Skip to main content
Public packages must be published from CI with provenance enabled. Manual local publishes are not acceptable for release builds. The planned release contract is declared in npm-release-manifest.json. That file names the public packages, publish order, npm commands, provenance requirements, and blockers. It is a release contract, not proof that npm publication has happened. The CLI command boundary is declared in public-cli-surface-contract.json. That file marks the public artifact lane separately from hosted publisher commands and legacy builder commands. The selected artifact-only CLI cut is declared in artifact-cli-cut-contract.json: @budscollab/cli exposes budsui from dist/sdk.js, and the release workflow builds it with pnpm --filter @budscollab/cli build:sdk. The public repo slice includes .github/workflows/npm-publish.yml as the guarded CI provenance publish template. The workflow checks publicNpmReady, runs pnpm validate:sdk-distribution, builds the packages, checks pnpm verify:npm:local, and uses npm publish --provenance. The release verifier is scripts/verify-npm-release.mjs. It supports pnpm verify:npm:local before publishing and pnpm verify:npm:published https://registry.npmjs.org after publication to confirm that the exact package versions are visible on npm. Initial package names:
  • @budscollab/sdk-contract
  • @budscollab/cli, exposing the budsui binary
  • create-budscollab-app, exposing npm create budscollab-app
Release requirements:
  • CI-controlled publish workflow at .github/workflows/npm-publish.yml.
  • npm provenance enabled.
  • package order follows npm-release-manifest.json.
  • versioned changelog entry.
  • generated package artifacts validated with pnpm validate:sdk-distribution.
  • local npm release package contract validated with pnpm verify:npm:local.
  • published package versions verified with pnpm verify:npm:published https://registry.npmjs.org.
  • no private BudsCollab runtime imports.
  • public artifact commands separated from hosted publisher and legacy builder commands.
  • no secrets or non-example .env files.
Current status: publicNpmPublished is false. Do not claim public npm install works until the public repo manifest is marked ready, CI provenance publishing has run successfully, and the packages are actually published from the release workflow. Registry install still requires separate BudsCollab publisher verification, stored review evidence, artifact signing, and install policy.