Release and provenance notes
This project can be prepared for npm publication from the repository, but publication remains a separate maintainer-authorized action. Do not publish, tag, or bump versions as part of ordinary feature work unless the maintainer explicitly requests a release.
Package identity
npm package name:
@blurt-blockchain/blurt-mcp-serverRuntime bins after installation:
blurt-mcp-server
blurt-mcp-stdioPre-publish checks
Run the normal validation suite first:
npm run check:secrets
npm run docs:check
npm run typecheck
npm test
npm run build
npm run test:http
npm run test:liveThen verify package contents and bin metadata:
npm run pack:check
npm run smoke:packagepack:check is dry-run only. smoke:package creates a temporary tarball, verifies expected runtime/docs files and bin shebangs, then removes the tarball.
Publication
Publication is intentionally not automated in package scripts. When a maintainer approves a release, decide first:
- version bump and changelog impact;
- Git tag timing;
- npm account / organization access;
- OTP requirements;
- whether npm provenance is supported by the chosen CI path.
Then publish from a clean, validated commit using the selected release process.
Provenance / signing
npm provenance or signing should be enabled only when the real release pipeline supports it end-to-end. The repository currently prepares package metadata and pack validation, but does not pretend to produce a provenance attestation. This avoids false security claims.