Problem
An OSS hygiene audit across all 12 packages in the Charter monorepo found four gaps that affect npm discoverability, supply-chain trust, and npm metadata quality:
- `keywords` missing on all 12 packages — the npm search algorithm uses keywords heavily; packages without them are effectively invisible to keyword search.
- `publishConfig.provenance: true` missing on all 12 packages — the release workflow already publishes with `--provenance`, but without this field in package.json the attestation doesn't attach to npm package metadata. Downstream consumers can't verify the supply chain via `npm audit signatures`.
- `author` field missing on 11/12 packages — only `@stackbilt/cli` has it. Accountability and trust gap.
- Root `package.json` missing `engines` field — all 12 packages correctly declare `"node": ">=18.0.0"`, but the workspace root does not.
What's already correct (do not touch)
`repository.directory` (all correct), `exports` map (proper ESM/CJS), `sideEffects: false`, per-package `engines`, `files` whitelist, `bugs`, `homepage`, `license`, `publishConfig.access: "public"`.
Changes
For each of the 12 packages (`types`, `core`, `adf`, `git`, `classify`, `validate`, `drift`, `blast`, `surface`, `policies`, `ci`, `cli`):
- Add `"keywords"` array (3–5 terms: `"governance"`, `"charter"`, `"typescript"` as baseline, plus 1–2 package-specific terms)
- Add `"provenance": true` to existing `publishConfig` block
- Add `"author": "Stackbilt LLC"` (or leave cli as-is, it already has it)
Root `package.json`:
- Add `"engines": { "node": ">=18.0.0" }`
Also in this PR:
- Create root `.npmignore` blocking `*.test.ts`, `*.spec.ts`, `__tests__/`, `tsconfig*.json`, `*.tsbuildinfo`, `*.map` as defense-in-depth alongside `files` whitelists.
Why now
This is part of the v0.13 OSS polish initiative. These changes are split-stable — all 11 governance packages carry forward unchanged to any future `@stackbilt/build` split. `@stackbilt/cli` keywords/description are scoped to the governance surface only (not the commercial commands, which are moving).
Acceptance
- `npm info @stackbilt/cli` shows `keywords`, `provenance`, and `author` fields after next publish
- `npm audit signatures` resolves attestation for all 12 packages
- Root `package.json` has `engines` field