fix(publish): resolve catalog:/workspace:* protocols + use npm pack

[byapparov]

Summary

The publish pipeline shipped `@aictrl/cli@0.3.3` with unresolved `workspace:*` deps and `@aictrl/util@1.2.16` with unresolved `catalog:` deps. Both are Bun-only protocols — plain `npm install` rejects them with `EUNSUPPORTEDPROTOCOL`. This silently broke the AI Review workflow on every PR for ~4 weeks (#72) and any downstream npm consumer.

Root cause

Two interacting bugs:

1. `bun pm pack` ignores in-place package.json edits. `publish.yml`'s "Strip bundled deps" step ran a `node -e ...` that deleted `pkg.dependencies`, `pkg.devDependencies`, `pkg.peerDependencies`, `pkg.exports`, and `pkg.type` before pack — but every one of those fields survived to the published tarball. Verified by extracting `aictrl-cli-0.3.3.tgz` and inspecting its `package.json`: `type`, `exports`, `dependencies` (with `workspace:*`), `devDependencies`, `peerDependencies` all present. `bun pm pack` reads workspace deps from the workspace lockfile/manifest snapshot, not from the on-disk `package.json`.

2. No `catalog:` resolver anywhere in the pipeline. `@aictrl/util` ships `{ zod: 'catalog:' }` because the strip-everything approach (only run on CLI) doesn't apply to packages that actually need runtime deps. The `catalog:` protocol comes from Bun's centralized version pinning; npm has no equivalent and rejects it.

Evidence:

```bash
$ npm view @aictrl/cli@0.3.3 dependencies
{ '@aictrl/plugin': 'workspace:', '@aictrl/sdk': 'workspace:', '@aictrl/util': 'workspace:*', ... }

$ npm view @aictrl/util@latest dependencies
{ zod: 'catalog:' }

$ npm install @aictrl/cli@latest
npm error code EUNSUPPORTEDPROTOCOL
npm error Unsupported URL Type "workspace:": workspace:*
```

Fix

`publish-if-new.sh`

• Add a catalog:/workspace: resolver before pack. Reads root `package.json > workspaces.catalog` for catalog deps, uses `AICTRL_VERSION` env for sibling workspace deps. Covers `dependencies`, `optionalDependencies`, `peerDependencies`, `devDependencies` fields.
• Fail-loud if a catalog dep has no catalog entry, or if `workspace:*` is hit without `AICTRL_VERSION`. No silent fallback.
• Replace `bun pm pack` with `npm pack` — `npm pack` reads only the on-disk `package.json`, so both the resolver above and the existing "Strip bundled deps" step in `publish.yml` actually take effect.

`publish.yml`

• In Build Packages, expose stripped `AICTRL_VERSION` (no `v` prefix) to subsequent steps via `$GITHUB_ENV` so the resolver can see it. One-line change.
• New post-publish smoke test step: in a scratch dir on the runner, `npm install @aictrl/cli@$AICTRL_VERSION`, with CDN-aware retry (5 × 30s). Fails loud on `EUNSUPPORTEDPROTOCOL` immediately (no retry — won't help). Catches the entire bug class.

Local verification

Resolver against `packages/util/package.json`:
```
"zod": "catalog:" → "zod": "4.1.8" ✓
"typescript": "catalog:" → "typescript": "5.8.2" ✓
"@types/bun": "catalog:" → "@types/bun": "1.3.9" ✓
```

Resolver against `v0.3.3:packages/cli/package.json` with `AICTRL_VERSION=0.3.4`:
```
"@aictrl/plugin": "workspace:" → "0.3.4" ✓
"@aictrl/sdk": "workspace:" → "0.3.4" ✓
"@aictrl/util": "workspace:*" → "0.3.4" ✓
"@octokit/rest": "catalog:" → resolved from root catalog ✓
```
`npm pack` produced a valid `aictrl-cli-0.3.3.tgz`.

Fail-loud path verified: with `AICTRL_VERSION` unset on a CLI package.json that still has workspace deps, the resolver exits with `::error::dependencies[@aictrl/plugin] is workspace:* but AICTRL_VERSION env var is not set` and no tarball is produced.

End-to-end validation plan

The publish workflow only runs on `release: published` events, so this can't be exercised in CI on the PR itself. Validation steps after merge:

1. Cut a release `v0.3.4` (just for this fix).
2. Watch the workflow logs:
   • `::notice::resolved Bun-only protocol deps in @aictrl/util@1.2.16` should appear.
   • Smoke test step should print `::notice::npm install @aictrl/cli@0.3.4 succeeded on attempt N` and exit green.
3. From any clean dir: `mkdir /tmp/t && cd /tmp/t && npm init -y && npm install @aictrl/cli@0.3.4` — should succeed.
4. (Recommended) `npm deprecate @aictrl/cli@0.3.3 "Broken: workspace:* deps, use 0.3.4+. See Publish: @aictrl/cli@0.3.3 ships unresolved workspace:* deps → npm install fails with EUNSUPPORTEDPROTOCOL #72"` and same for `@aictrl/util@1.2.16` so existing `@latest` resolvers get a warning instead of a silent install failure.

Once 0.3.4 is on npm, the `Aictrl AI Review` workflow on this repo (which does `npm install @aictrl/cli@latest`) will start passing again.

Test plan

• Resolver outputs concrete semver for `catalog:` deps (verified against `packages/util/package.json`)
• Resolver outputs concrete semver for `workspace:*` deps when `AICTRL_VERSION` is set (verified against v0.3.3 CLI manifest)
• Resolver fails loud when a catalog dep has no catalog entry
• Resolver fails loud on `workspace:*` without `AICTRL_VERSION`
• `npm pack` produces a valid tarball after the resolver runs
• YAML lint clean on the updated publish.yml
• Bash syntax clean on the updated publish-if-new.sh
• End-to-end: smoke test passes on a real release cut (only verifiable on merge + tag)

Related

• Publish: @aictrl/cli@0.3.3 ships unresolved workspace:* deps → npm install fails with EUNSUPPORTEDPROTOCOL #72 — the parent bug
• Publish workflow: fail loud on npm auth errors instead of silently tolerating them #51 — sibling fix (fail-loud on `npm publish` auth errors); same theme of silent-failure publish bugs
• fix(run): exit non-zero on session.error so CI wrappers see failures #71 — `aictrl run` exit-code fix; merged but currently un-installable due to Publish: @aictrl/cli@0.3.3 ships unresolved workspace:* deps → npm install fails with EUNSUPPORTEDPROTOCOL #72
• aictrl-dev/aictrl#2058 — downstream impact (parent prod investigation; same AI Review workflow there)

Closes #72

🤖 Generated with Claude Code