feat: publish blind-fill MCP as shellgate-secrets npm package

.github/workflows/ci.yml

@@ -53,3 +53,44 @@ jobs:
       - run: npm test
         env:
           VAULT_ENCRYPTION_KEY: ${{ secrets.VAULT_ENCRYPTION_KEY }}
+
+  check-shellgate-secrets:
+    name: Check shellgate-secrets package
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for package changes
+        id: changes
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            BASE=${{ github.event.pull_request.base.sha }}
+          else
+            BASE=${{ github.event.before }}
+          fi
+          if git diff --name-only "$BASE" HEAD | grep -q '^packages/shellgate-secrets/src/'; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Verify npm version is bumped
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          LOCAL_VERSION=$(node -p "require('./packages/shellgate-secrets/package.json').version")
+          NPM_VERSION=$(npm view shellgate-secrets version 2>/dev/null || echo "0.0.0")
+          if [ "$LOCAL_VERSION" = "$NPM_VERSION" ]; then
+            echo "::error::packages/shellgate-secrets/src/ has code changes but the version ($LOCAL_VERSION) still matches what's on npm."
+            echo ""
+            echo "To fix this:"
+            echo "  1. Bump the version:  cd packages/shellgate-secrets && npm version patch"
+            echo "  2. Publish to npm:    cd packages/shellgate-secrets && npm publish"
+            echo "  3. Commit and push the updated package.json"
+            echo ""
+            echo "Use 'npm version minor' or 'npm version major' instead of 'patch' for larger changes."
+            exit 1
+          else
+            echo "Version bumped: $NPM_VERSION -> $LOCAL_VERSION"
+          fi

.github/workflows/publish.yml

@@ -10,8 +10,41 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
+  check-shellgate-secrets:
+    name: Verify shellgate-secrets version
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for unpublished package changes
+        run: |
+          LAST_TAG=$(git log --all --oneline --source --remotes --format='%H' -1 -- packages/shellgate-secrets/src/ 2>/dev/null || echo "")
+          if [ -z "$LAST_TAG" ]; then
+            echo "No changes to shellgate-secrets detected"
+            exit 0
+          fi
+          LOCAL_VERSION=$(node -p "require('./packages/shellgate-secrets/package.json').version")
+          NPM_VERSION=$(npm view shellgate-secrets version 2>/dev/null || echo "0.0.0")
+          if git diff --name-only "${{ github.event.before }}" HEAD | grep -q '^packages/shellgate-secrets/src/'; then
+            if [ "$LOCAL_VERSION" = "$NPM_VERSION" ]; then
+              echo "::error::packages/shellgate-secrets/src/ has code changes but the version ($LOCAL_VERSION) still matches what's on npm."
+              echo ""
+              echo "To fix this:"
+              echo "  1. Bump the version:  cd packages/shellgate-secrets && npm version patch"
+              echo "  2. Publish to npm:    cd packages/shellgate-secrets && npm publish"
+              echo "  3. Commit and push the updated package.json"
+              echo ""
+              echo "Use 'npm version minor' or 'npm version major' instead of 'patch' for larger changes."
+              exit 1
+            fi
+          fi
+          echo "shellgate-secrets version OK: $LOCAL_VERSION"
+
   publish:
     name: Build & Push
+    needs: check-shellgate-secrets
     runs-on: ubuntu-latest
     permissions:
       contents: read

.gitignore

@@ -25,4 +25,3 @@ vite.config.ts.timestamp-*
 .idea/
 .worktrees/
 .playwright-mcp/
-.playwright-mcp/

Dockerfile

@@ -14,7 +14,6 @@ COPY --from=builder /app/build ./build
 COPY --from=builder /app/package.json ./
 COPY --from=builder /app/package-lock.json ./
 COPY --from=builder /app/drizzle ./drizzle
-COPY --from=builder /app/src/local-mcp ./local-mcp
 RUN npm ci --omit=dev
 RUN apk add --no-cache curl
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s CMD curl -sf http://localhost:3000/health || exit 1