Comparing changes

base repository: endevco/aube
base: 6587e37
head repository: endevco/aube
compare: 16ded6f
  • 3 commits
  • 22 files changed
  • 2 contributors

Commits on Apr 18, 2026

  1. publish: ship aube on npm as @endevco/aube (#12)

    ## Summary
    
    - Add a preinstall-based npm distribution alongside the existing
    mise/cargo/curl paths. Root package is `@endevco/aube`; six per-platform
    subs are `@endevco/aube-<os>-<arch>` (darwin-arm64, darwin-x64,
    linux-x64, linux-arm64, win32-x64, win32-arm64).
    - New standalone workflow
    [`publish-npm.yml`](.github/workflows/publish-npm.yml) triggers on
    `release: published` (and `workflow_dispatch` for reruns). Decoupled
    from `release-plz.yml` so an npm hiccup never blocks crates.io or the
    GitHub release.
    - Auth via npm **Trusted Publishing (OIDC)** — no `NPM_TOKEN` secret.
    
    ## How it works
    
    At install time, `@endevco/aube`'s [`preinstall`
    script](npm/installArchSpecificPackage.js) spawns `npm install --no-save
    @endevco/aube-<os>-<arch>@<version>` and hardlinks (falling back to
    copy) the three binaries (`aube`, `aubr`, `aubx`) from the sub-package's
    `bin/` into the root's `./bin/`. Shape mirrors
    [`@jdxcode/mise`](https://www.npmjs.com/package/@jdxcode/mise) — no
    runtime JS shim and no `optionalDependencies` sprawl in
    `package-lock.json`. Note this means `--ignore-scripts` and fully
    offline caches won't work; those users keep the mise/cargo paths.
    
    The multicall dispatch from [#6](#6)
    works through npm because the preinstall creates three named files, so
    `aubr` invoked via npm's bin wrapper sees `argv[0]` ending in `aubr` and
    routes to `run`.
    
    At release time, [`npm/scripts/publish.mjs`](npm/scripts/publish.mjs)
    downloads each `aube-<tag>-<target>.{tar.gz,zip}` from the
    just-published GitHub release, extracts the binaries, stages a
    platform-scoped `package.json` with correct `os`/`cpu`/`bin`, and `npm
    publish`es each sub-package. Root publishes last so its preinstall can
    resolve every sub. Auto-picks the `next` dist-tag for pre-releases
    (`1.0.0-beta.1` → `next`) and `latest` for stable. `DRY_RUN=1`,
    `SKIP_ROOT=1`, and `SKIP_PLATFORMS=1` env flags exist for manual
    recovery.
    
    ## Why OIDC
    
    npm's Trusted Publishing (GA mid-2025) exchanges a short-lived GitHub
    OIDC token for a one-shot npm publish token. No long-lived secret to
    rotate or leak, and the publish is provenance-signed. Requires npm ≥
    11.5.1 — the workflow upgrades to `npm@latest` before publishing to
    avoid drift with the version Node 24 ships.
    
    ## Pre-merge setup
    
    On [npmjs.com/org/endevco](https://www.npmjs.com/org/endevco) → Settings
    → Trusted Publishers, add an org-level trusted publisher:
    - Repo: `endevco/aube`
    - Workflow: `.github/workflows/publish-npm.yml`
    - Environment: (blank)
    
    Org-level config covers all new `@endevco/*` packages, so the first
    release auto-covers root + 6 subs.
    
    ## Limitations / follow-ups
    
    - `aube` (unscoped) is taken on npm by a year-old placeholder
    (`estjs/aube`, 1 version, never updated). If you want the unscoped name,
    file an [npm dispute](https://docs.npmjs.com/policies/disputes) —
    unrelated to this PR.
    - No Alpine / musl package yet. Linux users on glibc distros get
    `linux-<arch>`; muslc users will hit the glibc binary and fail. Adding
    `linux-x64-musl` / `linux-arm64-musl` needs corresponding Rust release
    targets first.
    - Retrying after partial publish failure: same-version republishes
    return 403. Recovery is running the workflow manually with
    `SKIP_PLATFORMS=1` (or vice versa) to publish only what hasn't shipped.
    
    ## Test plan
    
    - [x] Built `aube`, `aubr`, `aubx` locally; staged a fake
    `@endevco/aube-darwin-arm64` sub-package under `node_modules/`; ran the
    link logic and confirmed each bin dispatches to the right subcommand via
    `argv[0]` basename (`aubr --help` → `run`'s help, `aubx --help` →
    `dlx`'s help).
    - [x] `npm pack --dry-run` on the root package — tarball contains only
    `installArchSpecificPackage.js` + `package.json` (README copied in by
    publish script at release time).
    - [x] `npm pack --dry-run` on a hand-staged platform package — contains
    `bin/{aube,aubr,aubx}`, `package.json` with correct `os`/`cpu`,
    `README.md`.
    - [ ] End-to-end first publish under `1.0.0-beta.X` with `next`
    dist-tag, then `npm install -g @endevco/aube@next` from a clean machine.
    Runs for real on the next release.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    <!-- CURSOR_SUMMARY -->
    ---
    
    > [!NOTE]
    > **Medium Risk**
    > Adds a new release-triggered GitHub Actions workflow and
    `preinstall`-driven npm packaging/publishing logic, which can impact
    release automation and end-user installation behavior if misconfigured.
    > 
    > **Overview**
    > Adds npm distribution for `aube` by introducing a root `@endevco/aube`
    package that installs a platform-specific `@endevco/aube-<os>-<arch>`
    subpackage at `preinstall` time and links/copies the native
    `aube`/`aubr`/`aubx` binaries into `./bin`.
    > 
    > Introduces a new `publish-npm` GitHub Actions workflow that runs on
    `release: published` (or manual tag input) and uses npm Trusted
    Publishing (OIDC) to download release artifacts, stage per-platform npm
    packages, and publish them before publishing the root package.
    Documentation is updated to mention `npm install -g @endevco/aube` as an
    install option.
    > 
    > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
    cf71251. Bugbot is set up for automated
    code reviews on this repo. Configure
    [here](https://www.cursor.com/dashboard/bugbot).</sup>
    <!-- /CURSOR_SUMMARY -->
    
    ---------
    
    Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    jdx and claude authored Apr 18, 2026
    98df790
  2. release: use cross + rustls-tls for linux targets (#15)

    ## Summary
    
    - The `aarch64-unknown-linux-gnu` upload-assets job in [run
    24613265153](https://github.com/endevco/aube/actions/runs/24613265153)
    failed with `fatal error: openssl/opensslconf.h: No such file or
    directory` — `openssl-sys` (pulled in by reqwest's `native-tls` feature)
    couldn't find aarch64 OpenSSL headers. `setup-cross-toolchain-action`
    installs `aarch64-linux-gnu-gcc` but points it at a stub sysroot that
    lacks the arch-specific openssl config.
    - Switch reqwest to `rustls-tls` (pure Rust) so TLS no longer depends on
    system libraries, and run Linux builds through `cross` so the per-target
    Docker image also gives us an older, more portable glibc — matching how
    fnox ships Linux binaries.
    - `Identity::from_pkcs8_pem` is native-tls-only. The per-registry
    client-cert path now concatenates cert+key into a combined PEM buffer
    and calls `Identity::from_pem`, which works under rustls.
    
    ## Changes
    
    - `Cargo.toml` — reqwest: `default-features = false`, add `rustls-tls`
    - `crates/aube-registry/Cargo.toml` — drop now-redundant `native-tls`
    feature override
    - `crates/aube-registry/src/client.rs` — switch
    `Identity::from_pkcs8_pem` → `Identity::from_pem` with combined cert+key
    PEM
    - `.github/workflows/release.yml` — add `build-tool` matrix column
    (`cross` for Linux, `cargo` elsewhere); remove
    `setup-cross-toolchain-action` (the action installs cross itself)
    
    ## Test plan
    
    - [ ] `cargo build` passes locally
    - [ ] `cargo clippy --all-targets -- -D warnings` clean
    - [ ] New release run uploads all six target archives, including
    `aarch64-unknown-linux-gnu`
    - [ ] Linux binaries run on a distro with older glibc (cross uses an
    older base image than ubuntu-latest)
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    <!-- CURSOR_SUMMARY -->
    ---
    
    > [!NOTE]
    > **Medium Risk**
    > Medium risk because it changes the TLS backend for all HTTP calls and
    modifies the release build pipeline for Linux targets, which could
    affect network compatibility and artifact portability.
    > 
    > **Overview**
    > **Switches HTTP TLS from system OpenSSL to pure-Rust `rustls`.**
    Workspace `reqwest` is rebuilt with `default-features = false` and
    `rustls-tls` (dropping `native-tls`/OpenSSL dependencies), and
    `aube-registry` removes its `native-tls` override; `Cargo.lock` updates
    accordingly.
    > 
    > **Updates registry client mTLS handling and release builds.**
    Per-registry client cert/key loading now concatenates cert+key into a
    single PEM and uses `reqwest::Identity::from_pem` for rustls
    compatibility, and the release workflow builds Linux targets via `cross`
    (matrix `build-tool`) while keeping `cargo` elsewhere and removing the
    cross toolchain setup step.
    > 
    > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
    e214e23. Bugbot is set up for automated
    code reviews on this repo. Configure
    [here](https://www.cursor.com/dashboard/bugbot).</sup>
    <!-- /CURSOR_SUMMARY -->
    
    ---------
    
    Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    jdx and claude authored Apr 18, 2026
    0107088
  3. 16ded6f
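
The install-time and dist-tag steps described in the first commit message (#12), sketched as an added example; this is not the project's `installArchSpecificPackage.js` or `publish.mjs`. The function names, the allowlist and version checks, and the `.exe` suffix on Windows are assumptions made for illustration.

```javascript
// Added example (hypothetical helpers), not code from endevco/aube.
const fs = require("node:fs");
const path = require("node:path");

// The six sub-packages named in the commit message.
const SUPPORTED = new Set([
  "darwin-arm64", "darwin-x64", "linux-x64",
  "linux-arm64", "win32-x64", "win32-arm64",
]);
const BINARIES = ["aube", "aubr", "aubx"];

// Build the exact-version spec handed to `npm install --no-save`.
// An allowlist plus a strict version check keeps anything unexpected
// (ranges, dist-tags, stray characters) out of the spawned npm command.
function subPackageSpec(platform, arch, version) {
  const key = `${platform}-${arch}`;
  if (!SUPPORTED.has(key)) throw new Error(`unsupported platform: ${key}`);
  if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(version)) {
    throw new Error(`refusing non-exact version: ${version}`);
  }
  return `@endevco/aube-${key}@${version}`;
}

// Pre-releases go to `next`, stable versions to `latest`.
// Build metadata after "+" is ignored when looking for a pre-release part.
function distTag(version) {
  return version.split("+")[0].includes("-") ? "next" : "latest";
}

// Hardlink each binary into destDir, copying when linking fails
// (for example across filesystems). Returns the method used per file.
// Assumption: Windows binaries carry a `.exe` suffix.
function linkBinaries(srcDir, destDir, platform) {
  const ext = platform === "win32" ? ".exe" : "";
  fs.mkdirSync(destDir, { recursive: true });
  const used = {};
  for (const name of BINARIES) {
    const src = path.join(srcDir, name + ext);
    const dest = path.join(destDir, name + ext);
    fs.rmSync(dest, { force: true }); // linkSync fails if dest exists
    try {
      fs.linkSync(src, dest);
      used[name] = "link";
    } catch {
      fs.copyFileSync(src, dest);
      used[name] = "copy";
    }
  }
  return used;
}
```

Because the three binaries are created as separately named files, the `argv[0]` dispatch the commit message describes still sees `aubr` or `aubx` as the invoked name.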