Skip to content

Release and provenance notes

This project can be prepared for npm publication from the repository, but publication remains a separate maintainer-authorized action. Do not publish, tag, or bump versions as part of ordinary feature work unless the maintainer explicitly requests a release.

Package identity

npm package name:

text
@blurt-blockchain/blurt-mcp-server

Runtime bins after installation:

text
blurt-mcp-server
blurt-mcp-stdio

Pre-publish checks

Run the normal validation suite first:

bash
npm run check:secrets
npm run docs:check
npm run typecheck
npm test
npm run build
npm run test:http
npm run test:live

Then verify package contents and bin metadata:

bash
npm run pack:check
npm run smoke:package

pack:check is dry-run only. smoke:package creates a temporary tarball, verifies expected runtime/docs files and bin shebangs, then removes the tarball.

Publication

Publication is intentionally not automated in package scripts. When a maintainer approves a release, decide first:

  • version bump and changelog impact;
  • Git tag timing;
  • npm account / organization access;
  • OTP requirements;
  • whether npm provenance is supported by the chosen CI path.

Then publish from a clean, validated commit using the selected release process.

Provenance / signing

npm provenance or signing should be enabled only when the real release pipeline supports it end-to-end. The repository currently prepares package metadata and pack validation, but does not pretend to produce a provenance attestation. This avoids false security claims.