feat: distribute lumen binary via npm optional dependencies#47
Merged
Conversation
Fixes a race condition where the MCP connection timed out (94ms) on first launch after an upgrade because run.sh was downloading the binary at startup time. - Add scripts/npm-publish.sh: downloads release binaries from GitHub, verifies sha256 checksums, and publishes @ory/lumen-<platform> packages plus the @ory/lumen wrapper with optionalDependencies - Add npm/lumen.js: JS shim that resolves the installed platform package and execs the binary (used as the wrapper's bin entry) - Update scripts/run.sh: probe the npm sibling package path (../lumen-<os>-<arch>/bin/lumen) before falling back to download, so npm-installed plugins find the binary without any network call - Add publish-npm CI job to release-please.yml: runs after goreleaser on ubuntu-latest with NODE_AUTH_TOKEN from NPM_TOKEN secret Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
aeneasr
added a commit
that referenced
this pull request
Mar 17, 2026
)" This reverts commit 6c382af.
aeneasr
added a commit
that referenced
this pull request
Mar 17, 2026
) * Revert "feat: distribute lumen binary via npm optional dependencies (#47)" This reverts commit 6c382af. * fix: add curl timeout and progress bar to binary download Add --max-time 300, --retry 3 --retry-delay 2, and --progress-bar to the curl invocation in run.sh. Previously, a slow or stalled download would hang indefinitely and silently, potentially causing MCP server startup timeouts on first install. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
run.shdownloaded the binary at MCP startup time, but the MCP connection timed out after 94ms before the download completedoptionalDependenciesso it arrives at install time, not startup time — the same pattern used by esbuild, Biome, etc.Changes
scripts/npm-publish.sh: Downloads release binaries from GitHub, verifies sha256 checksums against goreleaser'schecksums.txt, and publishes@ory/lumen-<platform>packages + the@ory/lumenwrapper withoptionalDependenciesnpm/lumen.js: JS shim used as the wrapper'sbinentry — resolves the installed platform package and execs the binaryscripts/run.sh: Probes the npm sibling package path (../lumen-<os>-<arch>/bin/lumen) before falling back to download, so npm-installed plugins find the binary with no network call at startup.github/workflows/release-please.yml: Addspublish-npmjob that runs after goreleaser onubuntu-latestusingNODE_AUTH_TOKENfromNPM_TOKENsecretTest plan
NPM_TOKENsecret to theory/lumenrepo (requires org admin)@ory/lumen@<version>to npm registry🤖 Generated with Claude Code