sqlrite 0.1.6__tar.gz → 0.1.8__tar.gz

{sqlrite-0.1.6 → sqlrite-0.1.8}/.github/workflows/release.yml

@@ -8,8 +8,8 @@
 # Phase 6e adds publish-desktop.
 # Phase 6f adds build-python-wheels + publish-python.
 # Phase 6g adds build-nodejs-binaries + publish-nodejs.
-# Phases 6h–6i add publish-wasm / publish-go as separate jobs
-# to this same file.
+# Phase 6h adds publish-wasm.
+# Phase 6i adds publish-go.
 #
 # Design doc: docs/release-plan.md.
 # One-time registry / branch-protection setup: docs/release-secrets.md.
@@ -127,6 +127,7 @@ jobs:
             "sqlrite-desktop-v$V"
             "sqlrite-py-v$V"
             "sqlrite-node-v$V"
+            "sqlrite-wasm-v$V"
             "v$V"
           )
           for tag in "${TAGS[@]}"; do
@@ -821,32 +822,61 @@ jobs:
           name: nodejs-dispatcher
           path: sdk/nodejs
 
-      - name: List publish payload
+      - name: List publish payload + OIDC env diagnostics
         working-directory: sdk/nodejs
         run: |
           ls -la
           echo "---"
           npm --version
           echo "---"
+          # Confirm the OIDC env vars GitHub Actions auto-sets when
+          # `permissions: id-token: write` is granted. If either of
+          # these is empty, OIDC token exchange CAN'T happen and
+          # npm publish will fall back to "no auth available".
+          # Just print whether they're set, not their values
+          # (the URL has a trailing token-issuance path; treat as
+          # sensitive).
+          echo "ACTIONS_ID_TOKEN_REQUEST_URL  is set: ${ACTIONS_ID_TOKEN_REQUEST_URL:+yes}${ACTIONS_ID_TOKEN_REQUEST_URL:-NO}"
+          echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN is set: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:+yes}${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-NO}"
+          echo "---"
           # Dry-run the pack to see exactly what ends up in the
           # published tarball. A missing .node file or a stray
           # devDep pulled in by accident would be visible here.
           npm pack --dry-run
 
-      # Single atomic publish via OIDC trusted publisher. No
-      # `--provenance` flag and no env block — npm 11.5+ adds
-      # provenance automatically when the publish runs over OIDC,
-      # and an explicit `--provenance` flag combined with no
-      # auth token would actually error out under the older
-      # token-auth pathway.
+      # Single atomic publish via OIDC trusted publisher.
+      #
+      # The `--provenance` flag is what tells npm CLI to use the
+      # OIDC code path. Without it, npm only checks for `_authToken`
+      # config and gives up with ENEEDAUTH (this happened on the
+      # v0.1.6 canary attempt that ran without the flag — npm
+      # never even tried OIDC). With it, npm:
+      #   1. Reads ACTIONS_ID_TOKEN_REQUEST_URL +
+      #      ACTIONS_ID_TOKEN_REQUEST_TOKEN from the GHA env
+      #   2. Mints an OIDC token bearing the workflow's identity
+      #      claims (repo, environment, workflow filename, etc.)
+      #   3. Exchanges it at npm for a one-time publish token
+      #   4. Publishes the package + attaches a sigstore-signed
+      #      provenance attestation linking the artifact to this
+      #      exact workflow run
+      #
+      # The previous v0.1.5 failure with `--provenance` set was a
+      # different bug — `registry-url` on setup-node was generating
+      # an `.npmrc` that forced token-auth and bypassed OIDC. With
+      # registry-url removed (this file's previous fix) and
+      # `--provenance` restored, both bugs are addressed.
       #
       # `--access public` is REQUIRED because `@joaoh82/sqlrite`
-      # is a scoped package and scoped packages default to
-      # private; without the flag, npm rejects the upload for a
-      # free-tier account that can't host private packages.
+      # is a scoped package and scoped packages default to private;
+      # without the flag, npm rejects the upload for a free-tier
+      # account that can't host private packages.
+      #
+      # `--loglevel verbose` makes auth/transport errors
+      # diagnosable from the run log without re-running with
+      # debug-on. Cheap insurance against another silent failure.
       - name: Publish to npm
         working-directory: sdk/nodejs
-        run: npm publish --access public
+        run: npm publish --access public --provenance --loglevel verbose
 
       - name: GitHub Release
         uses: softprops/action-gh-release@v2
@@ -889,6 +919,161 @@ jobs:
             See the umbrella release [v${{ needs.detect.outputs.version }}](../../releases/tag/v${{ needs.detect.outputs.version }}) for the full changelog.
           generate_release_notes: true
 
+  # ---------------------------------------------------------------------------
+  # Step 3h: build the WASM package via wasm-pack and publish to
+  # npm as @joaoh82/sqlrite-wasm. (Phase 6h.)
+  #
+  # Single job — unlike the Python / Node SDKs there's no per-OS
+  # binary matrix, because WebAssembly is one universal artifact
+  # that runs on any wasm32-capable host (browsers, Deno, modern
+  # bundlers). One build, one upload.
+  #
+  # **Why scoped (`@joaoh82/sqlrite-wasm`) preemptively:** the
+  # unscoped `sqlrite-wasm` is currently free on npm but the
+  # similarity check that rejected `sqlrite` (vs `sqlite`) might
+  # also reject `sqlrite-wasm` (vs `sqlite-wasm` — distance 1).
+  # Going scoped from day one matches the Node SDK's
+  # `@joaoh82/sqlrite` decision and avoids the rename dance we
+  # did in PR #30. Free to revisit if the ecosystem demands an
+  # unscoped name.
+  #
+  # **Build target = `bundler`:** webpack/vite/rollup users get
+  # JS modules + .wasm without needing additional config. `web`
+  # / `nodejs` / `deno` targets can be added as siblings later
+  # if there's demand; one target per package is the simpler
+  # MVP shape.
+  #
+  # `--scope joaoh82` on `wasm-pack build` makes wasm-pack emit
+  # an auto-generated package.json with `name: "@joaoh82/sqlrite-wasm"`
+  # in the `pkg/` output directory — saves us from managing two
+  # package.json files (the auto-generated one and a hand-written
+  # override).
+  publish-wasm:
+    name: Publish WASM package to npm
+    needs: [detect, tag-all]
+    if: needs.detect.outputs.should_release == 'true'
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      # OIDC: required for npm trusted-publisher token exchange.
+      # Same flow proven in publish-nodejs after the v0.1.5–0.1.7
+      # debugging adventure.
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: publish-wasm
+          workspaces: 'sdk/wasm -> target'
+
+      # Install wasm-pack — the canonical tool for building +
+      # packaging Rust crates as npm-publishable WASM modules.
+      # `cargo binstall` would be faster than `cargo install`
+      # (downloads a prebuilt binary) but binstall isn't
+      # preinstalled on `ubuntu-latest`; the curl|sh installer
+      # does the same thing in one step without bootstrapping
+      # binstall first.
+      - name: Install wasm-pack
+        run: |
+          curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+      # See publish-nodejs for the long-form rationale of this
+      # whole setup-node + npm-upgrade dance. Short version:
+      # NO `registry-url:` (would force token-auth via .npmrc),
+      # then explicitly upgrade npm to 11.5+ so trusted
+      # publishing is supported.
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Upgrade npm to latest (need 11.5+ for trusted publishing)
+        run: npm install -g npm@latest
+
+      # Build the WASM package. `--target bundler` produces
+      # ES modules + .wasm that webpack/vite/rollup can consume
+      # directly. `--scope joaoh82` makes the auto-generated
+      # package.json's name `@joaoh82/sqlrite-wasm`. `--release`
+      # picks up the size-optimized profile from sdk/wasm/
+      # Cargo.toml ([profile.release] opt-level = "z" + LTO).
+      - name: Build WASM package
+        working-directory: sdk/wasm
+        run: |
+          wasm-pack build --release --target bundler --scope joaoh82
+          echo "--- generated pkg/ contents ---"
+          ls -la pkg/
+          echo "--- generated package.json ---"
+          cat pkg/package.json
+          echo "--- WASM binary size ---"
+          ls -la pkg/*.wasm
+
+      # OIDC env diagnostics — same defensive logging that paid
+      # off when publish-nodejs hit the trusted-publisher subject
+      # mismatch in v0.1.7.
+      - name: OIDC env diagnostics
+        working-directory: sdk/wasm/pkg
+        run: |
+          npm --version
+          echo "ACTIONS_ID_TOKEN_REQUEST_URL  is set: ${ACTIONS_ID_TOKEN_REQUEST_URL:+yes}${ACTIONS_ID_TOKEN_REQUEST_URL:-NO}"
+          echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN is set: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:+yes}${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-NO}"
+          npm pack --dry-run
+
+      # Atomic OIDC publish. Same flag combo proven in
+      # publish-nodejs: `--provenance` to trigger OIDC code path,
+      # `--access public` because scoped packages default to
+      # private, `--loglevel verbose` to keep error logs
+      # diagnosable.
+      - name: Publish to npm
+        working-directory: sdk/wasm/pkg
+        run: npm publish --access public --provenance --loglevel verbose
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: sqlrite-wasm-v${{ needs.detect.outputs.version }}
+          name: WASM v${{ needs.detect.outputs.version }}
+          body: |
+            Published to npm: https://www.npmjs.com/package/@joaoh82/sqlrite-wasm/v/${{ needs.detect.outputs.version }}
+
+            ```bash
+            npm install @joaoh82/sqlrite-wasm@${{ needs.detect.outputs.version }}
+            ```
+
+            ```javascript
+            // Bundler target — works with webpack, vite, rollup, parcel
+            import init, { Database } from '@joaoh82/sqlrite-wasm';
+
+            await init();
+            const db = new Database();
+            db.exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
+            db.exec("INSERT INTO users (name) VALUES ('alice')");
+            const rows = db.query("SELECT id, name FROM users");
+            // → [{ id: 1, name: 'alice' }]
+            ```
+
+            **What's in the package:**
+            - `sqlrite_wasm_bg.wasm` — the WebAssembly engine binary
+            - `sqlrite_wasm.js` — auto-generated JS glue (wasm-bindgen)
+            - `sqlrite_wasm.d.ts` — TypeScript types
+            - `package.json` — bundler-target metadata
+
+            **Build target:** `bundler` (webpack/vite/rollup-friendly).
+            For `web` / `nodejs` / `deno` targets, build from source via `wasm-pack build sdk/wasm --target <target>`.
+
+            Verify package provenance:
+            ```bash
+            npm audit signatures
+            ```
+
+            See the umbrella release [v${{ needs.detect.outputs.version }}](../../releases/tag/v${{ needs.detect.outputs.version }}) for the full changelog.
+          files: sdk/wasm/pkg/*.wasm
+          generate_release_notes: true
+
   # ---------------------------------------------------------------------------
   # Step 4: create the umbrella GitHub Release. Runs after all
   # publish-* jobs succeed. Uses GitHub's native auto-generated
@@ -897,7 +1082,7 @@ jobs:
   # config if we add one later.
   finalize:
     name: Finalize umbrella release
-    needs: [detect, publish-crate, publish-ffi, publish-desktop, publish-python, publish-nodejs]
+    needs: [detect, publish-crate, publish-ffi, publish-desktop, publish-python, publish-nodejs, publish-wasm]
     if: needs.detect.outputs.should_release == 'true'
     runs-on: ubuntu-latest
     steps:
@@ -920,8 +1105,9 @@ jobs:
             - 🖥️ [Desktop](../../releases/tag/sqlrite-desktop-v${{ needs.detect.outputs.version }}) — unsigned installers for Linux (AppImage + deb), macOS (dmg aarch64), Windows (msi)
             - 🐍 [Python](../../releases/tag/sqlrite-py-v${{ needs.detect.outputs.version }}) → [PyPI](https://pypi.org/project/sqlrite/${{ needs.detect.outputs.version }}/) — abi3-py38 wheels for Linux x86_64/aarch64, macOS aarch64, Windows x86_64 + sdist
             - 🟢 [Node.js](../../releases/tag/sqlrite-node-v${{ needs.detect.outputs.version }}) → [npm](https://www.npmjs.com/package/@joaoh82/sqlrite/v/${{ needs.detect.outputs.version }}) — N-API bindings with prebuilt `.node` binaries for Linux x86_64/aarch64, macOS aarch64, Windows x86_64
+            - 🌐 [WASM](../../releases/tag/sqlrite-wasm-v${{ needs.detect.outputs.version }}) → [npm](https://www.npmjs.com/package/@joaoh82/sqlrite-wasm/v/${{ needs.detect.outputs.version }}) — browser/bundler-target WebAssembly build via wasm-pack
 
-            _WASM / Go SDKs land as their publish jobs come online (Phases 6h–6i)._
+            _Go SDK lands as its publish job comes online (Phase 6i)._
 
             ---
 

{sqlrite-0.1.6 → sqlrite-0.1.8}/Cargo.lock

@@ -3736,7 +3736,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-desktop"
-version = "0.1.6"
+version = "0.1.8"
 dependencies = [
  "serde",
  "serde_json",
@@ -3748,7 +3748,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-engine"
-version = "0.1.6"
+version = "0.1.8"
 dependencies = [
  "clap",
  "env_logger",
@@ -3763,7 +3763,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-ffi"
-version = "0.1.6"
+version = "0.1.8"
 dependencies = [
  "cbindgen",
  "sqlrite-engine",
@@ -3771,7 +3771,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-nodejs"
-version = "0.1.6"
+version = "0.1.8"
 dependencies = [
  "napi",
  "napi-build",
@@ -3781,7 +3781,7 @@ dependencies = [
 
 [[package]]
 name = "sqlrite-python"
-version = "0.1.6"
+version = "0.1.8"
 dependencies = [
  "pyo3",
  "sqlrite-engine",

{sqlrite-0.1.6 → sqlrite-0.1.8}/Cargo.toml

@@ -27,7 +27,7 @@ resolver = "3"
 # `package =` key so the import name stays `sqlrite` internally:
 #     sqlrite = { package = "sqlrite-engine", path = "…" }
 name = "sqlrite-engine"
-version = "0.1.6"
+version = "0.1.8"
 authors = ["Joao Henrique Machado Silva <joaoh82@gmail.com>"]
 edition = "2024"
 rust-version = "1.85"

{sqlrite-0.1.6 → sqlrite-0.1.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sqlrite
-Version: 0.1.6
+Version: 0.1.8
 Classifier: Development Status :: 3 - Alpha
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{sqlrite-0.1.6 → sqlrite-0.1.8}/README.md

@@ -224,12 +224,12 @@ Lockstep versioning — one dispatch bumps every product to the same `vX.Y.Z`. T
 
 - [x] **6a — Bump script**: `scripts/bump-version.sh` rewrites the version string in ten manifests (7 TOML, 3 JSON) in a single pass; semver-validated, idempotent, cross-platform (BSD + GNU sed). Runnable locally for rehearsing a release: `./scripts/bump-version.sh 0.2.0 && cargo build && git diff`.
 - [x] **6b — CI**: `.github/workflows/ci.yml` runs on every PR + push to main. Seven parallel jobs: `rust-build-and-test` (Linux/macOS/Windows × cargo build + test), `rust-lint` (fmt + clippy + doc), `python-sdk` (Linux/macOS/Windows × maturin develop + pytest in a venv), `nodejs-sdk` (Linux/macOS/Windows × napi build + node --test), `go-sdk` (Linux/macOS × cargo build sqlrite-ffi + go test), `wasm-build` (wasm-pack + size report), `desktop-build` (npm ci + Tauri Rust compile). Cargo / npm / pip caching for fast PR turnaround.
-- [x] **6c — Trusted publisher setup + branch protection runbook**: [`docs/release-secrets.md`](docs/release-secrets.md) captures the one-time web-UI setup — crates.io token in the `release` environment, OIDC trusted publishers on PyPI (`sqlrite`) and npm (`@joaoh82/sqlrite` + `sqlrite-wasm` — Node binding is scoped because npm's similarity check rejects the unscoped name against `sqlite`/`sqlite3`), GitHub `release` environment with required reviewer, branch protection on `main` requiring 14 CI jobs + 1 review. No code changes — executable as-is, ready to run through in the GitHub + registry UIs.
+- [x] **6c — Trusted publisher setup + branch protection runbook**: [`docs/release-secrets.md`](docs/release-secrets.md) captures the one-time web-UI setup — crates.io token in the `release` environment, OIDC trusted publishers on PyPI (`sqlrite`) and npm (`@joaoh82/sqlrite` + `@joaoh82/sqlrite-wasm` — both scoped because npm's similarity check rejects the unscoped names against `sqlite`/`sqlite3`/`sqlite-wasm`), GitHub `release` environment with required reviewer, branch protection on `main` requiring 14 CI jobs + 1 review. No code changes — executable as-is, ready to run through in the GitHub + registry UIs.
 - [x] **6d — Release PR + skeleton publish**: two workflows under `.github/workflows/`. `release-pr.yml` (manual dispatch with version input → bump-version.sh → PR), `release.yml` (fires on `release: v<semver>` merge commit → `tag-all` + `publish-crate` + `publish-ffi` matrix [linux x86_64/aarch64, macOS aarch64, windows x86_64] + umbrella release). Idempotent tag creation so "Re-run failed jobs" works after partial failures. `cargo publish` gated by the `release` environment's required-reviewer rule. First canary: `v0.1.1`.
 - [ ] **6e — Desktop publish**: add `publish-desktop` to `release.yml` — Tauri build matrix → unsigned `.AppImage` / `.deb` / `.dmg` / `.msi` → GitHub Release
 - [ ] **6f — Python SDK publish**: `maturin-action` → abi3 wheels for manylinux x86_64/aarch64 + macOS universal + Windows x86_64 → PyPI via OIDC
 - [ ] **6g — Node.js SDK publish**: `@napi-rs/cli` → `.node` binaries per platform → npm via OIDC
-- [ ] **6h — WASM publish**: `wasm-pack publish` → `sqlrite-wasm` on npm
+- [x] **6h — WASM publish**: `wasm-pack build --target bundler --scope joaoh82` + `npm publish --provenance` (OIDC) → `@joaoh82/sqlrite-wasm` on npm. Single job, no matrix (WebAssembly is universal). `.wasm` also attached to the `sqlrite-wasm-v<V>` GitHub Release.
 - [ ] **6i — Go SDK publish**: `sdk/go/vX.Y.Z` git tag + attach FFI tarballs to the Go GitHub Release for `go get` users who want prebuilt `libsqlrite_c`
 
 **Phase 6.1 — Code signing** *(follow-up)*

{sqlrite-0.1.6 → sqlrite-0.1.8}/desktop/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sqlrite-desktop-frontend",
   "private": true,
-  "version": "0.1.6",
+  "version": "0.1.8",
   "type": "module",
   "scripts": {
     "dev": "vite",

{sqlrite-0.1.6 → sqlrite-0.1.8}/docs/embedding.md

@@ -189,7 +189,7 @@ Full API tour: [`sdk/go/README.md`](../sdk/go/README.md); runnable walkthrough:
 `sdk/wasm/` — `wasm-bindgen` compiles the Rust engine directly to `wasm32-unknown-unknown`. The whole database runs in a browser tab:
 
 ```js
-import init, { Database } from 'sqlrite-wasm';
+import init, { Database } from '@joaoh82/sqlrite-wasm';
 await init();
 
 const db = new Database();
@@ -201,7 +201,7 @@ const rows = db.query("SELECT id, name FROM users");
 
 **In-memory only** in the MVP — file-backed mode needs OS file locks and a `-wal` sidecar that don't exist in a tab's sandbox. OPFS-backed persistence is a natural follow-up.
 
-Build locally via `wasm-pack build --target web --release` (or `bundler` / `nodejs`). Phase 6e publishes `sqlrite-wasm` to npm via `wasm-pack publish` on `v*` tag push.
+Build locally via `wasm-pack build --target web --release` (or `bundler` / `nodejs`). Phase 6h publishes `@joaoh82/sqlrite-wasm` (bundler target) to npm via `wasm-pack build` + `npm publish` (OIDC trusted publisher) on every release.
 
 The root engine crate is feature-gated (`cli` for rustyline/clap/env_logger; `file-locks` for fs2) so `default-features = false` strips out everything that wouldn't compile on `wasm32-unknown-unknown`.
 
@@ -217,7 +217,7 @@ Phase 6 lands GitHub Actions CI + release automation:
 
 - **crates.io** — `sqlrite-engine` crate (published under a different name from the `sqlrite` lib target because the short name was already taken; users `cargo add sqlrite-engine` but still write `use sqlrite::…`)
 - **PyPI** — `sqlrite` wheels (manylinux x86_64/aarch64, macOS universal, Windows x86_64)
-- **npm** — `@joaoh82/sqlrite` (Node) + `sqlrite-wasm` (browser) packages
+- **npm** — `@joaoh82/sqlrite` (Node) + `@joaoh82/sqlrite-wasm` (browser) packages
 - **Go modules** — `sdk/go/v*` git tags
 - **GitHub Releases** — Tauri desktop builds + C FFI prebuilt libraries
 

{sqlrite-0.1.6 → sqlrite-0.1.8}/docs/release-plan.md

@@ -75,7 +75,7 @@ GitHub Releases by product ("show me every Python release").
 | Python SDK      | `sqlrite-py-vX.Y.Z`    | PyPI + GitHub Release                            |
 | Node.js SDK     | `sqlrite-node-vX.Y.Z`  | npm (`@joaoh82/sqlrite`) + GitHub Release        |
 | Go SDK          | `sdk/go/vX.Y.Z`        | Git tag (no registry) + GitHub Release assets    |
-| WASM            | `sqlrite-wasm-vX.Y.Z`  | npm (`sqlrite-wasm`) + GitHub Release            |
+| WASM            | `sqlrite-wasm-vX.Y.Z`  | npm (`@joaoh82/sqlrite-wasm`) + GitHub Release   |
 | Desktop app     | `sqlrite-desktop-vX.Y.Z` | GitHub Release (unsigned installers)           |
 | **Meta**        | `vX.Y.Z`               | GitHub Release (links to the other seven; acts as the "this was release 0.2.0" anchor) |
 
@@ -290,8 +290,9 @@ from now.
    TestPyPI (for dry-runs) if we decide we want that later.
 3. **npm trusted publishing** — available via npm's newer "OIDC
    trusted publishing" system. One-time config on npm's web UI
-   for the `sqlrite` and `sqlrite-wasm` packages. No `NPM_TOKEN`
-   needed.
+   for the `@joaoh82/sqlrite` and `@joaoh82/sqlrite-wasm`
+   packages. No `NPM_TOKEN` needed (after a one-time placeholder
+   publish per `docs/release-secrets.md` §3a).
 4. **GitHub Environments** — create one called `release` in repo
    settings → Environments. Add `joaoh82` as a required reviewer
    on the `release` environment. The publish jobs reference

{sqlrite-0.1.6 → sqlrite-0.1.8}/docs/release-secrets.md

@@ -106,54 +106,84 @@ release, status flips to "active".
 ## 3. npm trusted publishers (two packages)
 
 **Why two:** we publish `@joaoh82/sqlrite` (Node.js bindings from
-`sdk/nodejs/`) and `sqlrite-wasm` (browser bindings from
+`sdk/nodejs/`) and `@joaoh82/sqlrite-wasm` (browser bindings from
 `sdk/wasm/`) as separate npm packages. Each needs its own
 trusted-publisher record.
 
-**Why the scoped name on the Node.js package:** npm's registry
-rejects the unscoped `sqlrite` name because of a similarity check
-against the existing `sqlite` / `sqlite3` packages (levenshtein
-distance 1). Scoping under `@joaoh82` (the author's npm user
-scope) bypasses the check cleanly — same pattern as `@napi-rs/*`,
-`@swc/core`, etc. Discovered during the v0.1.5 canary attempt;
-rename PR landed before the retry. Applies to the Node.js
-package only; `sqlrite-wasm` may or may not hit the same check
-when 6h lands (if it does, rename to `@joaoh82/sqlrite-wasm`).
-
-### 3a. Reserve `@joaoh82/sqlrite` on npm
-
-1. Log in at <https://www.npmjs.com/> as `joaoh82`.
-2. Scoped packages under your user scope are auto-owned — no
-   manual name reservation step required. First-time publish
-   against the trusted publisher will create the package.
-
-### 3b. Trusted publisher for `@joaoh82/sqlrite`
-
-npm's trusted publishing flow:
-
-1. Go to <https://www.npmjs.com/settings/~/packages> (or your
-   profile → Packages) → **Trusted Publishers** tab.
-2. **Add a new publisher**:
-   - **Package name**: `@joaoh82/sqlrite`
+**Why both are scoped:** npm's registry rejects unscoped names
+that are too similar to existing popular packages — `sqlrite` is
+levenshtein-distance 1 from `sqlite`/`sqlite3`, and
+`sqlrite-wasm` would be distance 1 from `sqlite-wasm`. Scoping
+under `@joaoh82` (the author's npm user scope) bypasses the
+check entirely — same pattern as `@napi-rs/*`, `@swc/core`,
+`@aws-sdk/*`. We learned this the hard way on the Node package
+during the v0.1.5 canary; for the WASM package we went scoped
+preemptively in Phase 6h.
+
+### 3a. Publish a placeholder for each scoped package
+
+**npm requires the package to exist before you can configure a
+trusted publisher for it** (no PyPI-style "pending publisher"
+flow as of late 2025). The bootstrap is a one-time manual
+publish of an empty `0.0.0` placeholder using your local
+credentials. Scoped packages under your own user scope are
+auto-owned, so no separate name reservation is needed beyond
+the publish itself.
+
+For each of `@joaoh82/sqlrite` and `@joaoh82/sqlrite-wasm`:
+
+```bash
+mkdir /tmp/scoped-placeholder && cd /tmp/scoped-placeholder
+cat > package.json <<'JSON'
+{
+  "name": "@joaoh82/sqlrite",
+  "version": "0.0.0",
+  "description": "Placeholder — real package ships from rust_sqlite CI",
+  "license": "MIT"
+}
+JSON
+npm login   # if not already
+npm publish --access public
+# Repeat for @joaoh82/sqlrite-wasm — change the name field.
+```
+
+The placeholder is harmless; the first CI release publishes a
+real `0.X.Y` over the top.
+
+### 3b. Trusted publisher for each package
+
+For each placeholder you just published:
+
+1. Go to the package's settings page:
+   - <https://www.npmjs.com/package/@joaoh82/sqlrite/access>
+   - <https://www.npmjs.com/package/@joaoh82/sqlrite-wasm/access>
+2. Find the **Trusted Publisher** section (under Settings, not
+   the package list).
+3. **Add publisher**:
    - **Publisher**: GitHub Actions
    - **Organization or user**: `joaoh82`
-   - **Repository**: `rust_sqlite`
-   - **Workflow filename**: `release.yml`
-   - **Environment**: `release`
-3. Save.
-
-**npm's chicken-and-egg, resolved for scoped packages:** For
-unscoped names (like the abandoned `sqlrite` attempt), npm
-requires the package to already exist before you can add a
-trusted publisher — first publish needs a temporary `NPM_TOKEN`.
-For scoped packages under your own user scope, npm auto-owns
-the scope, and the trusted-publisher registration works against
-the future package before it exists. First CI publish creates
-it cleanly with OIDC. **No temporary token needed.**
-
-### 3c. Repeat for `sqlrite-wasm`
-
-Same steps as 3a + 3b but for the `sqlrite-wasm` package.
+   - **Repository**: `rust_sqlite` *(repo basename, not
+     `joaoh82/rust_sqlite` — npm prepends the owner field)*
+   - **Workflow filename**: `release.yml` *(basename, not
+     `.github/workflows/release.yml`)*
+   - **Environment**: `release` *(case-sensitive — must match the
+     `environment: release` block on the publish-* jobs in the
+     workflow)*
+4. Save.
+
+**Verify**: each package's settings page should show the
+trusted publisher with status "active" after the first
+successful CI publish.
+
+**Why every field matters:** the OIDC subject claim our workflow
+sends to npm is `repo:joaoh82/rust_sqlite:environment:release`.
+npm builds the matcher from the form fields above; if any field
+disagrees with the OIDC claim, npm responds 404 ("OIDC token
+exchange error - package not found"), which is npm's misleading
+way of saying "no trusted publisher record matches your token's
+claims". Burned us once on v0.1.7 (typo'd repo name in the
+form); kept the form field reference here so the next person
+doesn't have to re-debug.
 
 ---
 
@@ -258,8 +288,9 @@ Run through this once everything above is done:
       `release.yml` / `release` pending for the `sqlrite`
       project.
 - [ ] npm trusted-publisher page shows the same for both
-      `sqlrite` and `sqlrite-wasm` (assuming the packages are
-      registered — if not, section 3b's bootstrap plan applies).
+      `@joaoh82/sqlrite` and `@joaoh82/sqlrite-wasm` (assuming
+      the placeholders are published per §3a — if not, section
+      3a applies).
 - [ ] Branch protection on `main` requires 14 status checks + 1
       review.
 - [ ] Open a dummy PR — the "Merge" button is greyed out until

{sqlrite-0.1.6 → sqlrite-0.1.8}/docs/roadmap.md

@@ -294,7 +294,7 @@ The Rust library is already shippable — this sub-phase adds crate metadata, do
 New `sdk/wasm/` crate (standalone, not in the Cargo workspace — wasm-only crates trip `cargo build --workspace` on native hosts). Compiles the Rust engine straight to `wasm32-unknown-unknown` via `wasm-bindgen`. Engine runs entirely in the browser tab.
 
 ```js
-import init, { Database } from 'sqlrite-wasm';
+import init, { Database } from '@joaoh82/sqlrite-wasm';
 await init();
 
 const db = new Database();
@@ -318,7 +318,7 @@ Landed:
 - No prepared-statement object at the JS boundary; `db.query(sql)` is one-shot. The engine still does prepare/execute internally.
 - Parameter binding deferred to 5a.2 (same as every other SDK).
 
-Phase 6e will publish `sqlrite-wasm` to npm via `wasm-pack publish` on `v*` tag push.
+Phase 6h publishes `@joaoh82/sqlrite-wasm` to npm via `wasm-pack build` + `npm publish` (OIDC trusted publisher) on every release.
 
 ## Phase 6 — Release engineering + CI/CD
 
@@ -360,7 +360,7 @@ One-time non-code setup — the state lives in registry web UIs + GitHub setting
 
 1. **crates.io API token** → `CRATES_IO_TOKEN` in the `release` environment's secrets (crates.io doesn't support OIDC yet, so this is the only long-lived token in the pipeline).
 2. **PyPI trusted publisher** pointed at `release.yml` / environment `release` — short-lived OIDC tokens, no secret to leak.
-3. **npm trusted publishers** for both `@joaoh82/sqlrite` (the Node binding — scoped because npm rejected the unscoped `sqlrite` name as too similar to `sqlite`/`sqlite3`) and `sqlrite-wasm` (the browser binding). Scoped packages under your own user scope auto-own the name, so the trusted-publisher flow works without a bootstrap `NPM_TOKEN`. See `docs/release-secrets.md` §3 for the full flow.
+3. **npm trusted publishers** for both `@joaoh82/sqlrite` (the Node binding) and `@joaoh82/sqlrite-wasm` (the browser binding). Both scoped because npm rejected the unscoped `sqlrite` and the WASM stem also risks the same similarity check against `sqlite-wasm`. Scoped packages under your own user scope auto-own the name; npm-side trusted-publisher config still requires the package to exist first (publish a `0.0.0` placeholder via `npm login` + `npm publish --access public` in a temp dir, then add the trusted publisher on the package's settings page). See `docs/release-secrets.md` §3 for the full flow + the gotchas we hit.
 4. **GitHub `release` environment** — required reviewer (maintainer), `main`-only deployments, scoped secrets. Acts as a second human-in-the-loop gate after the Release PR merge but before any registry write.
 5. **Branch protection on `main`** — require 14 CI status checks green + 1 review + conversation resolution. Admin bypass left available for emergencies.
 
@@ -429,9 +429,17 @@ Same build/publish split as publish-python — matrix cells upload `.node` artif
 
 Authentication via npm OIDC trusted publishing — zero long-lived `NPM_TOKEN`. One-time trusted-publisher registration on npmjs.com, documented in `docs/release-secrets.md`.
 
-### Phase 6h — WASM publish
+### ✅ Phase 6h — WASM publish
 
-Adds `publish-wasm` job. `wasm-pack publish` to npm as `sqlrite-wasm`.
+Adds a single `publish-wasm` job to `release.yml` (no per-platform matrix — WebAssembly is one universal artifact). `wasm-pack build --target bundler --scope joaoh82 --release` produces `sdk/wasm/pkg/` containing the `.wasm` binary, JS glue, TypeScript types, and an auto-generated `package.json` with `name: "@joaoh82/sqlrite-wasm"`. `npm publish --access public --provenance` then uploads via the same OIDC trusted-publisher flow as `publish-nodejs`.
+
+**Scoped (`@joaoh82/sqlrite-wasm`) preemptively** — the unscoped `sqlrite-wasm` is currently free on npm but the similarity check that rejected `sqlrite` (vs `sqlite`) might also reject `sqlrite-wasm` (vs `sqlite-wasm`, distance 1). Going scoped from day one matches the Node SDK and avoids the rename dance we did for it in PR #30.
+
+**Build target = `bundler`** ships JS modules + `.wasm` that webpack/vite/rollup/parcel users can consume directly. `web` / `nodejs` / `deno` targets can be added as siblings later if there's demand; one target per package is the simpler MVP shape.
+
+The `.wasm` binary is also attached to the `sqlrite-wasm-vX.Y.Z` GitHub Release for users who want a download link rather than going through npm.
+
+`docs/release-secrets.md` §3 now covers both scoped npm packages with the bootstrap-then-add-trusted-publisher flow we settled on after the v0.1.5–v0.1.7 publish-nodejs debugging cycle.
 
 ### Phase 6i — Go SDK publish
 

{sqlrite-0.1.6 → sqlrite-0.1.8}/examples/README.md

@@ -11,7 +11,7 @@ Phase 5 lands these incrementally — each sub-phase fills in one language. The
 | Python   | ✅ Phase 5c       | PyPI as `sqlrite` (Phase 6f) | [`python/`](python/) |
 | Node.js  | ✅ Phase 5d       | npm as `@joaoh82/sqlrite` (Phase 6g) | [`nodejs/`](nodejs/) |
 | Go       | ✅ Phase 5e       | Go modules (Phase 6i) | [`go/`](go/)         |
-| WASM     | ✅ Phase 5g       | npm as `sqlrite-wasm` (Phase 6h) | [`wasm/`](wasm/)     |
+| WASM     | ✅ Phase 5g       | npm as `@joaoh82/sqlrite-wasm` (Phase 6h) | [`wasm/`](wasm/)     |
 
 See [docs/roadmap.md](../docs/roadmap.md) for what each sub-phase delivers.
 
@@ -89,5 +89,5 @@ See [`wasm/index.html`](wasm/index.html) and [`sdk/wasm/README.md`](../sdk/wasm/
 ## Design notes
 
 - **One shape across languages.** Every SDK exposes `Connection`, `prepare`, `execute`, and typed `Row` access. The language-specific file in each subdir shows the same CRUD + transaction walkthrough, so users picking up a new binding recognize the surface immediately.
-- **No build step required for end users.** Phase 6 ships prebuilt wheels (Python), `.node` binaries (Node.js), `libsqlrite.{so,dylib,dll}` (for Go / C), and `sqlrite-wasm` (browser) — no "install Rust first" tax.
+- **No build step required for end users.** Phase 6 ships prebuilt wheels (Python), `.node` binaries (Node.js), `libsqlrite.{so,dylib,dll}` (for Go / C), and `@joaoh82/sqlrite-wasm` (browser) — no "install Rust first" tax.
 - **Examples track the engine.** Each sub-phase's commit lands the example alongside the binding itself, so the sample always works against the current library shape.

{sqlrite-0.1.6 → sqlrite-0.1.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "sqlrite"
-version = "0.1.6"
+version = "0.1.8"
 description = "Python bindings for SQLRite — a small, embeddable SQLite clone written in Rust."
 authors = [{ name = "Joao Henrique Machado Silva", email = "joaoh82@gmail.com" }]
 license = { text = "MIT" }

{sqlrite-0.1.6 → sqlrite-0.1.8}/sdk/python/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sqlrite-python"
-version = "0.1.6"
+version = "0.1.8"
 authors = ["Joao Henrique Machado Silva <joaoh82@gmail.com>"]
 edition = "2024"
 rust-version = "1.85"