fix: remove --provenance for private repo publish #14

Merged: NiveditJain merged 2 commits into main from ef-14 on Apr 6, 2026

NiveditJain (Member) commented Apr 6, 2026

Summary

  • --provenance requires the source repo to be public. npm returns E422 for private repos.
  • Remove --provenance and the id-token: write permission for now.
  • Re-add both once the repo goes public.

To re-trigger after merge

  1. Delete the existing v0.0.1-beta.1 release on GitHub
  2. Recreate it with the same tag pointing to the new main commit

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added optional telemetry tracking during package installation and uninstallation (can be disabled via FAILPROOFAI_TELEMETRY_DISABLED=1 environment variable)
    • Enhanced uninstall process with automatic cleanup of configuration entries
  • Chores

    • Updated publishing workflow configuration

NiveditJain and others added 2 commits April 6, 2026 21:46
- Add scripts/postinstall.mjs — fires package_installed PostHog event on
  npm install; warns if hooks config exists but hooks aren't registered
- Add scripts/preuninstall.mjs — auto-removes failproofai hook entries from
  Claude Code settings on npm uninstall; fires package_uninstalled event
- Add scripts/install-telemetry.mjs — shared fetch-based PostHog helper for
  lifecycle scripts (no external deps, mirrors hook-telemetry pattern)
- Add postinstall/preuninstall entries to package.json scripts
- Guard both scripts with INIT_CWD check so they skip during dev/CI installs
- Fix scripts/launch.ts: resolve .next/standalone/server.js to an absolute
  path via import.meta.url — previously the dashboard would fail to start
  when failproofai was run from any directory other than the package root

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

npm provenance requires the source repository to be public. Re-add
--provenance (and id-token: write permission) when the repo goes public.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

coderabbitai Bot commented Apr 6, 2026

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: ac90f33e-fe97-457c-8c80-99c780909ea4

📥 Commits

Reviewing files that changed from the base of the PR and between 6db955e and 407611f.

📒 Files selected for processing (6)
  • .github/workflows/publish.yml
  • package.json
  • scripts/install-telemetry.mjs
  • scripts/launch.ts
  • scripts/postinstall.mjs
  • scripts/preuninstall.mjs

Walkthrough

The pull request introduces npm package lifecycle hooks integrated with PostHog telemetry tracking. A new telemetry module provides install/uninstall event tracking with stable instance identification. Postinstall registers hooks and sends telemetry; preuninstall cleans up hook entries from Claude Code settings and sends uninstall telemetry. Minor CI/CD and filesystem path adjustments included.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Telemetry Infrastructure (scripts/install-telemetry.mjs) | New module implementing PostHog telemetry with stable distinct_id derivation (checks instance file, falls back to machine identifiers or random UUID). Exports trackInstallEvent() with environment variable opt-out, payload enrichment, 5-second timeout, and no explicit error handling. |
| Package Lifecycle Scripts (scripts/postinstall.mjs, scripts/preuninstall.mjs) | Postinstall checks hooks configuration and Claude Code settings, prints warning if mismatch detected, sends package_installed telemetry with platform/arch info. Preuninstall removes failproofai hook entries from three Claude settings paths, filters by marker field, and sends package_uninstalled telemetry; all cleanup errors suppressed. |
| Configuration & Workflow (package.json, .github/workflows/publish.yml) | Package.json adds postinstall and preuninstall lifecycle script commands. Publish workflow removes id-token: write permission and --provenance flag from npm publish command. |
| Application Code (scripts/launch.ts) | Start mode now uses absolute filesystem path computed from module location instead of relative path for .next/standalone/server.js execution. |

Sequence Diagrams

sequenceDiagram
    actor npm as npm (install)
    participant hooks as postinstall.mjs
    participant telemetry as install-telemetry.mjs
    participant storage as ~/.failproofai/
    participant claude as ~/.claude/settings.json
    participant posthog as PostHog API

    npm->>hooks: trigger postinstall hook
    hooks->>hooks: check INIT_CWD context
    hooks->>storage: read hooks-config.json
    hooks->>claude: inspect for failproofai entries
    hooks->>hooks: compute hostname HMAC-SHA256
    hooks->>telemetry: trackInstallEvent("package_installed", {platform, arch, ...})
    telemetry->>storage: read/create instance-id
    telemetry->>telemetry: derive distinct_id
    telemetry->>posthog: fetch POST to /capture (5s timeout)
    posthog-->>telemetry: response (fire-and-forget)
    telemetry-->>hooks: resolve
    hooks-->>npm: complete

sequenceDiagram
    actor npm as npm (uninstall)
    participant hooks as preuninstall.mjs
    participant claude as ~/.claude/settings.json<br/>.claude/settings.json<br/>.claude/settings.local.json
    participant telemetry as install-telemetry.mjs
    participant storage as ~/.failproofai/
    participant posthog as PostHog API

    npm->>hooks: trigger preuninstall hook
    hooks->>hooks: check INIT_CWD context
    loop for each settings path
        hooks->>claude: read JSON (deduped paths)
        hooks->>hooks: filter hooks with __failproofai_hook__ marker
        hooks->>hooks: prune empty arrays/objects
        hooks->>claude: write if modified (best-effort)
    end
    hooks->>telemetry: trackInstallEvent("package_uninstalled", {...})
    telemetry->>storage: read instance-id
    telemetry->>posthog: fetch POST to /capture (5s timeout, awaited)
    posthog-->>telemetry: response
    telemetry-->>hooks: resolve (suppress errors)
    hooks-->>npm: complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 Hops through install and uninstall with glee,
Telemetry whispers to PostHog, "Here I be!"
Instance IDs hashed, hooks are cleaned and neat,
Lifecycle magic makes the workflow complete!


NiveditJain merged commit 44036fe into main Apr 6, 2026
8 checks passed
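
The marker-based cleanup that the walkthrough describes for preuninstall (drop entries carrying `__failproofai_hook__`, prune what that leaves empty, write only if something changed), as an added JavaScript example. It is not the project's scripts/preuninstall.mjs; the settings shape, the function name `stripMarkedHooks` and the sample commands are assumptions.

```javascript
const MARKER = "__failproofai_hook__"; // marker field name from the walkthrough

// Returns a cleaned copy plus a flag; the input object is never mutated.
// Assumed shape: { hooks: { <Event>: [ { matcher?, hooks: [ {...} ] } ] } }
function stripMarkedHooks(settings) {
  const hooks = settings && settings.hooks;
  if (!hooks || typeof hooks !== "object" || Array.isArray(hooks)) {
    return { settings, modified: false }; // nothing we recognise: leave as is
  }
  let modified = false;
  const cleaned = {};
  for (const [event, groups] of Object.entries(hooks)) {
    if (!Array.isArray(groups)) { cleaned[event] = groups; continue; }
    const keptGroups = [];
    for (const group of groups) {
      if (!group || !Array.isArray(group.hooks)) { keptGroups.push(group); continue; }
      // Only entries explicitly marked as ours are removed; user hooks stay.
      const kept = group.hooks.filter((h) => !(h && h[MARKER] === true));
      const removed = kept.length !== group.hooks.length;
      if (removed) modified = true;
      // Prune a group only when our own removal emptied it.
      if (kept.length > 0 || !removed) keptGroups.push({ ...group, hooks: kept });
    }
    if (keptGroups.length > 0 || groups.length === 0) cleaned[event] = keptGroups;
  }
  if (!modified) return { settings, modified: false }; // caller skips the write
  const result = { ...settings };
  if (Object.keys(cleaned).length > 0) result.hooks = cleaned;
  else delete result.hooks;
  return { settings: result, modified: true };
}

// Constructed sample; the commands are placeholders, not real project commands.
const sample = {
  permissions: { allow: ["Bash(ls:*)"] },
  hooks: {
    PreToolUse: [{ matcher: "Bash", hooks: [
      { type: "command", command: "example-marked-command", [MARKER]: true },
      { type: "command", command: "my-own-linter" },
    ] }],
    Stop: [{ hooks: [{ type: "command", command: "example-marked-command", [MARKER]: true }] }],
  },
};
const { settings: after, modified } = stripMarkedHooks(sample);
console.log(modified, JSON.stringify(after, null, 2));
```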