Operations

npm Publishing

Package ownership, dry runs, provenance, and smoke testing.

This page is for maintainers preparing MeshKit package publication. It is not part of the normal adopter path.

User-facing docs should point developers to install @meshkit/meshkit first, then runtime, Core, CLI, or MCP packages only when needed.

Publishing Checklist

Before publishing:

Confirm package names use the @meshkit/* scope.
Confirm package metadata matches the release plan.
Build all packages.
Run dry-pack and dry-publish checks.
Run post-publish smoke checks against packed artifacts.
Confirm docs examples use scoped imports.
Confirm no token, .npmrc, private key, or credential leaks into logs or packages.

Evidence Commands

npm pack --workspaces --dry-run
npm run publish:dry
npm run postpublish:smoke

Use the repository release scripts that match the current package manager and release process.

Redaction Rules

Never capture:

npm tokens
.npmrc
registry auth headers
provider tokens
private keys
wallet controls
decrypted MeshKit content

Safe to capture:

package name
package version
tarball filename
file list summary
command exit code
sanitized smoke-test output

Docs Coupling

Any release that changes user behavior must update:

Install
Version compatibility
Roadmap status
Reference pages affected by the API change
Migration notes when behavior is breaking

Next Steps

Live Validation

Opt-in validation commands for real provider environments.

Version Compatibility

Supported Node, package, and runtime compatibility.

On this page

Publishing Checklist Evidence Commands Redaction Rules Docs Coupling Next Steps