npm-release-manifest.json. That
file names the public packages, publish order, npm commands, provenance
requirements, and blockers. It is a release contract, not proof that npm
publication has happened.
The CLI command boundary is declared in public-cli-surface-contract.json.
That file marks the public artifact lane separately from hosted publisher
commands and legacy builder commands.
The selected artifact-only CLI cut is declared in
artifact-cli-cut-contract.json: @budscollab/cli exposes budsui from
dist/sdk.js, and the release workflow builds it with
pnpm --filter @budscollab/cli build:sdk.
The public repo slice includes .github/workflows/npm-publish.yml as the
guarded CI provenance publish template. The workflow checks
publicNpmReady, runs pnpm validate:sdk-distribution, builds the packages,
checks pnpm verify:npm:local, and uses npm publish --provenance.
The release verifier is scripts/verify-npm-release.mjs. It supports
pnpm verify:npm:local before publishing and
pnpm verify:npm:published https://registry.npmjs.org after publication to
confirm that the exact package versions are visible on npm.
Initial package names:
@budscollab/sdk-contract@budscollab/cli, exposing thebudsuibinarycreate-budscollab-app, exposingnpm create budscollab-app
- CI-controlled publish workflow at
.github/workflows/npm-publish.yml. - npm provenance enabled.
- package order follows
npm-release-manifest.json. - versioned changelog entry.
- generated package artifacts validated with
pnpm validate:sdk-distribution. - local npm release package contract validated with
pnpm verify:npm:local. - published package versions verified with
pnpm verify:npm:published https://registry.npmjs.org. - no private BudsCollab runtime imports.
- public artifact commands separated from hosted publisher and legacy builder commands.
- no secrets or non-example
.envfiles.
publicNpmPublished is false. Do not claim public npm install
works until the public repo manifest is marked ready, CI provenance publishing
has run successfully, and the packages are actually published from the release
workflow.
Registry install still requires separate BudsCollab publisher verification,
stored review evidence, artifact signing, and install policy.