v0.1 W5: distribution wiring (npm shim + maturin + GitHub Actions release)#15
Merged
Merged
Conversation
…ease)
Replaces the 0.0.0 placeholders on npm/PyPI with release-ready scaffolding
and adds the tag-push pipeline that publishes binaries to all four
channels (cargo, npm, PyPI, GitHub Releases).
npm restructure (biome-style):
- main package moves to npm/klasp/ with a ~50-line bin/klasp.js shim that
resolves the per-platform binary via require.resolve and execs it via
spawnSync — no install-time download, no postinstall script
- five per-platform sub-packages declared as optionalDependencies of the
main package: @klasp-dev/klasp-{darwin-arm64, darwin-x64, linux-x64-gnu,
linux-arm64-gnu, win32-x64}; each carries os/cpu fields so npm picks
exactly one on every install
- per-platform binaries are .gitignore'd in the source tree; the release
workflow drops them in at publish time
PyPI restructure (Hatchling -> maturin):
- pyproject.toml switches build-backend to maturin with bindings = "bin"
and manifest-path = "../klasp/Cargo.toml"; no PyO3, no Python source
- old pypi/src/klasp/__init__.py removed
- locally-verified: maturin build produces a wheel like
klasp-0.0.0-py3-none-macosx_11_0_arm64.whl with the binary in
<distname>.data/scripts/
Cargo workspace:
- klasp-core and klasp-agents-claude flip from publish=false to
publishable, with documentation/readme/keywords/categories filled in
- path-only deps gain version specifiers ({ path = "...", version = "..." })
so cargo publish accepts them when the registry lookup runs
Release pipeline (.github/workflows/release.yml):
- prepare-version derives X.Y.Z from the v-prefixed tag and surfaces it
to every downstream job
- build-binaries matrix on the five v0.1 targets uploads each binary as
a workflow artifact
- publish-npm stages the binaries into the per-platform sub-packages,
bumps versions in lockstep via scripts/bump-npm-versions.mjs, then
publishes per-platform sub-packages FIRST and the main package LAST
so optionalDependencies always resolve
- publish-pypi rebuilds wheels via PyO3/maturin-action per target,
collects them, and uploads to PyPI via pypa/gh-action-pypi-publish
(OIDC by default, PYPI_TOKEN fallback)
- publish-cargo publishes klasp-core, then klasp-agents-claude, then
klasp, with a 30s pause between each so the registry index catches up
- github-release packages binaries as tarballs (zip on Windows) and
attaches them with auto-generated release notes
CI updates (.github/workflows/ci.yml):
- npm publish --dry-run now runs in npm/klasp/ (the new main-package
location); per-platform packages are not dry-run'd because their
binaries only land at release time
- pypi-validate now drives maturin build instead of pyproject-build to
match the new backend; rust toolchain added to the job
Closes #5
Contributor
Author
Code review🟢 Approve — no merge-blocking issues. Two parallel Opus agents reviewed the PR (one diff-only, one with full file context). The diff-only pass found no high-signal bugs. The file-context pass surfaced seven below-blocker observations — all real, none meeting the merge-blocking bar (compile-fail / wrong-regardless-of-inputs / CLAUDE.md violation). They're worth tracking as Step 10 follow-ups. SummaryThe PR converts the Critical issuesNone. Suggestions (below the merge-blocking bar — candidates for the Step 10 follow-up issue)
What looks good
Security / Performance / Tests
Deferred (per author's note)
Verdict🟢 Approve. Ship it. The seven below-blocker observations will land in a follow-up issue per Step 10 — none are merge blockers. CI: 7/7 ✓ · Mergeable: ✓ · Step 11 prerequisites: pending (waiting on Step 10 remediation comment). 🤖 Generated by agentic-flow Step 06 ( |
Contributor
Author
Review remediation + simplify passFindings → fixes
No fix commits added during review remediation; review verdict was 🟢 Approve at the merge-blocking bar.
|
11 tasks
liam-ai-reality
added a commit
that referenced
this pull request
May 4, 2026
The original `[#1, W1]` ... `[#5, W5]` brackets were issue numbers, not PR numbers, and GitHub auto-link rules resolve `#N` to PRs first — readers landing on those refs got the build-plan issue rather than the merge commits. Replace with the actual PR numbers, sourced from the merge log: W1 → no PR (direct push to main; reference the SHA `5740eb3` instead) W2 → #10 W3 → #11 W4 → #13 W5 → #15 W6-7 → #17 (this PR) The W3 follow-ups merge `[#14]` was already correct. Co-Authored-By: claude-flow <ruv@ruv.net>
liam-ai-reality
added a commit
that referenced
this pull request
May 4, 2026
* feat(dogfood): install klasp gate on klasp's own repo Run `klasp init` + `klasp install --agent claude_code` against this worktree and commit the resulting gate files so worktrees and remote agents inherit the install. The klasp.toml is the canonical v0.1 reference example: cargo check + cargo clippy -D warnings on commit+push, cargo test --workspace on push only. .gitignore gains scoped un-ignore rules (`!/.claude/settings.json`, `!/.claude/hooks/klasp-gate.sh`) so only the repo-root .claude/ gate artifacts are tracked; subdirectory .claude/ folders (e.g. agent worktree state) stay ignored. Verified end-to-end: - clean tree: gate exits 0, no stderr - clippy-failing change: gate exits 2, structured findings on stderr - klasp install run twice = no diff (idempotent) - klasp doctor: all checks passed Closes the W6 dogfood deliverable from #6. * docs(recipes): add v0.1 recipes guide Worked klasp.toml [[checks]] blocks for the six tools the v0.1 launch demo and most users will actually run: pre-commit, fallow, pytest, cargo, ESLint/Biome, ruff. Each recipe is paired with two-three sentences on why the chosen flags / triggers fit a klasp gate. The Patterns section up top covers the cross-cutting decisions every config faces — commit vs push triggers, ${KLASP_BASE_REF} usage, monorepo limitations (full discovery is a v0.2.5 deliverable per design.md §14 and roadmap.md §v0.2.5), and fail-open semantics. The "What's next" section points at v0.2's named recipes (`type = "pre_commit"`, `type = "fallow"`, etc.) so users adopting verbose v0.1 shell shapes know the upgrade path. Part of #6. * docs(release): v0.1.0 changelog + flip README placeholder Add CHANGELOG.md with the v0.1.0 entry enumerating every closed v0.1-labelled issue (W1 #1, W2 #2, W3 #3 + follow-ups #14, W4 #4 + follow-up #13, W5 #5 + follow-up #15, and W6-7 #6) under a single release heading. The Out-of-scope section restates v0.2+ deferrals (Codex, named recipes, parallel execution, monorepo discovery) so the launch story is honest about what users get and what they don't. README.md gets three small updates: status flips from "name-reservation placeholder" to "v0.1 ships when v0.1.0 tag is pushed" with a caveat that a `klasp --version` check is the right way to confirm a real install (vs the lingering 0.0.0 placeholder); the docs list grows pointers to recipes.md and CHANGELOG.md; and the repository-layout table drops the *(planned)* qualifiers now that all three crates ship. The user pushes the v0.1.0 tag from main themselves; this commit only prepares the changelog + README so the release is documented when they do. Closes #6. * feat(gate): set KLASP_BASE_REF env var for shell checks Threads a merge-base ref through `RepoState` and exports it as `KLASP_BASE_REF` on every `ShellSource` child. Computes the value via `git merge-base @{upstream} HEAD`, falling back to `origin/main`, `origin/master`, then `HEAD~1` — the canonical "branch divergence point" lookup for diff-aware tools. This matches the contract design.md §3.5 already commits to and the `klasp.toml` / docs/recipes.md examples already reference. Without it, copying the recipes (`pre-commit run --from-ref ${KLASP_BASE_REF}`, `fallow audit --base ${KLASP_BASE_REF}`) silently substitutes empty strings and the diff-aware tools lint the entire tree. Wiring: - klasp-core: `RepoState` gains a `base_ref: String` field. Plugins read it directly; the gate runtime constructs it. - klasp/git.rs: new `compute_base_ref()` helper with three-level fallback chain. Two unit tests against a real `tempdir` git repo cover the no-remote (`HEAD~1`) and clone-with-upstream paths. - klasp/sources/shell.rs: spawn-time `.env("KLASP_BASE_REF", ...)`. New unit test asserts a child running `printf "$KLASP_BASE_REF"` echoes the configured value. - klasp/tests/gate_flow.rs: end-to-end test spawns the binary against a real two-commit git repo, runs a check that writes `$KLASP_BASE_REF` to a sentinel file, asserts the captured value is the expected `HEAD~1` fallback. Touches `klasp/src/sources/shell.rs` (locked file in the W6-7 brief) because the env-var injection is precisely what the gate was designed to hand off to the source — implementing it elsewhere would route around the only `Command::new(...)` call in v0.1. The same file was already touched post-W3 lock by #14 for child-process cleanup. Refs: docs/design.md §3.5, docs/recipes.md §`${KLASP_BASE_REF}`. Co-Authored-By: claude-flow <ruv@ruv.net> * docs(changelog): correct PR references for v0.1.0 entries The original `[#1, W1]` ... `[#5, W5]` brackets were issue numbers, not PR numbers, and GitHub auto-link rules resolve `#N` to PRs first — readers landing on those refs got the build-plan issue rather than the merge commits. Replace with the actual PR numbers, sourced from the merge log: W1 → no PR (direct push to main; reference the SHA `5740eb3` instead) W2 → #10 W3 → #11 W4 → #13 W5 → #15 W6-7 → #17 (this PR) The W3 follow-ups merge `[#14]` was already correct. Co-Authored-By: claude-flow <ruv@ruv.net> * docs(recipes): defer verdict_path mention to v0.2 (not in v0.1 schema) The previous wording claimed "the ConfigV1 schema reserves the `verdict_path` field for this transition; ignore it for now." Reality: `klasp_core::CheckSourceConfig::Shell` has no such field — a user who copy-pasted `verdict_path = "..."` into their klasp.toml hit a serde parse error rather than a "this is reserved, not yet implemented" no-op. Reword to honestly defer JSON-output parsing to v0.2's named recipes (`type = "fallow"`, `type = "pytest"`) and tell the user to fall back on the check tool's exit code in v0.1. Co-Authored-By: claude-flow <ruv@ruv.net> --------- Co-authored-by: claude-flow <ruv@ruv.net>
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the
0.0.0placeholders on npm/PyPI with release-ready scaffolding and adds the tag-push pipeline that publishes binaries to all four channels (cargo, npm, PyPI, GitHub Releases). Source manifests stay at0.0.0until av0.1.0[-rc.N]tag bumps them viascripts/bump-source-versions.mjsat release time.Closes #5.
Three areas changed
1. npm restructure (biome-style,
npm/klasp/main + 5 per-platform stubs)@klasp-dev/klasp-${platform}-${arch}from a static map,require.resolvesklasp(orklasp.exeon Windows) inside it, thenspawnSync({ stdio: "inherit" })s it and exits with the child's code. The error path (no matching package, install missing optional deps) writes a clear stderr message and exits1.package.jsoncarriesos,cpu, and (on linux)libc: ["glibc"]. Win32 usesklasp.exeformainandbin. Each ships a.gitignorethat hides the staged binary from the working tree — the release workflow drops the binary in at publish time.npm/{package.json,index.js,README.md}were the single-package placeholder; removed in the same commit.2. PyPI restructure (Hatchling → maturin with
bindings = "bin")pypi/pyproject.tomlswaps[build-system] build-backend = "hatchling.build"for"maturin", declares[tool.maturin] bindings = "bin", and pointsmanifest-path = "../klasp/Cargo.toml". No PyO3, no Python source — the wheel is a vehicle for the compiled binary.pypi/src/klasp/__init__.pyremoved.maturin build --release --out distproducesklasp-0.0.0-py3-none-macosx_11_0_arm64.whlwith the binary atklasp-0.0.0.data/scripts/klasp.twine checkpasses.3. Release workflow (
.github/workflows/release.yml)Six job groups, all triggered on
push: tags: ['v*']:prepare-version— derivesX.Y.Zfromv0.1.0and exports it as a job output for every downstream consumer.build-binaries— matrix on the five v0.1 targets (macos-14, macos-13, ubuntu-latest, ubuntu-24.04-arm, windows-latest); each runsscripts/bump-source-versions.mjs, builds--release --bin klasp, and uploads the binary as a workflow artifact.publish-npm— stages binaries into per-platform packages, bumps versions in lockstep viascripts/bump-npm-versions.mjs, then publishes the per-platform sub-packages FIRST and the main package LAST. This ordering is the whole reason for the structure:optionalDependenciesmust already exist on the registry when the main package's metadata references them.publish-pypi+publish-pypi-collect—PyO3/maturin-action@v1rebuilds wheels per target (manylinux2014 on Linux, native everywhere else); collected wheels go up viapypa/gh-action-pypi-publish@release/v1. Defaults to OIDC trusted publishing; falls back toPYPI_TOKEN.publish-cargo—klasp-core→klasp-agents-claude→klasp, withsleep 30between to let the crates.io index catch up.github-release— packages each binary intoklasp-${tag}-${triple}.{tar.gz,zip}and usessoftprops/action-gh-release@v2with auto-generated notes; flagsprereleaseautomatically when the tag contains-rc/-alpha/-beta.Publish-order dependency (called out explicitly because reviewers asked):
per-platform npm → main npm → PyPI wheels → cargo crates → GitHub ReleaseThe
cargoordering is also load-bearing:klasp-coremust publish first, thenklasp-agents-claude(which now declaresklasp-core = { path = "...", version = "0.0.0" }), then theklaspbinary crate.publish = falsewas removed from the two library crates; both gotdescription/readme/keywords/categories/documentationso crates.io accepts them.CI updates
npm-validatenow runs innpm/klasp/(the main package). Per-platform sub-packages aren't dry-run'd — their binaries are gitignored, so the dry-run would fail today.pypi-validatenow drivesmaturin buildinstead ofpyproject-build. The job gainsdtolnay/rust-toolchain@stableandSwatinem/rust-cache@v2to match.Quality bar (local, on macos-14 / aarch64-apple-darwin)
cargo check --all-targets— cleancargo fmt --all -- --check— cleancargo clippy --all-targets --workspace -- -D warnings— no issuescargo test --workspace— 114 passed, 5 ignored (no W3/W4 regressions)(cd npm/klasp && npm publish --dry-run --access public)— packages 3 files (bin/klasp.js,package.json,README.md); registry-side rejection on0.0.0is the only error(cd pypi && uvx --from "maturin>=1.7,<2.0" maturin build --release --out dist)— producesklasp-0.0.0-py3-none-macosx_11_0_arm64.whl;twine checkpassescargo publish -p klasp-core --dry-run --allow-dirty— packages cleanlypyyaml.safe_loadDecisions worth flagging
aarch64-unknown-linux-gnu: native runner overcross. Usedubuntu-24.04-arm(already in the per-PR CI from W4) instead ofcrosscontainers or QEMU. Native arm64 builds are faster, produce wheels with cleaner.sodeps, and remove a moving Docker dependency. If the GitHub-hosted arm runners ever go away, the workflow can swap tocrosswithout changing matrix shape.PYPI_TOKENas fallback.pypa/gh-action-pypi-publishaccepts an emptypassword:when OIDC is configured on pypi.org. Until the trusted publisher is registered, populatingsecrets.PYPI_TOKENkeeps it working without a workflow change. Once OIDC is wired, the secret can be removed.2014. Default for ruff/maturin distributions; covers every glibc Linux distro of practical interest.2_28would shrink the binary but lose support for older RHEL/Ubuntu LTS bases — not worth it for v0.1.bump-source-versions.mjs. Cargo's0.1.0-rc.1and PyPI's0.1.0rc1aren't the same string. The script normalises only insidepypi/pyproject.tomlso the same git tag drives both registries.bump-npm-versions.mjswalksnpm/*/package.jsonand rewrites JSON;bump-source-versions.mjsdoes targeted regex onCargo.tomlandpyproject.toml. Different file formats, different replacement strategies — combining them would tangle two unrelated jobs.klasp-core/klasp-agents-claudenewly publishable. Previouslypublish = false. The crates need to be on crates.io for the binary crate'scargo publishto accept them. Documented their public surface as v0.1's plugin contract (per design.md §3 / §8).Smoke test
I have not pushed
v0.1.0-rc.1from this branch — the tag should land onmainafter merge so the release artefacts attribute correctly. Once merged, pushv0.1.0-rc.1to fire the workflow. The expected outcome:cargo install klasp@0.1.0-rc.1resolves cleanly after the cargo job lands the three cratesnpm i -g @klasp-dev/klasp@0.1.0-rc.1installs the main package; npm picks one optional dep based on host platform;klasp --versionprintsklasp 0.1.0-rc.1pip install klasp==0.1.0rc1(PEP 440 normalised) installs the wheel;klasp --versionprintsklasp 0.1.0-rc.1If the first attempt fails, retag
v0.1.0-rc.2and iterate. Tags are cheap; npm/PyPI/cargo all supportskip-existingsemantics so partial failures don't block re-runs.Out of scope (explicit)
klasp/src/sources/shell.rs,klasp/tests/gate_flow.rs,klasp/src/git.rs— owned by issue Follow-ups from PR #11 review (W3 gate runtime) #12.klasp-core/*,klasp-agents-claude/*source code — only manifests touched.docs/,README.md— no doc updates in W5.Test plan
v0.1.0-rc.1and verify all five release-workflow job groups go greengit worktree, runcargo install klasp@0.1.0-rc.1and confirmklasp --versionnpm i -g @klasp-dev/klasp@0.1.0-rc.1and confirmklasp --versionpip install klasp==0.1.0rc1and confirmklasp --version🤖 Generated with claude-flow