
Security: acai-sh/cli


docs/security.md

Security Checklist

Created April 21, 2026 by GPT 5.4-high. Reviewed April 21, 2026 by Atmosfearful.

Identity And Access

  • Publish through an npm organization, not a single personal account.
  • Require passkey 2FA for npm and GitHub admins.
  • Keep the maintainer/admin list small and review it regularly.

Branch Protection

  • Protect main and require pull requests for changes.
  • Prevent direct pushes, force pushes, and branch deletion on main.
  • Require passing CI before merge.
  • Require signed commits.

Publishing Controls

  • Publish only from CI, never from a maintainer workstation.
  • Use npm trusted publishing with GitHub Actions OIDC.
  • Do not use long-lived npm publish tokens.
  • Restrict publishing to the npm environment defined in the workflow.

Release Integrity

  • Grant id-token: write only to the publish job.
  • Pin Bun and Node versions in CI.
  • Commit the lockfile and install with frozen lockfile mode.
  • Run the full test suite before any publish step.
  • Verify the actual npm tarball from npm pack, not just source execution.
  • Install and smoke-test the packed tarball under the runtime users actually use.
  • Fail the release if the tag version and package.json version do not match.

Supply Chain

  • Enforce a 7-day minimum release age for newly resolved dependencies via bunfig.toml.
  • This package does not use consumer lifecycle scripts such as postinstall.
  • Bun does not execute installed dependency lifecycle scripts by default.

Artifact Trust

  • Publish npm packages with npm publish --provenance.
  • Attach checksums for standalone binaries and other release artifacts.
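The Release Integrity and Artifact Trust items above, worked into one CI gate script. This is an added example, not code from the acai-sh/cli repo: the bin name `acai`, the `RUN_RELEASE_GATE` switch, the `dist/*` artifact path and the use of npm rather than Bun for the smoke install are all assumptions.

```shell
#!/bin/sh
# Added example, not part of acai-sh/cli: a release gate for the CI publish job,
# run before `npm publish --provenance`. Paths, bin name and env vars are assumed.
set -eu

# Extract the "version" field from a package.json with plain sed (no JSON parser).
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Fail the release if the git tag (v1.2.3 or 1.2.3) and package.json disagree.
check_version_match() {
  tag="$1"; pkg="$2"
  tag_version="${tag#v}"
  pkg_version=$(package_version "$pkg")
  if [ -z "$pkg_version" ]; then
    echo "no version field in $pkg" >&2; return 1
  fi
  if [ "$tag_version" != "$pkg_version" ]; then
    echo "tag $tag_version does not match package.json $pkg_version" >&2; return 1
  fi
  return 0
}

# Pack the real tarball, install it into a scratch dir and run the CLI from there,
# so the check exercises what users will receive rather than the source tree.
smoke_test_tarball() {
  bin_name="$1"
  work=$(mktemp -d)
  tarball=$(npm pack --pack-destination "$work" | tail -n 1)
  ( cd "$work" && npm init -y >/dev/null && npm install --silent "./$tarball" )
  "$work/node_modules/.bin/$bin_name" --version
  rm -rf "$work"
}

# Write SHA-256 sums for release artifacts so consumers can verify downloads
# with `sha256sum -c`.
write_checksums() {
  out="$1"; shift
  sha256sum "$@" > "$out"
}

# Run the whole gate only when explicitly requested (assumed env var), so the
# functions above can also be sourced and tested on their own.
if [ "${RUN_RELEASE_GATE:-0}" = "1" ]; then
  check_version_match "${GITHUB_REF_NAME:?tag ref required}" package.json
  smoke_test_tarball acai          # assumed bin name
  write_checksums SHA256SUMS dist/* # assumed artifact path
fi
```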
