VibeFlow — Deploy Plan (git + npm)
Status of the package as verified by `npm pack --dry-run`:
- `@magicpro97/vibeflow@0.7.0`, tarball 77 kB / unpacked 252 kB.
- Ships only: `dist/cli.js` (built), `README.md`, `LICENSE`, `docs/**`, `package.json`.
- No `src/`, `test/`, `.vibeflow/`, `.env`, or secrets in the tarball (the `files` allow-list + `.gitignore` keep them out). Verified.
- `bin: { vf: ./dist/cli.js }`, `prepublishOnly: bun run build`, `publishConfig.access: public`, `engines.node >=18`, MIT license, `repository`/`homepage`/`bugs` fields present.
- `bun run check` (typecheck+lint+test) green: 1285 tests, 100% line coverage.
⚠️ MUST CONFIRM before publishing
1. Repository URL — I set `repository.url` to `git+https://github.com/magicpro97/vibeflow.git` (and matching `homepage`/`bugs`) as a placeholder. Confirm the real GitHub owner/repo and correct these three fields before publish, or the npm page links will 404.
2. npm scope `@vibeflow` — publishing `@magicpro97/vibeflow` requires that the `@vibeflow` org/scope exists on npm and you’re a member, OR rename to an unscoped/owned name. Confirm you own the scope (`npm org ls vibeflow` / check npmjs.com). `publishConfig.access: "public"` is already set for a scoped public publish.
3. Version — `0.7.0` is the current pre-1.0 release. `release-please` is wired (PR #51 follow-up); the next version bump will be done by the release-please bot on merge to `main`. Manual: bump `package.json:version`, run `release-please-config.json` generation, tag.
Git deploy (do first)
- Create the GitHub repo (manual or `gh repo create <owner>/vibeflow --public --source=. --remote=origin`). The user must run `gh auth login` / `gh repo create` themselves (interactive auth) — suggest typing `! gh repo create ...` in the session so output lands here.
- Add remote (if not via `gh`): `git remote add origin git@github.com:<owner>/vibeflow.git`.
- Push — current branch is `main`, history is clean (8 logical commits, the throwaway “wip checkpoint” was already rewritten into feat/test/docs/chore commits). Push with upstream: `git push -u origin main`. (No force — nothing is published yet.)
- Tag the release: `git tag vX.Y.Z && git push origin vX.Y.Z`.
- Optional: a GitHub Actions CI running `bun install && bun run check` on push/PR (the repo already has a `.githooks/pre-commit` gate locally; CI mirrors it). Defer unless wanted.
npm deploy (after git)
- Auth: `npm login` (or `npm whoami` to confirm) — user runs this (interactive). For CI, an `NPM_TOKEN` + `npm publish` step.
- Dry-run once more: `npm publish --dry-run` — confirm the 77 kB tarball contents shown above.
- Build is automatic: `prepublishOnly` runs `bun run build` → `dist/cli.js`. Ensure `dist/` is NOT gitignored away from the publish (it’s in `files`; npm builds it fresh via prepublishOnly, so a missing committed `dist/` is fine).
- Publish: `npm publish` (scope access already public).
- Smoke-test the published bin: in a throwaway dir, `npx @magicpro97/vibeflow@0.7.0 doctor` → should print the environment check. Also `npx @magicpro97/vibeflow doctor --probe` if engines installed.
Pre-publish checklist (gate — all must hold)
- `repository`/`homepage`/`bugs` URLs corrected to the real repo (item ⚠️1).
- `@vibeflow` npm scope owned/confirmed (item ⚠️2), or package renamed.
- `bun run check` green (currently true: 1285 tests, 100% line coverage).
- `npm pack --dry-run` shows no src/test/secret files (currently true).
- `git push -u origin main` succeeded + `vX.Y.Z` tag pushed.
- `LICENSE` present (true) and README install line matches the final package name.
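The tarball-contents gate above can be checked mechanically instead of by eye. This is an added example, not part of the VibeFlow repo: it audits the `files` array that `npm pack --dry-run --json` reports against the allow-list and exclusions stated in this plan. `auditPack`, the `SECRET_LIKE` patterns and both sample reports are assumptions constructed for illustration.

```javascript
// Added example: audit an `npm pack --dry-run --json` report against this plan's lists.
const ALLOWED = [/^dist\/cli\.js$/, /^README\.md$/, /^LICENSE$/, /^docs\//, /^package\.json$/];
const FORBIDDEN = [/^src\//, /^test\//, /^\.vibeflow\//, /(^|\/)\.env(\..*)?$/];
// Assumption (not from the plan): file names that commonly carry credentials.
const SECRET_LIKE = [/(^|\/)\.npmrc$/, /\.pem$/, /(^|\/)id_(rsa|ed25519)$/];

function auditPack(packJson) {
  const report = JSON.parse(packJson)[0]; // npm emits an array, one entry per package
  const findings = [];
  for (const { path: raw } of report.files) {
    const p = raw.replace(/\\/g, "/"); // tolerate Windows separators in the report
    if (FORBIDDEN.some((re) => re.test(p))) {
      findings.push({ path: p, reason: "forbidden" });
    } else if (SECRET_LIKE.some((re) => re.test(p))) {
      findings.push({ path: p, reason: "secret-like" });
    } else if (!ALLOWED.some((re) => re.test(p))) {
      findings.push({ path: p, reason: "not-allow-listed" });
    }
  }
  return { name: report.name, version: report.version, entries: report.files.length, findings };
}

// Constructed sample: what a clean report for this package would list.
const CLEAN = JSON.stringify([{
  name: "@magicpro97/vibeflow", version: "0.7.0",
  files: [{ path: "LICENSE" }, { path: "README.md" }, { path: "dist/cli.js" },
          { path: "docs/deploy.md" }, { path: "package.json" }],
}]);

// Constructed sample: the same report after a broken `files` list lets extras in.
const LEAKY = JSON.stringify([{
  name: "@magicpro97/vibeflow", version: "0.7.0",
  files: [{ path: "dist/cli.js" }, { path: "package.json" }, { path: ".env" },
          { path: "src/cli.ts" }, { path: "scripts/release.sh" }, { path: ".npmrc" }],
}]);

console.log(auditPack(CLEAN).findings.length === 0 ? "clean: ok" : "clean: FAIL");
for (const f of auditPack(LEAKY).findings) console.log(`${f.reason}: ${f.path}`);
```

In CI, pass it the real output of `npm pack --dry-run --json` and fail the job when `findings` is non-empty.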
Verification (post-deploy)
- `npx @magicpro97/vibeflow@0.7.0 doctor` exits 0 and prints the tool check.
- The GitHub repo shows the 8-commit history; the npm page renders README + the docs links resolve.
- `git clone <repo> && cd vibeflow && bun install && bun run check` reproduces green from a fresh clone (proves the repo is self-contained, zero-runtime-deps).
Windows CI
Cross-platform support is enforced in three layers:
1. .gitattributes # forces LF for every source file (`* text=auto eol=lf`)
2. biome.json # formatter.lineEnding = "lf" — formatter normalises newlines
3. hook scripts # risk classification + path joins use path.sep, never `/` or `\`
The `.gitattributes` file pins line endings so Windows checkouts + autocrlf
cannot rewrite `*.ts` / `*.js` / `*.json` source. Biome’s `lineEnding: "lf"`
formatter is the second line of defence — any file that slips through is
normalised on `bun run format`. Hook scripts and risk classification
(`src/agents/role-templates.ts`, the `vf` hook runner) compose paths with
`path.sep` and split with `path.split` / `path.relative`, so glob/scope rules
behave identically on win32 and posix.
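A sketch of the separator-independent scope check described above, as an added example rather than VibeFlow's own hook code. It runs the same logic under both `path.win32` and `path.posix` so the two flavours can be compared on one machine; `HIGH_RISK_DIRS`, `scopedSegments`, `classify` and the sample paths are hypothetical.

```javascript
// Added example (not VibeFlow's code): scope and risk checks built on path segments.
const path = require("node:path");

// Hypothetical rule set: top-level directories whose edits count as high risk.
const HIGH_RISK_DIRS = new Set([".githooks", ".github"]);

// Split `candidate` into segments relative to `root`, or return null when it escapes.
// `p` is a path flavour: path.win32, path.posix, or plain `path` for the host OS.
function scopedSegments(p, root, candidate) {
  const base = p.resolve(root);
  const rel = p.relative(base, p.resolve(base, candidate));
  if (rel === "") return [];              // the root itself
  if (p.isAbsolute(rel)) return null;     // win32: a path on another drive stays absolute
  const segs = rel.split(p.sep);
  return segs[0] === ".." ? null : segs;  // compare a whole segment, not a string prefix
}

function classify(p, root, candidate) {
  const segs = scopedSegments(p, root, candidate);
  if (segs === null) return "out-of-scope";
  return HIGH_RISK_DIRS.has(segs[0]) ? "high" : "normal";
}

// Constructed inputs: the same logical paths, written with "/" and converted per flavour.
const CASES = [
  ["src/agents/role-templates.ts", "normal"],
  [".githooks/pre-commit", "high"],
  ["../outside/file.ts", "out-of-scope"],
  ["..cache/file.ts", "normal"],          // a directory merely named "..cache"
];

function runCases(p, root) {
  return CASES.map(([rel, expected]) => {
    const native = rel.split("/").join(p.sep); // spell the path the way that OS would
    return { native, expected, actual: classify(p, root, native) };
  });
}

console.log(runCases(path.posix, "/work/vibeflow"));
console.log(runCases(path.win32, "C:\\work\\vibeflow"));
```

The `..cache` case is the one a naive `startsWith("..")` test misclassifies, which is why the check compares the first segment after splitting on `p.sep`.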
Notes
- Never auto-publish: git push + npm publish are out-of-this-tool actions with external blast radius — they require explicit user go-ahead and interactive auth (gh/npm login). This plan prepares everything; the user triggers the two publish commands.
- The `.vibeflow/` runtime dir, `.kiro/`-tool config, and the tool-generated `AGENTS.md`/`.claude/` are gitignored or intentionally committed per earlier decisions — none leak into the npm tarball.
Related: Master Spec · Self-Hosted Runner