaries
+        uses: actions/download-artifact@v4
+        with:
+          pattern: nodejs-binary-*
+          path: sdk/nodejs
+          merge-multiple: true
+
+      - name: Download JS dispatcher
+        uses: actions/download-artifact@v4
+        with:
+          name: nodejs-dispatcher
+          path: sdk/nodejs
+
+      - name: List publish payload
+        working-directory: sdk/nodejs
+        run: |
+          ls -la
+          echo "---"
+          npm --version
+          echo "---"
+          # Dry-run the pack to see exactly what ends up in the
+          # published tarball. A missing .node file or a stray
+          # devDep pulled in by accident would be visible here.
+          npm pack --dry-run
+
+      # Single atomic publish via OIDC trusted publisher. No
+      # `--provenance` flag and no env block — npm 11.5+ adds
+      # provenance automatically when the publish runs over OIDC,
+      # and an explicit `--provenance` flag combined with no
+      # auth token would actually error out under the older
+      # token-auth pathway.
+      #
+      # `--access public` is REQUIRED because `@joaoh82/sqlrite`
+      # is a scoped package and scoped packages default to
+      # private; without the flag, npm rejects the upload for a
+      # free-tier account that can't host private packages.
+      - name: Publish to npm
+        working-directory: sdk/nodejs
+        run: npm publish --access public
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: sqlrite-node-v${{ needs.detect.outputs.version }}
+          name: Node.js v${{ needs.detect.outputs.version }}
+          body: |
+            Published to npm: https://www.npmjs.com/package/@joaoh82/sqlrite/v/${{ needs.detect.outputs.version }}
+
+            ```bash
+            npm install @joaoh82/sqlrite@${{ needs.detect.outputs.version }}
+            ```
+
+            ```javascript
+            const { Database } = require('@joaoh82/sqlrite');
+
+            const db = new Database(':memory:');
+            db.exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
+            const stmt = db.prepare('INSERT INTO users (name) VALUES (?)');
+            stmt.run('alice');
+
+            for (const row of db.prepare('SELECT * FROM users').iterate()) {
+              console.log(row);
+            }
+            ```
+
+            **Binaries bundled in this release:**
+            - Linux x86_64 (`sqlrite.linux-x64-gnu.node`)
+            - Linux aarch64 (`sqlrite.linux-arm64-gnu.node`)
+            - macOS aarch64 (`sqlrite.darwin-arm64.node`)
+            - Windows x86_64 (`sqlrite.win32-x64-msvc.node`)
+
+            The package's `index.js` dispatcher auto-selects the right binary at require time — no platform-specific install step.
+
+            Verify package provenance:
+            ```bash
+            npm audit signatures
+            ```
+
+            See the umbrella release [v${{ needs.detect.outputs.version }}](../../releases/tag/v${{ needs.detect.outputs.version }}) for the full changelog.
+          generate_release_notes: true
+
   # ---------------------------------------------------------------------------
   # Step 4: create the umbrella GitHub Release. Runs after all
   # publish-* jobs succeed. Uses GitHub's native auto-generated
@@ -641,7 +897,7 @@ jobs:
   # config if we add one later.
   finalize:
     name: Finalize umbrella release
-    needs: [detect, publish-crate, publish-ffi, publish-desktop, publish-python]
+    needs: [detect, publish-crate, publish-ffi, publish-desktop, publish-python, publish-nodejs]
     if: needs.detect.outputs.should_release == 'true'
     runs-on: ubuntu-latest
     steps:
@@ -663,8 +919,9 @@ jobs:
             - 🔧 [C FFI](../../releases/tag/sqlrite-ffi-v${{ needs.detect.outputs.version }}) — prebuilt `libsqlrite_c` for Linux x86_64/aarch64, macOS aarch64, Windows x86_64
             - 🖥️ [Desktop](../../releases/tag/sqlrite-desktop-v${{ needs.detect.outputs.version }}) — unsigned installers for Linux (AppImage + deb), macOS (dmg aarch64), Windows (msi)
             - 🐍 [Python](../../releases/tag/sqlrite-py-v${{ needs.detect.outputs.version }}) → [PyPI](https://pypi.org/project/sqlrite/${{ needs.detect.outputs.version }}/) — abi3-py38 wheels for Linux x86_64/aarch64, macOS aarch64, Windows x86_64 + sdist
+            - 🟢 [Node.js](../../releases/tag/sqlrite-node-v${{ needs.detect.outputs.version }}) → [npm](https://www.npmjs.com/package/@joaoh82/sqlrite/v/${{ needs.detect.outputs.version }}) — N-API bindings with prebuilt `.node` binaries for Linux x86_64/aarch64, macOS aarch64, Windows x86_64
 
-            _Node.js / WASM / Go SDKs land as their publish jobs come online (Phases 6g–6i)._
+            _WASM / Go SDKs land as their publish jobs come online (Phases 6h–6i)._
 
             ---
 

{sqlrite-0.1.4 → sqlrite-0.1.6}/Cargo.lock

@@ -3736,7 +3736,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-desktop"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "serde",
  "serde_json",
@@ -3748,7 +3748,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-engine"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "clap",
  "env_logger",
@@ -3763,7 +3763,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-ffi"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "cbindgen",
  "sqlrite-engine",
@@ -3771,7 +3771,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-nodejs"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "napi",
  "napi-build",
@@ -3781,7 +3781,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-python"
-version = "0.1.4"
+version = "0.1.6"
 dependencies = [
  "pyo3",
  "sqlrite-engine",

{sqlrite-0.1.4 → sqlrite-0.1.6}/Cargo.toml

@@ -27,7 +27,7 @@ resolver = "3"
 # `package =` key so the import name stays `sqlrite` internally:
 #     sqlrite = { package = "sqlrite-engine", path = "…" }
 name = "sqlrite-engine"
-version = "0.1.4"
+version = "0.1.6"
 authors = ["Joao Henrique Machado Silva <joaoh82@gmail.com>"]
 edition = "2024"
 rust-version = "1.85"

{sqlrite-0.1.4 → sqlrite-0.1.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sqlrite
-Version: 0.1.4
+Version: 0.1.6
 Classifier: Development Status :: 3 - Alpha
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{sqlrite-0.1.4 → sqlrite-0.1.6}/README.md

@@ -224,7 +224,7 @@ Lockstep versioning — one dispatch bumps every product to the same `vX.Y.Z`. T
 
 - [x] **6a — Bump script**: `scripts/bump-version.sh` rewrites the version string in ten manifests (7 TOML, 3 JSON) in a single pass; semver-validated, idempotent, cross-platform (BSD + GNU sed). Runnable locally for rehearsing a release: `./scripts/bump-version.sh 0.2.0 && cargo build && git diff`.
 - [x] **6b — CI**: `.github/workflows/ci.yml` runs on every PR + push to main. Seven parallel jobs: `rust-build-and-test` (Linux/macOS/Windows × cargo build + test), `rust-lint` (fmt + clippy + doc), `python-sdk` (Linux/macOS/Windows × maturin develop + pytest in a venv), `nodejs-sdk` (Linux/macOS/Windows × napi build + node --test), `go-sdk` (Linux/macOS × cargo build sqlrite-ffi + go test), `wasm-build` (wasm-pack + size report), `desktop-build` (npm ci + Tauri Rust compile). Cargo / npm / pip caching for fast PR turnaround.
-- [x] **6c — Trusted publisher setup + branch protection runbook**: [`docs/release-secrets.md`](docs/release-secrets.md) captures the one-time web-UI setup — crates.io token in the `release` environment, OIDC trusted publishers on PyPI (`sqlrite`) and npm (`sqlrite` + `sqlrite-wasm`), GitHub `release` environment with required reviewer, branch protection on `main` requiring 14 CI jobs + 1 review. No code changes — executable as-is, ready to run through in the GitHub + registry UIs.
+- [x] **6c — Trusted publisher setup + branch protection runbook**: [`docs/release-secrets.md`](docs/release-secrets.md) captures the one-time web-UI setup — crates.io token in the `release` environment, OIDC trusted publishers on PyPI (`sqlrite`) and npm (`@joaoh82/sqlrite` + `sqlrite-wasm` — Node binding is scoped because npm's similarity check rejects the unscoped name against `sqlite`/`sqlite3`), GitHub `release` environment with required reviewer, branch protection on `main` requiring 14 CI jobs + 1 review. No code changes — executable as-is, ready to run through in the GitHub + registry UIs.
 - [x] **6d — Release PR + skeleton publish**: two workflows under `.github/workflows/`. `release-pr.yml` (manual dispatch with version input → bump-version.sh → PR), `release.yml` (fires on `release: v<semver>` merge commit → `tag-all` + `publish-crate` + `publish-ffi` matrix [linux x86_64/aarch64, macOS aarch64, windows x86_64] + umbrella release). Idempotent tag creation so "Re-run failed jobs" works after partial failures. `cargo publish` gated by the `release` environment's required-reviewer rule. First canary: `v0.1.1`.
 - [ ] **6e — Desktop publish**: add `publish-desktop` to `release.yml` — Tauri build matrix → unsigned `.AppImage` / `.deb` / `.dmg` / `.msi` → GitHub Release
 - [ ] **6f — Python SDK publish**: `maturin-action` → abi3 wheels for manylinux x86_64/aarch64 + macOS universal + Windows x86_64 → PyPI via OIDC

{sqlrite-0.1.4 → sqlrite-0.1.6}/desktop/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sqlrite-desktop-frontend",
   "private": true,
-  "version": "0.1.4",
+  "version": "0.1.6",
   "type": "module",
   "scripts": {
     "dev": "vite",

{sqlrite-0.1.4 → sqlrite-0.1.6}/docs/embedding.md

@@ -217,7 +217,7 @@ Phase 6 lands GitHub Actions CI + release automation:
 
 - **crates.io** — `sqlrite-engine` crate (published under a different name from the `sqlrite` lib target because the short name was already taken; users `cargo add sqlrite-engine` but still write `use sqlrite::…`)
 - **PyPI** — `sqlrite` wheels (manylinux x86_64/aarch64, macOS universal, Windows x86_64)
-- **npm** — `sqlrite` (Node) + `sqlrite-wasm` (browser) packages
+- **npm** — `@joaoh82/sqlrite` (Node) + `sqlrite-wasm` (browser) packages
 - **Go modules** — `sdk/go/v*` git tags
 - **GitHub Releases** — Tauri desktop builds + C FFI prebuilt libraries
 

{sqlrite-0.1.4 → sqlrite-0.1.6}/docs/release-plan.md

@@ -73,7 +73,7 @@ GitHub Releases by product ("show me every Python release").
 | Rust engine     | `sqlrite-vX.Y.Z`       | crates.io + GitHub Release                       |
 | C FFI shim      | `sqlrite-ffi-vX.Y.Z`   | GitHub Release (per-platform tarballs)           |
 | Python SDK      | `sqlrite-py-vX.Y.Z`    | PyPI + GitHub Release                            |
-| Node.js SDK     | `sqlrite-node-vX.Y.Z`  | npm + GitHub Release                             |
+| Node.js SDK     | `sqlrite-node-vX.Y.Z`  | npm (`@joaoh82/sqlrite`) + GitHub Release        |
 | Go SDK          | `sdk/go/vX.Y.Z`        | Git tag (no registry) + GitHub Release assets    |
 | WASM            | `sqlrite-wasm-vX.Y.Z`  | npm (`sqlrite-wasm`) + GitHub Release            |
 | Desktop app     | `sqlrite-desktop-vX.Y.Z` | GitHub Release (unsigned installers)           |

{sqlrite-0.1.4 → sqlrite-0.1.6}/docs/release-secrets.md

@@ -105,27 +105,36 @@ release, status flips to "active".
 
 ## 3. npm trusted publishers (two packages)
 
-**Why two:** we publish `sqlrite` (Node.js bindings from
+**Why two:** we publish `@joaoh82/sqlrite` (Node.js bindings from
 `sdk/nodejs/`) and `sqlrite-wasm` (browser bindings from
 `sdk/wasm/`) as separate npm packages. Each needs its own
 trusted-publisher record.
 
-### 3a. Reserve `sqlrite` on npm
+**Why the scoped name on the Node.js package:** npm's registry
+rejects the unscoped `sqlrite` name because of a similarity check
+against the existing `sqlite` / `sqlite3` packages (levenshtein
+distance 1). Scoping under `@joaoh82` (the author's npm user
+scope) bypasses the check cleanly — same pattern as `@napi-rs/*`,
+`@swc/core`, etc. Discovered during the v0.1.5 canary attempt;
+rename PR landed before the retry. Applies to the Node.js
+package only; `sqlrite-wasm` may or may not hit the same check
+when 6h lands (if it does, rename to `@joaoh82/sqlrite-wasm`).
 
-1. Log in at <https://www.npmjs.com/>.
-2. Search for `sqlrite` — confirm it's not taken. (If it is,
-   we'll rename — update `sdk/nodejs/package.json`'s `name` +
-   `napi.name` to something like `@joaoh82/sqlrite` and file an
-   issue.)
+### 3a. Reserve `@joaoh82/sqlrite` on npm
 
-### 3b. Trusted publisher for `sqlrite`
+1. Log in at <https://www.npmjs.com/> as `joaoh82`.
+2. Scoped packages under your user scope are auto-owned — no
+   manual name reservation step required. First-time publish
+   against the trusted publisher will create the package.
+
+### 3b. Trusted publisher for `@joaoh82/sqlrite`
 
 npm's trusted publishing flow:
 
-1. From the package page (after first manual publish, or via
-   <https://www.npmjs.com/package/sqlrite> once pre-registered),
-   click **Settings** → **Trusted Publishers**.
+1. Go to <https://www.npmjs.com/settings/~/packages> (or your
+   profile → Packages) → **Trusted Publishers** tab.
 2. **Add a new publisher**:
+   - **Package name**: `@joaoh82/sqlrite`
    - **Publisher**: GitHub Actions
    - **Organization or user**: `joaoh82`
    - **Repository**: `rust_sqlite`
@@ -133,20 +142,14 @@ npm's trusted publishing flow:
    - **Environment**: `release`
 3. Save.
 
-**npm's chicken-and-egg:** npm doesn't offer a "pending
-publisher" mode like PyPI. A package must exist before you can
-add a trusted publisher for it. First-time publish workaround:
-
-- Use a classic npm access token (generate one scoped to publish
-  for `sqlrite` only) for the very first publish only.
-- Store it temporarily as `NPM_TOKEN` in the `release`
-  environment's secrets.
-- After the first publish succeeds, add the trusted publisher
-  via the UI, then delete `NPM_TOKEN` from the secrets.
-- On the next release, OIDC takes over automatically.
-
-Document the temporary token in a pinned issue so it gets
-rotated out once OIDC is live.
+**npm's chicken-and-egg, resolved for scoped packages:** For
+unscoped names (like the abandoned `sqlrite` attempt), npm
+requires the package to already exist before you can add a
+trusted publisher — first publish needs a temporary `NPM_TOKEN`.
+For scoped packages under your own user scope, npm auto-owns
+the scope, and the trusted-publisher registration works against
+the future package before it exists. First CI publish creates
+it cleanly with OIDC. **No temporary token needed.**
 
 ### 3c. Repeat for `sqlrite-wasm`
 

{sqlrite-0.1.4 → sqlrite-0.1.6}/docs/roadmap.md

@@ -360,7 +360,7 @@ One-time non-code setup — the state lives in registry web UIs + GitHub setting
 
 1. **crates.io API token** → `CRATES_IO_TOKEN` in the `release` environment's secrets (crates.io doesn't support OIDC yet, so this is the only long-lived token in the pipeline).
 2. **PyPI trusted publisher** pointed at `release.yml` / environment `release` — short-lived OIDC tokens, no secret to leak.
-3. **npm trusted publishers** for both `sqlrite` (the Node binding) and `sqlrite-wasm` (the browser binding). npm doesn't have a pending-publisher mode like PyPI, so the runbook captures the first-release bootstrap: temporary `NPM_TOKEN`, then swap to OIDC.
+3. **npm trusted publishers** for both `@joaoh82/sqlrite` (the Node binding — scoped because npm rejected the unscoped `sqlrite` name as too similar to `sqlite`/`sqlite3`) and `sqlrite-wasm` (the browser binding). Scoped packages under your own user scope auto-own the name, so the trusted-publisher flow works without a bootstrap `NPM_TOKEN`. See `docs/release-secrets.md` §3 for the full flow.
 4. **GitHub `release` environment** — required reviewer (maintainer), `main`-only deployments, scoped secrets. Acts as a second human-in-the-loop gate after the Release PR merge but before any registry write.
 5. **Branch protection on `main`** — require 14 CI status checks green + 1 review + conversation resolution. Admin bypass left available for emergencies.
 
@@ -419,9 +419,15 @@ Wheel matrix mirrors publish-ffi + publish-desktop: Linux x86_64 (manylinux2014
 
 Authentication via PyPI trusted publishing (OIDC) — zero long-lived tokens. `permissions: id-token: write` on the publish job plus the `release` GitHub environment (one-time trusted-publisher config on PyPI's web UI, documented in `docs/release-secrets.md`).
 
-### Phase 6g — Node.js SDK publish
+### ✅ Phase 6g — Node.js SDK publish
 
-Adds `publish-nodejs` job. `@napi-rs/cli` builds `.node` binaries per platform; npm publish via OIDC.
+Adds two jobs to `release.yml` — `build-nodejs-binaries` (matrix of 4 platforms) + `publish-nodejs` (aggregator + npm upload + GitHub Release).
+
+**Bundled-binaries architecture**: the main `sqlrite` npm package ships every platform's `.node` binary inside one tarball (~15 MiB), not the per-platform optional-dep packages `@napi-rs/*` projects use. Simpler for an MVP (one npm publish, one package to manage); the tradeoff is a bigger install, acceptable for a database driver people install once. The `index.js` dispatcher napi generates picks the right binary at require time via `process.platform` + `process.arch`.
+
+Same build/publish split as publish-python — matrix cells upload `.node` artifacts, a single aggregator job downloads everything into `sdk/nodejs/`, runs `npm publish --provenance` once. `--provenance` attaches a sigstore-signed attestation linking the published package to this exact workflow run (npm's equivalent of PyPI's PEP 740).
+
+Authentication via npm OIDC trusted publishing — zero long-lived `NPM_TOKEN`. One-time trusted-publisher registration on npmjs.com, documented in `docs/release-secrets.md`.
 
 ### Phase 6h — WASM publish
 

{sqlrite-0.1.4 → sqlrite-0.1.6}/examples/README.md

@@ -6,12 +6,12 @@ Phase 5 lands these incrementally — each sub-phase fills in one language. The
 
 | Language | Status | SDK published | Directory |
 |----------|--------|---------------|-----------|
-| Rust     | ✅ Phase 5a       | crates.io (Phase 6c) | [`rust/`](rust/)     |
+| Rust     | ✅ Phase 5a       | crates.io as `sqlrite-engine` (Phase 6d) | [`rust/`](rust/)     |
 | C (FFI)  | ✅ Phase 5b       | GitHub Releases (Phase 6d) | [`c/`](c/)           |
-| Python   | ✅ Phase 5c       | PyPI (Phase 6e)      | [`python/`](python/) |
-| Node.js  | ✅ Phase 5d       | npm (Phase 6e)       | [`nodejs/`](nodejs/) |
-| Go       | ✅ Phase 5e       | Go modules (Phase 6e)| [`go/`](go/)         |
-| WASM     | ✅ Phase 5g       | npm as `sqlrite-wasm` (Phase 6e) | [`wasm/`](wasm/)     |
+| Python   | ✅ Phase 5c       | PyPI as `sqlrite` (Phase 6f) | [`python/`](python/) |
+| Node.js  | ✅ Phase 5d       | npm as `@joaoh82/sqlrite` (Phase 6g) | [`nodejs/`](nodejs/) |
+| Go       | ✅ Phase 5e       | Go modules (Phase 6i) | [`go/`](go/)         |
+| WASM     | ✅ Phase 5g       | npm as `sqlrite-wasm` (Phase 6h) | [`wasm/`](wasm/)     |
 
 See [docs/roadmap.md](../docs/roadmap.md) for what each sub-phase delivers.
 

{sqlrite-0.1.4 → sqlrite-0.1.6}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "sqlrite"
-version = "0.1.4"
+version = "0.1.6"
 description = "Python bindings for SQLRite — a small, embeddable SQLite clone written in Rust."
 authors = [{ name = "Joao Henrique Machado Silva", email = "joaoh82@gmail.com" }]
 license = { text = "MIT" }

{sqlrite-0.1.4 → sqlrite-0.1.6}/sdk/python/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sqlrite-python"
-version = "0.1.4"
+version = "0.1.6"
 authors = ["Joao Henrique Machado Silva <joaoh82@gmail.com>"]
 edition = "2024"
 rust-version = "1.85"