fix(npm): ship README + LICENSE in the published wrapper package

[amondnet]

Problem

The published @pleaseai/csp package has no README — npm view @pleaseai/csp readme returns No README data found, so the npm page shows no documentation.

The generator (generate-platform-packages.mjs) writes only package.json + bin/csp.js into npm/dist/csp, so nothing renders on npmjs.com.

Fix

The generator now copies the repo-root README.md and LICENSE into the wrapper dir. npm always includes README.md/LICENSE in the tarball regardless of the files allowlist.

Verified with npm pack --dry-run on the generated wrapper:

npm notice Tarball Contents
npm notice 1.1kB  LICENSE
npm notice 20.6kB README.md
npm notice 2.8kB  bin/csp.js
npm notice 765B   package.json

Also refreshes the stale internal npm/README.md note (scaffold → live; drops the --provenance flag mention since OIDC Trusted Publishing generates provenance automatically).

Effect

Takes effect on the next release (the current 0.1.4 npm package keeps its missing README until re-published). The npm page will then render the full root README — including the npm/crates.io/coverage/Socket badges once #54 merges.

Test plan

• node --check + eslint clean
• npm pack --dry-run shows README.md + LICENSE in the tarball

---

Summary by cubic

Fixes missing docs on the @pleaseai/csp npm page by shipping README.md and LICENSE in the wrapper so npm renders docs. Also adds LICENSE to each platform package for license compliance.

• Bug Fixes
  • Generator (npm/scripts/generate-platform-packages.mjs) now copies repo-root README.md + LICENSE into the wrapper, and LICENSE into every platform package.
  • Verified with npm pack --dry-run; files are included in the tarball.
  • Takes effect on the next publish; updates npm/README.md to mark the wrapper as live and drop --provenance (OIDC Trusted Publishing handles provenance).

^{Written for commit 51d2f2c. Summary will update on new commits.}

Summary by CodeRabbit

• Documentation

  • Updated the npm documentation to reflect that the published @pleaseai/csp package is a Rust-binary wrapper and to clarify the release flow and publishing behavior.

• Packaging / Distribution

  • Included the repository README and LICENSE in the published npm packages, including the top-level wrapper, to improve visibility directly on the npm page.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f8ead7c1-36b6-4957-b0b3-55331df0d75e

📥 Commits

Reviewing files that changed from the base of the PR and between ebd8841 and 51d2f2c.

📒 Files selected for processing (1)

• npm/scripts/generate-platform-packages.mjs

---

📝 Walkthrough

Walkthrough

The generate-platform-packages.mjs script now resolves the repository root directory and copies README.md and LICENSE into both per-platform package directories and the wrapper package directory (npm/dist/csp/). The npm/README.md is updated to mark the wrapper as live since v0.1.4, document the asset-copy steps, and revise the release flow to use OIDC Trusted Publishing instead of an explicit --provenance flag.

Changes

npm Wrapper Asset Distribution

Layer / File(s)	Summary
Add repo root asset copying to generation script npm/scripts/generate-platform-packages.mjs	The script resolves the repository root path and copies the LICENSE file into each generated per-platform package directory. It also copies the root README.md and LICENSE into the wrapper output directory (dist/csp/) for publication.
Document live wrapper status and asset publishing npm/README.md	The wrapper status changes to "live" and documentation now describes the README.md and LICENSE copy behavior. The release flow section is updated to remove the explicit --provenance flag and clarify that provenance is generated automatically via npm Trusted Publishing (OIDC).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• pleaseai/code-search#42: Updates CI publishing flow to generate and publish platform/wrapper npm packages using the updated generate-platform-packages script with OIDC-based Trusted Publishing for provenance.

Poem

🐇 Hop hop, the wrapper's alive!
README and LICENSE now arrive,
Copied neat into the dist,
No provenance flag is missed—
OIDC does the trick,
Publishing smooth and quick! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding README and LICENSE files to the published npm wrapper package, which directly addresses the core issue of missing documentation on npmjs.com.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-wrapper-readme

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[gemini-code-assist]

Code Review

This pull request transitions the npm distribution wrapper to 'live' status, updating the documentation to reflect npm Trusted Publishing and modifying the generation script to copy the repository's README.md and LICENSE into the wrapper package. The reviewer recommended extending this by also copying the LICENSE file into each platform-specific package to ensure compliance with enterprise license-checking tools.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cubic-dev-ai]

No issues found across 2 files

Architecture diagram

sequenceDiagram
    participant Repo as Repository Root
    participant Generator as generate-platform-packages.mjs
    participant Wrapper as npm/dist/csp
    participant Npm as npm Registry

    Note over Repo,Npm: Package Generation Flow

    Generator->>Generator: Read version & assets directory
    Generator->>Generator: Build wrapper package.json
    Generator->>Generator: Create bin/csp.js from template

    Generator->>Repo: Copy README.md
    Generator->>Repo: Copy LICENSE
    Repo-->>Generator: Files copied

    Generator->>Wrapper: Write package.json
    Generator->>Wrapper: Write bin/csp.js
    Generator->>Wrapper: Copy README.md
    Generator->>Wrapper: Copy LICENSE

    Note over Wrapper,Npm: Published Package Contents
    Wrapper-->>Npm: npm publish
    Note over Npm: Tarball includes:<br/>- package.json<br/>- bin/csp.js<br/>- README.md<br/>- LICENSE
    Npm->>Npm: Render README on package page

Loading

_{Re-trigger cubic}