Tighten the v1.1.0 release package boundary#32
Merged
GsCommand merged 1 commit intoMar 21, 2026
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
v1.1.0) is the canonical shipped package surface and legacyv1.0.0is retained only as historical repo material.files/exports, checksum tooling, validation scripts, and docs describe the exact same shipped boundary.Description
package.jsonto only the current-line artifacts and metadata:schemas/v1.1.0/,examples/v1.1.0/,manifest.json,checksums.txt,LICENSE,README.md, and added package-rootindex.jsas the entrypoint and export; removed repo-wide wildcard schema/example exports.index.jsthat re-exportsschemas/v1.1.0/index.jsonso the package root resolves to the current line viaindex.js.v1.0.0ashistorical-repo-only(no longer treated as part of the shipped surface). (manifest.json).scripts/generate-checksums.mjs,scripts/validate-integrity.mjs,scripts/validate-all.mjs) so they includeLICENSE,README.md, andindex.jsamong checksum targets and assert the packagefiles/exports reflect the canonical published boundary..github/workflows/validate.yml) to run the aggregatenpm run validate, regenerate checksums, and runnpm pack --dry-runto verify the publish surface.README.md,POLICY.md,SPEC.md,SECURITY_PROVENANCE.md,ONBOARDING.md, andreleases/v1.1.0.md, explicitly describingv1.0.0as repository-only historical material.Testing
npm install(succeeded).npm run generate:checksumsto regeneratechecksums.txt(succeeded and wrote 45 entries).sha256sum -c checksums.txt(succeeded).npm test(which runsnpm run validate→validate:schemas,validate:examples,validate:integrity) and all validation checks passed (succeeded).npm pack --dry-runto inspect the packed publish surface and confirmed the tarball contains only the narrowed v1.1.0 payload plus expected metadata (succeeded).Codex Task