diff --git a/npm/README.md b/npm/README.md index 07b9fb0..baab28d 100644 --- a/npm/README.md +++ b/npm/README.md @@ -1,11 +1,11 @@ -# npm distribution wrapper (Rust migration scaffold) +# npm distribution wrapper -> Status: **scaffold** — authored for ADR-0003 / track `rust-rewrite-20260618` -> (T023). Not yet wired into the live publish. The published `@pleaseai/csp` -> package on npm is still produced from the TypeScript build (root `package.json`, -> `dist/cli.mjs`). Cut over to this wrapper only when the Rust binary reaches full -> runtime parity and the Rust release pipeline (`.github/workflows/release-rust.yml`) -> is producing verified `csp-` assets. +> Status: **live** (since v0.1.4). The published `@pleaseai/csp` package is the +> Rust-binary wrapper generated from this directory by +> `scripts/generate-platform-packages.mjs` and published via npm Trusted +> Publishing in `.github/workflows/release-please.yml`. The generator ships the +> repo-root `README.md` + `LICENSE` inside the wrapper so the npm page renders +> docs. This internal note documents the layout; it is not published. ## Goal 
@@ -37,11 +37,13 @@ follows the [Biome](https://github.com/biomejs/biome) distribution model: per-platform package directories from the built `csp-` assets and the release version, ready to `npm publish --provenance` each one. -## Release flow (once activated) +## Release flow 1. `release-rust.yml` builds `csp-` binaries + checksums. 2. `node npm/scripts/generate-platform-packages.mjs ` - materializes `npm/dist//` for each platform. + materializes `npm/dist//` for each platform (and the wrapper, with the + repo-root `README.md` + `LICENSE` copied in). 3. Publish each platform package, then the wrapper, with - `npm publish ./ --provenance --access public` (CI: `id-token: write`). - Per repo policy, use `npm publish` for provenance — not `bun publish`. + `npm publish ./ --access public` (CI: `id-token: write`). Auth is npm + Trusted Publishing (OIDC) — no token, and provenance is generated + automatically, so no `--provenance` flag is needed. diff --git a/npm/scripts/generate-platform-packages.mjs b/npm/scripts/generate-platform-packages.mjs index 616a58a..5cdab9b 100644 --- a/npm/scripts/generate-platform-packages.mjs +++ b/npm/scripts/generate-platform-packages.mjs @@ -38,6 +38,9 @@ if (!version || !assetsDir) { const distRoot = join(npmRoot, 'dist') mkdirSync(distRoot, { recursive: true }) +// Repo root holds the README + LICENSE shipped inside the published packages. +const repoRoot = resolve(npmRoot, '..') + const base = JSON.parse(readFileSync(join(npmRoot, 'csp', 'package.json'), 'utf8')) // Generate a package per target whose asset is present. A missing asset is 
@@ -71,6 +74,10 @@ for (const t of TARGETS) { const dest = join(outDir, t.binary) copyFileSync(src, dest) chmodSync(dest, 0o755) + // Ship LICENSE in each platform package too — these are published + // independently, and license-compliance scanners (FOSSA, Snyk, …) look for a + // LICENSE file in every package directory. + copyFileSync(join(repoRoot, 'LICENSE'), join(outDir, 'LICENSE')) generated.push(t) process.stdout.write(`wrote ${t.pkg}@${version} (${t.asset} -> ${t.binary})\n`) } @@ -91,4 +98,10 @@ const wrapperDir = join(distRoot, 'csp') mkdirSync(join(wrapperDir, 'bin'), { recursive: true }) writeFileSync(join(wrapperDir, 'package.json'), `${JSON.stringify(wrapper, null, 2)}\n`) copyFileSync(join(npmRoot, 'csp', 'bin', 'csp.js'), join(wrapperDir, 'bin', 'csp.js')) + +// Ship the user-facing README + LICENSE in the published wrapper so the npm +// package page renders docs (without these, npm shows "No README data found"). +// npm always includes README.md / LICENSE regardless of the `files` allowlist. +copyFileSync(join(repoRoot, 'README.md'), join(wrapperDir, 'README.md')) +copyFileSync(join(repoRoot, 'LICENSE'), join(wrapperDir, 'LICENSE')) process.stdout.write(`wrote wrapper @pleaseai/csp@${version}\n`)
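Review bot: In the npm/README.md status block (hunk `@@ -1,11 +1,11 @@`), the new text names `.github/workflows/release-please.yml` as the publishing workflow, while step 1 of the release flow still says `release-rust.yml` builds the binaries and checksums, so the note should say which workflow builds and which publishes. The removed text spoke of "verified `csp-` assets"; the replacement no longer says where the checksums from step 1 are checked before the binaries are packed, and one sentence on that would close the gap.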
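Review bot: In the npm/README.md release-flow hunk (`@@ -37,11 +37,13 @@`), the unchanged context line above the heading still reads "ready to `npm publish --provenance` each one", which now contradicts step 3's statement that no `--provenance` flag is needed; update that sentence in the same change. The removed policy line about using `npm publish` rather than `bun publish` is worth keeping in some form, because step 3 now relies on npm Trusted Publishing (OIDC) for both auth and provenance and the README no longer says which client the publish step must use.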
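Review bot: The new `const repoRoot = resolve(npmRoot, '..')` line in npm/scripts/generate-platform-packages.mjs (hunk `@@ -38,6 +38,9 @@`) calls `resolve`, but every other path call visible in this patch uses `join` and no import change is shown; confirm `resolve` is already imported from `node:path`, or add it to the import in this change. If `npmRoot` is already absolute, `join(npmRoot, '..')` would match the rest of the file.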
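Review bot: In the per-target loop (hunk `@@ -71,6 +74,10 @@`), `copyFileSync(join(repoRoot, 'LICENSE'), join(outDir, 'LICENSE'))` fails on a missing LICENSE only after the first binary has been copied and made executable, which leaves a partly generated `npm/dist` behind. Check once, before the loop, that `LICENSE` (and `README.md`, needed later for the wrapper) exists under `repoRoot` and exit with a clear message, next to the existing `version` / `assetsDir` guard.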
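Review bot: The wrapper block (hunk `@@ -91,4 +98,10 @@`) copies `README.md` only into `wrapperDir`, so by this comment's own reasoning the platform packages, which the loop comment describes as published independently, will still show "No README data found" on npm. If that is intended, say so in the comment; otherwise write a short README into each `outDir` that points readers to `@pleaseai/csp`.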