> ## Documentation Index
> Fetch the complete documentation index at: https://docs.budscollab.com/llms.txt
> Use this file to discover all available pages before exploring further.

# npm provenance and signing

> Release requirements before publishing BudsCollab SDK packages.

Public packages must be published from CI with provenance enabled. Manual local
publishes are not acceptable for release builds.

The planned release contract is declared in `npm-release-manifest.json`. That
file names the public packages, publish order, npm commands, provenance
requirements, and blockers. It is a release contract, not proof that npm
publication has happened.
The CLI command boundary is declared in `public-cli-surface-contract.json`.
That file marks the public artifact lane separately from hosted publisher
commands and legacy builder commands.
The selected artifact-only CLI cut is declared in
`artifact-cli-cut-contract.json`: `@budscollab/cli` exposes `budsui` from
`dist/sdk.js`, and the release workflow builds it with
`pnpm --filter @budscollab/cli build:sdk`.
The public repo slice includes `.github/workflows/npm-publish.yml` as the
guarded CI provenance publish template. The workflow checks
`publicNpmReady`, runs `pnpm validate:sdk-distribution`, builds the packages,
checks `pnpm verify:npm:local`, and uses `npm publish --provenance`.
The release verifier is `scripts/verify-npm-release.mjs`. It supports
`pnpm verify:npm:local` before publishing and
`pnpm verify:npm:published https://registry.npmjs.org` after publication to
confirm that the exact package versions are visible on npm.

Initial package names:

* `@budscollab/sdk-contract`
* `@budscollab/cli`, exposing the `budsui` binary
* `create-budscollab-app`, exposing `npm create budscollab-app`

Release requirements:

* CI-controlled publish workflow at `.github/workflows/npm-publish.yml`.
* npm provenance enabled.
* package order follows `npm-release-manifest.json`.
* versioned changelog entry.
* generated package artifacts validated with `pnpm validate:sdk-distribution`.
* local npm release package contract validated with `pnpm verify:npm:local`.
* published package versions verified with
  `pnpm verify:npm:published https://registry.npmjs.org`.
* no private BudsCollab runtime imports.
* public artifact commands separated from hosted publisher and legacy builder
  commands.
* no secrets or non-example `.env` files.

Current status: `publicNpmPublished` is `false`. Do not claim public npm install
works until the public repo manifest is marked ready, CI provenance publishing
has run successfully, and the packages are actually published from the release
workflow.

Registry install still requires separate BudsCollab publisher verification,
stored review evidence, artifact signing, and install policy.
