
chore(release): public launch hardening for @unbrained/pm-cli#1

Merged
unbraind merged 1 commit into
mainfrom
release/2026.3.9
Mar 9, 2026

Conversation

@unbraind unbraind commented Mar 9, 2026

Summary

  • switch package distribution to scoped npm package @unbrained/pm-cli with calendar SemVer-compatible versioning (YYYY.M.D[-N])
  • add release safety tooling and CI gates (version:check, security:scan, packaged npx smoke) plus release workflow tag/sequence enforcement and GitHub release automation
  • update release/install contributor docs and lock contracts with integration tests so launch behavior stays deterministic

Test plan

  • node scripts/release-version.mjs check --tag v2026.3.9 --verify-next
  • pnpm security:scan
  • pnpm build
  • pnpm typecheck
  • pnpm test
  • node scripts/run-tests.mjs coverage
  • pnpm smoke:npx

Switch the package to scoped publishing with calendar-based SemVer-compatible versioning and add release guardrails for secret scanning, npx smoke checks, and tag/version enforcement. This hardens CI/CD and contributor release docs so today’s public npm release is reproducible and safe.
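The tag/version gate that the test plan above invokes (node scripts/release-version.mjs check --tag ... --verify-next) could be implemented roughly like this. This is an added example, not the project's own script; the no-zero-padding rule and the ordering of same-day "-N" builds are assumptions stated in the comments.

```javascript
// Added example (not the project's scripts/release-version.mjs): validate a
// calendar SemVer-compatible version "YYYY.M.D" or "YYYY.M.D-N" and check that
// a git tag "vX" matches package.json and advances the previous release.
// Assumed policy: no zero-padding (SemVer forbids leading zeros) and N >= 1.
const CALVER = /^(\d{4})\.([1-9]|1[0-2])\.([1-9]|[12]\d|3[01])(?:-([1-9]\d*))?$/;

// Parse "2026.3.9" or "2026.3.9-2" into numeric parts; null when invalid.
function parseCalver(version) {
  const m = CALVER.exec(version);
  if (!m) return null;
  const [year, month, day] = [Number(m[1]), Number(m[2]), Number(m[3])];
  // Reject impossible dates such as 2026.2.30 (Date.UTC would roll them over).
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) return null;
  return { year, month, day, seq: m[4] ? Number(m[4]) : 0 };
}

// Ordering assumed here: a same-day "-N" build is a LATER release.
// Caveat: strict SemVer precedence treats "-N" as a prerelease that sorts
// BEFORE the bare version, so semver-range consumers see 2026.3.9-1 < 2026.3.9.
function compareCalver(a, b) {
  for (const k of ["year", "month", "day", "seq"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Release gate: the tag must equal "v" + package version, the version must be
// well-formed, and it must be strictly newer than the previously published one.
function checkRelease({ tag, packageVersion, previousVersion }) {
  const errors = [];
  if (tag !== `v${packageVersion}`) {
    errors.push(`tag ${tag} does not match package version ${packageVersion}`);
  }
  const next = parseCalver(packageVersion);
  if (!next) errors.push(`version ${packageVersion} is not YYYY.M.D[-N]`);
  const prev = previousVersion ? parseCalver(previousVersion) : null;
  if (previousVersion && !prev) {
    errors.push(`previous version ${previousVersion} is not YYYY.M.D[-N]`);
  }
  if (next && prev && compareCalver(next, prev) <= 0) {
    errors.push(`version ${packageVersion} does not advance ${previousVersion}`);
  }
  return { ok: errors.length === 0, errors };
}
```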
coderabbitai Bot commented Mar 9, 2026

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Free

Run ID: f214f130-65af-4595-8f81-c13c45231e3c

📥 Commits

Reviewing files that changed from the base of the PR and between 7b9a0ec and b4e4876.

📒 Files selected for processing (24)
  • .agents/pm/chores/pm-1h88.md
  • .agents/pm/chores/pm-1hm2.md
  • .agents/pm/history/pm-1h88.jsonl
  • .agents/pm/history/pm-1hm2.jsonl
  • .github/ISSUE_TEMPLATE/bug-report.yml
  • .github/PULL_REQUEST_TEMPLATE.md
  • .github/workflows/ci.yml
  • .github/workflows/nightly.yml
  • .github/workflows/release.yml
  • AGENTS.md
  • CHANGELOG.md
  • CONTRIBUTING.md
  • PRD.md
  • README.md
  • docs/RELEASING.md
  • package.json
  • scripts/check-secrets.mjs
  • scripts/install.ps1
  • scripts/install.sh
  • scripts/release-version.mjs
  • scripts/smoke-npx-from-pack.mjs
  • tests/integration/ci-workflow-contract.spec.ts
  • tests/integration/help-readme-contract.spec.ts
  • tests/integration/release-readiness-contract.spec.ts

Summary by CodeRabbit

Release Notes

  • New Features

    • Added calendar-based version validation
    • Added credential leak detection in workflows
    • Added npx smoke test execution
    • Automatic GitHub release notes generation
  • Documentation

    • Added release process documentation
  • Chores

    • Rebranded package to @unbrained/pm-cli
    • Bumped version to 2026.3.9
    • Enhanced CI and release workflows with quality gates

Walkthrough

This pull request prepares version 2026.3.9 for public release by rebranding the package from pm-cli to @unbrained/pm-cli, implementing calendar-based versioning, adding release management scripts, and introducing CI/CD guardrails for version validation, secret scanning, and smoke testing.

Changes

Cohort: Package Metadata & Configuration
Files: package.json, scripts/install.sh, scripts/install.ps1
Summary: Updated default package name to @unbrained/pm-cli, bumped version to 2026.3.9, changed author to "unbrained", added publishConfig with public access, and introduced four new scripts: version:check, version:next, security:scan, and smoke:npx.

Cohort: Release Management Scripts
Files: scripts/release-version.mjs, scripts/check-secrets.mjs, scripts/smoke-npx-from-pack.mjs
Summary: Added three new scripts: release-version.mjs validates calendar SemVer format (YYYY.M.D) and guards version tags; check-secrets.mjs scans tracked files for credential patterns; smoke-npx-from-pack.mjs automates npx tarball smoke testing without publishing.

Cohort: CI/CD Workflows
Files: .github/workflows/ci.yml, .github/workflows/nightly.yml, .github/workflows/release.yml
Summary: Added version policy checks, secret leak scans, and smoke tests to CI and nightly builds; release workflow now includes environment configuration, GitHub release creation, and upgraded permissions for content write access.

Cohort: GitHub Templates
Files: .github/ISSUE_TEMPLATE/bug-report.yml, .github/PULL_REQUEST_TEMPLATE.md
Summary: Updated bug report version placeholder to 2026.3.9 and added three new PR checklist items for version check, security scan, and smoke test verification.

Cohort: Core Documentation
Files: README.md, CHANGELOG.md, PRD.md, AGENTS.md, CONTRIBUTING.md, docs/RELEASING.md
Summary: Updated all package references from pm-cli to @unbrained/pm-cli; added new docs/RELEASING.md detailing calendar versioning policy and release checklist; updated CHANGELOG with release versioning and CI/CD guardrails; added RELEASING.md link to CONTRIBUTING.

Cohort: Release Task Artifacts
Files: .agents/pm/chores/pm-1h88.md, .agents/pm/chores/pm-1hm2.md, .agents/pm/history/pm-1h88.jsonl, .agents/pm/history/pm-1hm2.jsonl
Summary: Added release chore and hardening task metadata with comprehensive lifecycle documentation, test scopes, acceptance criteria, and state transitions (created, claimed, in_progress, closed, released).

Cohort: Contract Tests
Files: tests/integration/ci-workflow-contract.spec.ts, tests/integration/help-readme-contract.spec.ts, tests/integration/release-readiness-contract.spec.ts
Summary: Updated workflow expectations to verify new steps (version:check, security:scan, smoke:npx); added calendar date validation; extended package.json and script verification; added checks for new release infrastructure files and public publishConfig.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Git as Git / Tag
    participant GH as GitHub Actions
    participant NPM as npm Registry
    participant GHR as GitHub Releases
    
    Dev->>Dev: pnpm version:check
    activate Dev
    Note over Dev: Validate tag & version policy
    deactivate Dev
    
    Dev->>Dev: pnpm security:scan
    activate Dev
    Note over Dev: Scan for credential leaks
    deactivate Dev
    
    Dev->>Dev: pnpm smoke:npx
    activate Dev
    Note over Dev: Test npx tarball locally
    deactivate Dev
    
    Dev->>Git: Commit & tag (v2026.3.9)
    Git->>GH: Trigger release workflow
    
    GH->>GH: Verify version tag & policy
    GH->>GH: Run security scan
    GH->>GH: Test npx smoke
    GH->>NPM: npm publish `@unbrained/pm-cli`
    NPM-->>GH: Success
    
    GH->>GHR: Create GitHub release w/ notes
    GHR-->>GH: Release published
    GH-->>Dev: Workflow complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

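A minimal form of the tracked-file credential scan the walkthrough above describes (check-secrets.mjs), as an added example with constructed sample inputs; it is not the project's own scanner, and the pattern list, the "check-secrets:ignore" marker and the placeholder allowlist are assumptions.

```javascript
// Added example (not the project's scripts/check-secrets.mjs): scan file
// contents for well-known credential shapes and report file:line hits so a
// CI gate can fail the build. Patterns here are illustrative, not the project's.
const PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: "generic-assignment", re: /\b(?:password|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Assumed allowlist: skip obvious placeholders so docs and tests do not trip the gate.
const ALLOWLIST = /\b(?:example|placeholder|changeme|your[_-]?token|xxx+)\b/i;

// Scan one file's text; returns one { file, line, rule, snippet } per hit.
function scanText(file, text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    // Assumed inline opt-out marker for known-fake fixtures.
    if (line.includes("check-secrets:ignore") || ALLOWLIST.test(line)) return;
    for (const { name, re } of PATTERNS) {
      const m = re.exec(line);
      if (m) {
        // Redact: never echo the matched value into CI logs.
        const snippet = line.replace(m[0], `${m[0].slice(0, 4)}...`);
        hits.push({ file, line: i + 1, rule: name, snippet: snippet.trim() });
      }
    }
  });
  return hits;
}

// Gate over many files: ok is true only when nothing matched.
function scanFiles(files) {
  const hits = files.flatMap(({ path, text }) => scanText(path, text));
  return { ok: hits.length === 0, hits };
}

// Constructed sample inputs (fake values, not real credentials).
const SAMPLE_FILES = [
  { path: "src/config.ts", text: 'const apiKey = process.env.API_KEY;\nconst leak = "AKIAEXAMPLEKEY000000";\n' },
  { path: "docs/README.md", text: 'Set API_KEY="your-token-here" (placeholder)\n' },
  { path: "tests/fixture.txt", text: "token = 'not-a-real-token-value' # check-secrets:ignore\n" },
];
```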


@sourcery-ai sourcery-ai Bot left a comment


Hi @unbraind! 👋

Your private repo does not have access to Sourcery.

Please upgrade to continue using Sourcery ✨

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly hardens the release process for the @unbrained/pm-cli project in preparation for its public launch. It establishes a clear and robust versioning strategy, integrates critical security and quality checks into the continuous integration pipeline, and automates the release workflow to ensure consistency and reliability. These changes are foundational for maintaining a secure and predictable public distribution of the CLI.

Highlights

  • Scoped npm package and Calendar Versioning: The project's npm package identity has been switched to @unbrained/pm-cli to prevent naming conflicts, and a new calendar-based versioning policy (YYYY.M.D[-N]) has been adopted for releases.
  • Enhanced Release Safety and CI Gates: New tooling and CI gates have been introduced, including version:check for calendar SemVer policy enforcement, security:scan for credential leak detection, and smoke:npx for verifying packaged executables. The release workflow now includes tag/version consistency checks and GitHub release automation.
  • Updated Documentation and Contracts: Contributor documentation, including CONTRIBUTING.md and README.md, has been updated to reflect the new release procedures and scoped package. Integration tests have been expanded to lock in these new behaviors and policies.
Changelog
  • CHANGELOG.md
    • Switched npm package identity to scoped publish target @unbrained/pm-cli.
    • Implemented calendar SemVer-compatible versioning (YYYY.M.D or YYYY.M.D-N).
    • Updated installer defaults to target @unbrained/pm-cli.
    • Added automated version policy enforcement script (scripts/release-version.mjs).
    • Added tracked-file credential leak scanner (scripts/check-secrets.mjs).
    • Added packaged npx smoke test (scripts/smoke-npx-from-pack.mjs).
    • Configured release workflow to use GitHub release Environment, validate version sequencing, and create GitHub Releases.
Ignored Files
  • Ignored by pattern: .github/workflows/** (3)
    • .github/workflows/ci.yml
    • .github/workflows/nightly.yml
    • .github/workflows/release.yml
Activity
  • A new chore item pm-1h88 was created to cut the public release, claimed by maintainer-agent, and its status was set to in_progress.
  • A chore item pm-1hm2 for release hardening was created, claimed by maintainer-agent, and its status was set to in_progress.
  • Files, tests, and documentation related to release hardening were linked to the pm-1hm2 chore.
  • Evidence of release hardening validations passing was recorded as a comment on pm-1hm2.
  • The pm-1hm2 chore was closed with a reason indicating completion of release management hardening.

@unbraind unbraind merged commit e1c959d into main Mar 9, 2026
1 of 6 checks passed
@unbraind unbraind deleted the release/2026.3.9 branch March 9, 2026 13:06

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements significant release hardening and prepares the project for a public production launch. Key changes include switching the npm package name from pm-cli to @unbrained/pm-cli and updating the versioning scheme to a calendar-based SemVer (YYYY.M.D or YYYY.M.D-N). New scripts were added to enforce this version policy (release-version.mjs), scan for credential leaks (check-secrets.mjs), and perform npx smoke tests (smoke-npx-from-pack.mjs). The CI/CD workflows, particularly the release pipeline, have been updated to integrate these new checks, enforce the version policy, use a dedicated GitHub release environment, and automate GitHub Release creation. Documentation, including CHANGELOG.md, README.md, CONTRIBUTING.md, AGENTS.md, and PRD.md, has been updated to reflect the new package name, versioning policy, and release procedures. Installer scripts (install.sh, install.ps1) now default to the scoped package. Additionally, a new chore (pm-1h88) was created to track the final public release execution, and a previous chore (pm-1hm2) detailing the release hardening tasks was marked as closed, indicating the completion of these preparatory steps.
