Publish to npm
Publish an api2cli-generated CLI to the npm registry so users can install it with
or run it with
.
Phase 1: Pre-flight
Run these checks silently. Only stop if auth is missing.
Auth
- If it succeeds: note the username, continue.
- If it fails: tell the user to run first. Stop and wait until they confirm.
Resolve package name
Read
from
. Determine the publish name:
- If has template placeholders (), derive the name from the directory name (e.g. → ).
- Run :
- 404 (not found): this is a first-time publish. Name is available; use it.
- "Unpublished": the name is frozen for 24 hours after unpublish. Ask the user to pick a different name or wait. Check alternatives like , , etc.
- Returns a version owned by the same npm user: this is a repeat publish.
- Returns a version owned by someone else: the name is taken. Switch to automatically.
Resolve version
- First-time publish: use the version already in .
- Repeat publish: read the currently published version, increment the patch number (e.g. → ). If the user explicitly asked for a minor or major bump, use that instead.
Phase 2: Validate package.json
Fix
so it's npm-ready. See
references/package-checklist.md for details.
Apply silently:
- and match resolved values
- key matches the npm package name and points to
- is
["dist/index.js", "README.md"]
- is
Apply and mention briefly:
- — set if missing or placeholder
- — read from
git remote get-url origin
- — default to if missing
- — add if shebang is
Name changes
If the npm package name differs from the scaffold name, update
and
key in
, all command references in
, and
. Do a thorough search — partial find-and-replace easily misses references in code blocks.
Phase 3: Audit README for npm consumers
Before building, read the README and check it makes sense to a stranger who found this package on npmjs.com — not a monorepo contributor.
Required sections
The README must have all of the following. If any are missing or wrong, rewrite them:
-
Install section at the top with:
npm i -g <name>
# or
npx <name> --help
-
Usage section using the final npm package name as the command (e.g.
breweries-cli breweries list
), not internal dev invocations like
,
, or
.
-
No absolute local paths — scan for
,
,
, or any path that only exists on the author's machine. Remove or replace with generic instructions.
-
No monorepo-internal instructions — remove any steps that require cloning the repo, running
at a workspace root, using
, or cd-ing into a sub-package. Move these to a
section at the bottom if needed.
Angle bracket escaping
npm's markdown renderer strips bare
as HTML tags. Check all option descriptions and replace unescaped angle brackets:
- Bad:
--format <text|json|csv|yaml>
- Good: where is one of: , , ,
- Or: wrap in a code block where angle brackets are safe
Phase 4: Build
- If build fails: STOP. Show the error. Do not continue. Help fix the build if possible, then retry.
After building, verify the shebang survived:
It must be
. If missing, prepend it:
bash
echo '#!/usr/bin/env bun' | cat - dist/index.js > dist/tmp && mv dist/tmp dist/index.js
chmod +x dist/index.js
Phase 5: Verify
- is included
- No , , , token files, or large compiled binaries leaked in
- Total tarball size is under 200KB (typical for a bundled JS CLI). If larger, warn the user and check in package.json
Then show the pack summary as a final sanity check:
bash
npm pack --dry-run 2>&1 | head -30
Ask the user: "Does the README look right for an npm package page?" before continuing.
Phase 6: Confirm and publish
Present one summary for confirmation:
Ready to publish:
<name>@<version> (first-time / update)
account: <npm-username>
files: dist/index.js, README.md, package.json (<size>)
install: npm i -g <name>
npx: npx <name> --help
Ask: "Publish?"
If user confirms, tell them to run this command in their terminal:
bash
cd <cli-directory> && npm publish --access public
The agent cannot run
itself because npm's 2FA requires interactive browser authentication. The user must run the command, which will:
- Show "Authenticate your account at: "
- Open their browser to authenticate (passkey, OTP, etc.)
- Complete the publish
If publish fails, read the error and help the user resolve it.
Phase 7: Done
After successful publish, report:
https://www.npmjs.com/package/<name>
Updating an existing npm package
When the user asks to "update npm" or "publish a new version":
- Bump version in (patch by default, e.g. → ). Do not use (it creates git tags).
- Rebuild:
- Verify shebang: must be
- Verify pack: — confirm files and size look correct
- Tell user to publish in their terminal:
cd <cli-directory> && npm publish --access public
If the update includes a name change (e.g. renaming the command), follow the Name Changes checklist in Phase 2 before building.
Do NOT
- Do not publish if the build failed.
- Do not run from the agent shell — it requires interactive browser auth. Always tell the user to run it in their terminal.
- Do not retry or handle 2FA programmatically.
- Do not publish files outside and unless the user explicitly asks.
- Do not run (creates git tags); bump version in directly.
- Do not include the compiled standalone binary () in the published package — it is 50MB+ and not needed for npm consumers.