chore: finalize 0.1.1 release surfaces

[Boulea7]

Summary\n- tighten npm-first release gating so GitHub Release does not publish before npm is ready\n- refresh landing pages, docs hubs, contributing guide, and release checklist for the 0.1.1 public release path\n- add a tracked CHANGELOG and fix dependabot label noise\n\n## Verification\n- pnpm verify:release\n- pnpm test:docs-contract\n- pnpm pack:check\n- pnpm test:tarball-install-smoke\n\n## Notes\n- no remaining low-risk changes need to be absorbed from origin/fix/release-windows-and-ci-hardening\n- final npm release still needs a valid credential path: repo NPM_TOKEN or local npm login

Summary by Sourcery

Tighten the release workflow around npm publication readiness and update public-facing docs and tests for the 0.1.1 release path.

Enhancements:

• Add an npm preflight step in the release workflow that validates credentials, package ownership, and publication status before proceeding, and gate npm publish on this outcome.
• Track CHANGELOG.md in the published package and repository as the canonical changelog source.
• Clarify docs hub structure and contributor guidance around localized landing pages and documentation entry points.
• Retune Dependabot labeling to use the enhancement label for dependency and workflow updates instead of a generic dependencies label.

Documentation:

• Refresh all localized README landing pages to describe npm as the primary install path while keeping GitHub Release tarballs and source installs as documented alternatives, and remove stale 0.1.1-specific wording.
• Tighten the release checklist documentation around npm token requirements, registry preflight, and manual npm publish fallbacks for failed automation.
• Improve docs hub introductions and navigation copy across languages to better guide readers to the right depth and architecture overviews.

Tests:

• Extend the docs contract test suite to assert the presence and content of the changelog, updated release workflow behavior, refined README wording, and release checklist expectations.

---

Summary by cubic

Enforces npm-first publication for the 0.1.1 release by gating GitHub Releases on an npm preflight and publishing to npm before attaching the release asset. Refreshes install/docs, adds a tracked CHANGELOG.md, and reduces Dependabot label noise.

• New Features

  • Add npm preflight to .github/workflows/release.yml (require NPM_TOKEN, run npm whoami, check version/ownership; set publish_mode and fail fast if not ready).
  • Publish to npm before creating the GitHub Release asset; if the version is already on npm, skip publish and continue.
  • Use the same packed tarball for both the GitHub Release asset and npm publish.

• Refactors

  • Make npm the primary install path across landing pages/docs and remove time-limited wording.
  • Tighten docs/release-checklist.md: require the token, run registry preflight, treat missing token as a stop, and document a manual maintainer fallback.
  • Add CHANGELOG.md, include it in package.json, and stop ignoring it.
  • Label Dependabot PRs as enhancement.
  • Extend docs-contract tests to cover the new copy, changelog presence, and release gating/order.

^{Written for commit 2aba3c9. Summary will update on new commits.}

Summary by CodeRabbit

• New Features

  • CHANGELOG.md now available documenting release history.
  • Added npm global installation option as standard install path.

• Documentation

  • Updated README files emphasizing local Markdown memory management and cross-session context.
  • Refined project positioning to highlight Codex-first, Markdown-first local memory capabilities.
  • Updated documentation hub guidance to direct users to most relevant entry points.
  • Enhanced release procedures and checklist documentation with updated verification steps and manual fallback processes.

[sourcery-ai]

Reviewer's Guide

Tightens the release workflow to gate GitHub Releases on npm readiness, refreshes multi-language landing/docs hubs and release checklist for the 0.1.1 public npm path, introduces a tracked CHANGELOG, adjusts docs-contract tests accordingly, and retags Dependabot updates as enhancements.

Sequence diagram for npm-gated GitHub release workflow

sequenceDiagram
  actor Maintainer
  participant GitHubRepo
  participant Actions as GitHubActions_ReleaseWorkflow
  participant npm as npmRegistry
  participant GHRel as GitHubReleases

  Maintainer->>GitHubRepo: Push vX.Y.Z tag
  GitHubRepo-->>Actions: Trigger release workflow

  Actions->>Actions: verify_release_version
  Actions->>Actions: pnpm_verify_release
  Actions->>Actions: pnpm_pack_release
  Actions->>Actions: set tarball_path

  Actions->>npm: npm_preflight (NODE_AUTH_TOKEN present?)
  alt Missing NPM_TOKEN
    Actions->>Actions: write npm_not_configured summary
    Actions-->>Maintainer: Job fails before any public release action
  else NPM_TOKEN present
    Actions->>npm: npm_whoami
    alt Target_version_already_published
      Actions->>npm: npm_view package_version
      Actions->>Actions: set publish_mode=already-published
      Actions->>Actions: write npm_already_published summary
      Actions->>GHRel: Create GitHub Release and upload tarball
      Actions-->>Maintainer: Workflow completes without npm_publish
    else Target_version_not_published
      Actions->>npm: npm_view package_name
      alt Package_exists_and_token_has_access
        Actions->>npm: npm_access_list_packages
        Actions->>Actions: set publish_mode=publish
        Actions->>Actions: write npm_can_publish_new_version summary
        Actions->>GHRel: Create GitHub Release and upload tarball
        Actions->>npm: npm_publish tarball_path
        Actions-->>Maintainer: GitHub Release and npm package published from same tarball
      else Package_absent_or_unexpected_error
        alt Package_absent_404
          Actions->>Actions: set publish_mode=publish
          Actions->>Actions: write first_publish summary
          Actions->>GHRel: Create GitHub Release and upload tarball
          Actions->>npm: npm_publish tarball_path
          Actions-->>Maintainer: First npm publish and GitHub Release from same tarball
        else Unexpected_npm_error
          Actions->>Actions: log_error_and_fail
          Actions-->>Maintainer: Job fails before any public release action
        end
      end
    end
  end

Loading

File-Level Changes

Change	Details	Files
Harden npm-first release workflow so GitHub Release is coordinated with npm publication status and credentials.	Replace simple NPM_TOKEN presence check with a full npm preflight step that reads package name/version, validates NODE_AUTH_TOKEN, and writes status to the step summary and outputs. Run npm whoami and query the registry to detect already-published versions, token access to existing packages, and first-publish scenarios, setting a publish_mode output accordingly. Treat missing NPM_TOKEN as a hard failure that stops the workflow before any public release action, with guidance for manual publish from the built tarball. Update the Publish to npm step condition to trigger only when publish_mode is publish, ensuring GitHub Releases are not created as an automated path when npm publish is misconfigured.	.github/workflows/release.yml
Refresh README landing pages and docs hubs in all languages to reflect the 0.1.1 public npm path and clarify install routes and positioning.	Update Chinese, English, Japanese, and Traditional Chinese READMEs to describe the tool as a Codex-first, Markdown-first local memory tool with clearer positioning around continuity and local control. Reorder and reword install sections so npm install --global codex-auto-memory is presented as the primary/quickest path, with GitHub Release tarball and source install framed as versioned artifact and contributor flows. Remove stale, time-limited wording about the package not being on npm yet and old wrapper-first messaging, and adjust doc links (architecture overview naming, docs hub links). Clarify docs hub intro copy in all languages to be task-oriented navigation, and update references to architecture/overview docs and reading order hints.	README.ja.md README.md README.zh-TW.md README.en.md docs/README.ja.md docs/README.zh-TW.md docs/README.en.md docs/README.md
Tighten contributor guidance and release checklist around docs ownership, localization, and npm-first release requirements.	Simplify CONTRIBUTING by replacing the old product-contract section with a concise "What to optimize for" list that emphasizes continuity and trustworthy review surfaces. Update docs ownership section to reflect four landing pages and four docs hubs, explicitly listing their roles and the key deep-dive docs, and remove "bilingual public-doc setup" phrasing. Revise the release checklist to treat missing Actions NPM_TOKEN as a stop condition, require an npm registry preflight, and describe a manual maintainer fallback path that uses the same pnpm pack:release tarball and is recorded in release notes.	CONTRIBUTING.md docs/release-checklist.md
Expand the docs-contract test suite to enforce the new release/docs posture and presence of the changelog and npm preflight behavior.	Add checks that CHANGELOG.md exists, contains the main header and the 0.1.1 section, and is included in the files array published in package.json. Update expectations around README content to assert removal of 0.1.1-specific and pre-npm wording while still enforcing presence of key install and docs-hub links. Assert the updated release workflow naming and behavior ("Preflight npm release", npm whoami, absence of the old "Detect npm publish availability" string). Add expectations for the release checklist to include guidance on NPM_TOKEN secret, manual fallback, and to omit now-invalid old guidance. Ensure CONTRIBUTING no longer mentions the old bilingual public-doc setup line and still references key test commands.	test/docs-contract.test.ts package.json
Introduce and ship a maintained CHANGELOG for release history and reclassify Dependabot labels.	Add a new CHANGELOG.md tracking 0.1.0 and 0.1.1 with sections for Release, Docs, and Product changes, making the repository self-describing for release notes. Include CHANGELOG.md in the packaged files list in package.json so it is distributed with the npm package. Retarget Dependabot PR labels from dependencies to enhancement (plus github-actions where applicable) to better reflect the repo’s labeling scheme and reduce label noise.	CHANGELOG.md .github/dependabot.yml package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates release automation with enhanced preflight npm version checks, introduces a CHANGELOG.md file, restructures documentation across multiple language versions to emphasize Markdown-first local memory and npm global installation, and updates related tests to validate the new workflow and documentation expectations.

Changes

Cohort / File(s)	Summary
Release Automation .github/workflows/release.yml, .github/dependabot.yml	Enhanced npm preflight logic now extracts package metadata, queries npm registry for version conflicts, validates token presence and publish permissions, and gates publishing on a publish_mode output. Dependabot labeling updated from "dependencies" to "enhancement".
Release Documentation CHANGELOG.md, docs/release-checklist.md	New CHANGELOG.md added documenting versions 0.1.1 and 0.1.0. Release checklist reframed to require NPM_TOKEN verification, preflight npm validation steps, and fallback manual publishing procedure if automation fails.
Primary READMEs (Multi-language) README.md, README.en.md, README.ja.md, README.zh-TW.md	Repositioned project focus to emphasize local Markdown-based memory (MEMORY.md, topic files) for cross-session context. Added explicit npm install --global codex-auto-memory install path. Removed prior npm publication status disclaimers. Narrowed positioning to "Codex-first, Markdown-first" local memory tool.
Documentation Hub Navigation docs/README.md, docs/README.en.md, docs/README.ja.md, docs/README.zh-TW.md	Updated navigation guidance to direct readers to choose entry points based on current task rather than document depth. Adjusted link labels and clarified reading order recommendations.
Project Governance CONTRIBUTING.md	Removed explicit product-contract section and replaced with "What to optimize for" focusing on cross-session context and memory readability. Updated docs structure guidance from bilingual setup to four-language hub (Chinese, Traditional Chinese, English, Japanese).
Package Configuration & Source Control package.json, .gitignore	Added CHANGELOG.md to package files array for distribution. Removed CHANGELOG.md from .gitignore to allow version control.
Test Assertions test/docs-contract.test.ts	Added assertions validating CHANGELOG.md presence and format, new preflight npm steps (npm whoami, Preflight npm release), and manual npm fallback procedure documentation. Updated expectations to disallow prior npm-availability wording and enforce version-already-published checks.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• PR #30: Modifies .github/workflows/release.yml and .github/dependabot.yml for release automation and dependency labeling; overlaps with this PR's workflow and GitHub configuration changes.
• PR #36: Updates .github/workflows/release.yml to strengthen npm publish preflight checks and conditional publishing logic; directly related to the enhanced version-gating mechanism introduced here.

Poem

🐰 A changelog takes shape, memory files shine,
Markdown-first, version gates align,
Npm global install sees the light,
Preflight checks keep releases tight—
Hoppy hops! The memory tool takes flight! 🚀📝

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and specifically describes the main focus of the pull request: finalizing release surfaces for version 0.1.1.
Description check	✅ Passed	The description is comprehensive and well-structured, covering all required template sections with clear details about changes, validation steps, and known requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch closeout/release-0.1.1-finalize

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The new Preflight npm release step does a lot of inline shell/Node work with duplicated constants (e.g., registry URL, temp paths); consider moving this logic into a small script or composite action so it’s easier to maintain and test in isolation.
• npm whoami failures in the preflight step will currently just hard-fail the job; you might want to catch that case explicitly and add a more actionable GITHUB_STEP_SUMMARY message so maintainers understand what went wrong with the token or registry auth.
• The docs-contract tests are tightly coupled to exact wording in READMEs and the release checklist (e.g., checking for specific phrases like 'Preflight npm release'); consider relaxing these to assert on structure or key concepts instead so routine copy edits don’t cause unnecessary test churn.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new `Preflight npm release` step does a lot of inline shell/Node work with duplicated constants (e.g., registry URL, temp paths); consider moving this logic into a small script or composite action so it’s easier to maintain and test in isolation.
- `npm whoami` failures in the preflight step will currently just hard-fail the job; you might want to catch that case explicitly and add a more actionable `GITHUB_STEP_SUMMARY` message so maintainers understand what went wrong with the token or registry auth.
- The `docs-contract` tests are tightly coupled to exact wording in READMEs and the release checklist (e.g., checking for specific phrases like 'Preflight npm release'); consider relaxing these to assert on structure or key concepts instead so routine copy edits don’t cause unnecessary test churn.

## Individual Comments

### Comment 1
<location path=".github/workflows/release.yml" line_range="115" />
<code_context>
+            exit 1
           fi

+          npm whoami
+
+          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version --registry https://registry.npmjs.org >/tmp/npm-version.txt 2>/tmp/npm-version.err; then
</code_context>
<issue_to_address>
**suggestion (bug_risk):** `npm whoami` failure will abort the step without providing a structured summary for token/permission issues.

If `npm whoami` fails (invalid token, missing permissions, registry outage), the step exits non‑zero and the workflow stops before writing any `GITHUB_STEP_SUMMARY` guidance. Consider wrapping this in a check that captures stderr and prints a clearer message (e.g., distinguishing auth vs. registry errors), similar to the later `npm view` handling.

```suggestion
          if ! npm whoami >/tmp/npm-whoami.txt 2>/tmp/npm-whoami.err; then
            WHOAMI_ERR="$(cat /tmp/npm-whoami.err || true)"

            {
              echo "## npm authentication / registry check failed"
              echo
              echo "\`\`\`text"
              printf '%s\n' "$WHOAMI_ERR"
              echo "\`\`\`"
              echo
              if printf '%s' "$WHOAMI_ERR" | grep -Ei 'ENEEDAUTH|EACCES|E401|E403|token' >/dev/null 2>&1; then
                echo "- npm reported an authentication or permission error when running \`npm whoami\`."
                echo "- Verify that the \`NPM_TOKEN\` secret is set correctly and that it has permission to access the registry."
              elif printf '%s' "$WHOAMI_ERR" | grep -Ei 'ENOTFOUND|EAI_AGAIN|ECONNREFUSED|network|ETIMEDOUT' >/dev/null 2>&1; then
                echo "- npm reported a network or registry connectivity error when running \`npm whoami\`."
                echo "- Check npm registry availability and network connectivity from the GitHub Actions runner."
              else
                echo "- \`npm whoami\` failed for an unexpected reason."
                echo "- Inspect the error above and \`npm\` output logs for more details."
              fi
              echo
              echo "The workflow will stop before attempting \`npm publish\`. Fix the issue and re-run the release workflow."
            } >> "$GITHUB_STEP_SUMMARY"

            printf 'npm whoami failed:\n%s\n' "$WHOAMI_ERR" >&2
            exit 1
          fi
```
</issue_to_address>

### Comment 2
<location path="CHANGELOG.md" line_range="28" />
<code_context>
+
+### Product
+
+- expanded reviewer, dream, and session continuity surfaces across the CLI and public docs
</code_context>
<issue_to_address>
**issue (typo):** “dream” here likely a typo or wrong term in the list of surfaces.

"Dream" seems inconsistent with the surrounding terms and may be a typo or incorrect surface name. Please update it to the intended term (e.g., "team", "stream", or another existing product surface) for clarity and accuracy.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): npm whoami failure will abort the step without providing a structured summary for token/permission issues.

If npm whoami fails (invalid token, missing permissions, registry outage), the step exits non‑zero and the workflow stops before writing any GITHUB_STEP_SUMMARY guidance. Consider wrapping this in a check that captures stderr and prints a clearer message (e.g., distinguishing auth vs. registry errors), similar to the later npm view handling.

Suggested change

	npm whoami
	if ! npm whoami >/tmp/npm-whoami.txt 2>/tmp/npm-whoami.err; then
	WHOAMI_ERR="$(cat /tmp/npm-whoami.err || true)"
	{
	echo "## npm authentication / registry check failed"
	echo
	echo "\`\`\`text"
	printf '%s\n' "$WHOAMI_ERR"
	echo "\`\`\`"
	echo
	if printf '%s' "$WHOAMI_ERR" | grep -Ei 'ENEEDAUTH|EACCES|E401|E403|token' >/dev/null 2>&1; then
	echo "- npm reported an authentication or permission error when running \`npm whoami\`."
	echo "- Verify that the \`NPM_TOKEN\` secret is set correctly and that it has permission to access the registry."
	elif printf '%s' "$WHOAMI_ERR" | grep -Ei 'ENOTFOUND|EAI_AGAIN|ECONNREFUSED|network|ETIMEDOUT' >/dev/null 2>&1; then
	echo "- npm reported a network or registry connectivity error when running \`npm whoami\`."
	echo "- Check npm registry availability and network connectivity from the GitHub Actions runner."
	else
	echo "- \`npm whoami\` failed for an unexpected reason."
	echo "- Inspect the error above and \`npm\` output logs for more details."
	fi
	echo
	echo "The workflow will stop before attempting \`npm publish\`. Fix the issue and re-run the release workflow."
	} >> "$GITHUB_STEP_SUMMARY"
	printf 'npm whoami failed:\n%s\n' "$WHOAMI_ERR" >&2
	exit 1
	fi

[sourcery-ai]

issue (typo): “dream” here likely a typo or wrong term in the list of surfaces.

"Dream" seems inconsistent with the surrounding terms and may be a typo or incorrect surface name. Please update it to the intended term (e.g., "team", "stream", or another existing product surface) for clarity and accuracy.

[cubic-dev-ai]

No issues found across 16 files

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 133-152: The preflight Node check currently only tests for the
presence of PACKAGE_NAME in the parsed /tmp/npm-access.json map but not whether
the token has write rights; update the inline node -e script (the block that
reads /tmp/npm-access.json and uses packageName from process.env) to safely
parse the file inside a try/catch, validate the file is non-empty, and then
verify that access[packageName] === "read-write" (fail with console.error and
process.exit(1) if missing or not "read-write"). Ensure JSON.parse errors and
empty/malformed /tmp/npm-access.json are caught and produce a clear error
message and non-zero exit.

In `@docs/README.zh-TW.md`:
- Line 13: The README link label "技術概覽（English / 简体中文）" mismatches its target
(currently only ./architecture.en.md); update the Markdown link for the
architecture entry so the label matches the destination—either add a second link
to the Simplified Chinese file (e.g., include ./architecture.zh-CN.md alongside
./architecture.en.md) or change the label to only "English" to match
./architecture.en.md; locate the architecture link text in README.zh-TW.md and
adjust the link target(s) and/or label accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 229553da-c333-4810-bb2d-7f548c6f9141

📥 Commits

Reviewing files that changed from the base of the PR and between 64ac9eb and 2aba3c9.

📒 Files selected for processing (16)

• .github/dependabot.yml
• .github/workflows/release.yml
• .gitignore
• CHANGELOG.md
• CONTRIBUTING.md
• README.en.md
• README.ja.md
• README.md
• README.zh-TW.md
• docs/README.en.md
• docs/README.ja.md
• docs/README.md
• docs/README.zh-TW.md
• docs/release-checklist.md
• package.json
• test/docs-contract.test.ts

💤 Files with no reviewable changes (1)

• .gitignore

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What JSON shape does npm access list packages --json return in npm 10 and npm 11, and does it require a user/scope argument?

💡 Result:

The command npm access list packages --json returns an object where keys are package names and values are their associated access permissions (e.g., "read-only" or "read-write") for the specified user, scope, or scope:team. This format is consistent across npm 10 and npm 11, as the npm-access documentation and underlying libnpmaccess library (which powers the CLI) describe the output as a mapping of packages to permissions. It requires a user/scope argument: the syntax is npm access list packages [||scope:team] []. The argument identifies whose packages to list (user, organization/scope, or team). Without it, the command operates on the current working directory's package if present, but typically requires the specifier for listing multiple packages. Example inferred from libnpmaccess.lsPackages: {"@zkat/scope/pkg1": "read-write", "@zkat/scope/pkg2": "read-only"}. No significant changes between npm 10 (v10 docs) and npm 11 (v11 docs); both support --json flag and same synopsis.

Citations:

• 1: https://docs.npmjs.com/cli/v10/commands/npm-access
• 2: https://docs.npmjs.com/cli/v11/commands/npm-access
• 3: https://github.com/npm/cli
• 4: https://github.com/npm/libnpmaccess

---

🏁 Script executed:

#!/bin/bash
# Check npm documentation and test command behavior
npm --version
echo "---"
npm help access 2>&1 | grep -A 20 "list packages"

Repository: Boulea7/Codex-Auto-Memory

Length of output: 79

---

🏁 Script executed:

#!/bin/bash
# Test npm access list packages command behavior
echo "=== Testing: npm access list packages --json (no args) ==="
npm access list packages --json 2>&1 || echo "Exit code: $?"
echo ""
echo "=== Testing: npm access list packages --json with --no-description ==="
npm access list packages --json --no-description 2>&1 || echo "Exit code: $?"

Repository: Boulea7/Codex-Auto-Memory

Length of output: 1141

---

🏁 Script executed:

#!/bin/bash
# Check the release workflow file to understand full context
cd .github/workflows 2>/dev/null || cd . 
if [ -f "release.yml" ]; then
  echo "=== Lines 105-160 of release.yml ==="
  sed -n '105,160p' release.yml
else
  echo "File not found, searching for release.yml"
  find . -name "release.yml" -type f
fi

Repository: Boulea7/Codex-Auto-Memory

Length of output: 2763

---

Permission check only validates presence, not publish-write access.

npm access list packages --json returns a map like { "pkg": "read-only" | "read-write" }. The current check !(packageName in access) only verifies the package exists in the token's accessible set, not that the token has write permission. A token with read-only grant on an existing package (e.g., inherited org membership access, or misconfigured automation token) passes preflight but fails later at npm publish. Check should verify grant === "read-write":

🛡️ Suggested fix

             PACKAGE_NAME="${PACKAGE_NAME}" node -e '
               const fs = require("node:fs");
               const packageName = process.env.PACKAGE_NAME;
               const access = JSON.parse(fs.readFileSync("/tmp/npm-access.json", "utf8"));
-              if (!(packageName in access)) {
-                console.error(`Package ${packageName} already exists on npm and is not publishable with the current token.`);
+              const grant = access[packageName];
+              if (grant !== "read-write") {
+                console.error(`Package ${packageName} already exists on npm and is not publishable with the current token (grant: ${grant ?? "none"}).`);
                 process.exit(1);
               }
             '

Also add error handling for JSON.parse() — if /tmp/npm-access.json is empty or malformed, it throws an uncaught exception instead of a clear error message. Wrap with try/catch or validate the file is non-empty first.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 133 - 152, The preflight Node
check currently only tests for the presence of PACKAGE_NAME in the parsed
/tmp/npm-access.json map but not whether the token has write rights; update the
inline node -e script (the block that reads /tmp/npm-access.json and uses
packageName from process.env) to safely parse the file inside a try/catch,
validate the file is non-empty, and then verify that access[packageName] ===
"read-write" (fail with console.error and process.exit(1) if missing or not
"read-write"). Ensure JSON.parse errors and empty/malformed /tmp/npm-access.json
are caught and produce a clear error message and non-zero exit.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Link label and destination mismatch at architecture entry.

Line 13 claims “English / 简体中文” but links only to ./architecture.en.md. This can mislead first-time readers looking for Chinese content.

Suggested doc fix

-- [技術概覽（English / 简体中文）](./architecture.en.md)
+- [技術概覽（English）](./architecture.en.md)
+- [技術概覽（简体中文）](./architecture.md)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- [技術概覽（English / 简体中文）](./architecture.en.md)
	- [技術概覽（English）](./architecture.en.md)
	- [技術概覽（简体中文）](./architecture.md)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/README.zh-TW.md` at line 13, The README link label "技術概覽（English /
简体中文）" mismatches its target (currently only ./architecture.en.md); update the
Markdown link for the architecture entry so the label matches the
destination—either add a second link to the Simplified Chinese file (e.g.,
include ./architecture.zh-CN.md alongside ./architecture.en.md) or change the
label to only "English" to match ./architecture.en.md; locate the architecture
link text in README.zh-TW.md and adjust the link target(s) and/or label
accordingly.