diff --git a/.github/workflows/backfill-release-assets.yml b/.github/workflows/backfill-release-assets.yml index c1c8088..dddb514 100644 --- a/.github/workflows/backfill-release-assets.yml +++ b/.github/workflows/backfill-release-assets.yml @@ -34,7 +34,7 @@ jobs: timeout-minutes: 30 environment: release permissions: - contents: write + contents: read strategy: fail-fast: false matrix: @@ -60,22 +60,20 @@ jobs: fetch-depth: 0 ref: ${{ inputs.tag_name }} - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Build SEA binary - run: pnpm run build:sea + run: vp run build:sea - name: Verify SEA binary - run: pnpm run verify:sea + run: vp run verify:sea - name: Package release assets shell: pwsh @@ -117,7 +115,7 @@ jobs: timeout-minutes: 30 environment: release permissions: - contents: write + contents: read steps: - name: Create release bot token @@ -133,22 +131,20 @@ jobs: fetch-depth: 0 ref: ${{ inputs.tag_name }} - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Build SEA binary - run: pnpm run build:sea + run: vp run build:sea - name: Verify SEA binary - run: pnpm run verify:sea + run: vp run verify:sea - name: Package release assets shell: pwsh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5be762..cfcbdc8 100644 --- a/.github/workflows/ci.yml 
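Review bot: With `contents: read` at the job level here, the job's GITHUB_TOKEN can no longer create releases or upload assets, so every write step in this job has to go through the release-bot app token. Those steps are outside the hunk and should be checked for leftover `github.token` or `secrets.GITHUB_TOKEN` use. The same applies to the permission hunks at -117,7 in this file and at -51,9, -117,7 and -199,7 in ci.yml, where -51,9 also drops `issues: write` and `pull-requests: write`. I would add a comment above the key so the scope is not widened again later, e.g. `# read-only on purpose: release writes use the release-bot app token`.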
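Review bot: The install step loses its explicit lockfile enforcement: `pnpm install --frozen-lockfile` becomes a bare `vp install`, and nothing in the hunk shows that `vp install` refuses to re-resolve or rewrite the lockfile in CI. This job runs in the `release` environment and builds the SEA binary that is published, so a drifted lockfile would end up in shipped artifacts. Confirm that `vp install` fails on lockfile drift in CI, or pass a frozen-lockfile option through if the tool exposes one. The same replacement appears in the hunk at -133,22 and in ci.yml at -25,22, -75,19, -143,22 and -215,22.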
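Review bot: `cache: true` turns on caching in a job that, judging by the preceding hunk, creates the release bot token and builds the binaries uploaded to the release, so whatever the action restores becomes an input to a published artifact. The hunk does not show what the cache key is derived from or which other workflow runs can write to the same cache. For release-environment jobs I would drop the `cache: true` line and keep caching only on the ci.yml verify job at -25,22, or add a comment stating what the key is bound to. The setting is also added at -60,22 and in ci.yml at -75,19, -143,22 and -215,22.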
+++ b/.github/workflows/ci.yml @@ -25,22 +25,20 @@ jobs: with: fetch-depth: 0 - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Verify repository - run: pnpm run verify + run: vp run verify - name: Smoke test packed install surface - run: pnpm run smoke:pack + run: vp run smoke:pack release: if: github.event_name == 'push' && github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip ci]') @@ -51,9 +49,7 @@ jobs: timeout-minutes: 20 environment: release permissions: - contents: write - issues: write - pull-requests: write + contents: read outputs: new_release_published: ${{ steps.semantic.outputs.new_release_published }} new_release_git_tag: ${{ steps.semantic.outputs.new_release_git_tag }} @@ -75,19 +71,17 @@ jobs: fetch-depth: 0 token: ${{ steps.release-bot.outputs.token }} - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Build package - run: pnpm run build + run: vp run build - name: Release package id: semantic @@ -117,7 +111,7 @@ jobs: timeout-minutes: 30 environment: release permissions: - contents: write + contents: read strategy: fail-fast: false matrix: 
@@ -143,22 +137,20 @@ jobs: fetch-depth: 0 ref: ${{ needs.release.outputs.new_release_git_tag }} - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Build SEA binary - run: pnpm run build:sea + run: vp run build:sea - name: Verify SEA binary - run: pnpm run verify:sea + run: vp run verify:sea - name: Package release assets shell: pwsh @@ -199,7 +191,7 @@ jobs: timeout-minutes: 30 environment: release permissions: - contents: write + contents: read steps: - name: Create release bot token @@ -215,22 +207,20 @@ jobs: fetch-depth: 0 ref: ${{ needs.release.outputs.new_release_git_tag }} - - name: Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + - name: Set up Vite+ + uses: voidzero-dev/setup-vp@45e5c098f1095cc6b65fd92534603e7be70386c1 # v1 with: node-version-file: ".node-version" - - - name: Enable Corepack - run: corepack enable + cache: true - name: Install dependencies - run: pnpm install --frozen-lockfile + run: vp install - name: Build SEA binary - run: pnpm run build:sea + run: vp run build:sea - name: Verify SEA binary - run: pnpm run verify:sea + run: vp run verify:sea - name: Package release assets shell: pwsh diff --git a/AGENTS.md b/AGENTS.md index 471efaf..d3167a7 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -14,19 +14,20 @@ Development instructions for agents working on this repository. - [Overview](README.md) - [Contributing](CONTRIBUTING.md) - [Architecture](docs/ARCHITECTURE.md) +- [Distribution](docs/DISTRIBUTION.md) ## Commands Primary: -- `pnpm run verify` +- `vp run verify` Focused: -- `pnpm run check` -- `pnpm run build` -- `pnpm run test` -- `pnpm run coverage` +- `vp run check` +- `vp run build` +- `vp run test` +- `vp run coverage` Runtime proofs: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 780d5f9..ef07b53 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,13 +21,13 @@ vp config Start the local build watcher: ```bash -pnpm run dev +vp run dev ``` Build the CLI once and try the shipped entrypoint: ```bash -pnpm run build +vp run build ./dist/bin.mjs describe ``` @@ -36,24 +36,20 @@ pnpm run build Run the main repository gate before opening or updating a pull request: ```bash -pnpm run verify +vp run verify ``` Run focused checks when they match your change: ```bash -pnpm run smoke:pack -pnpm run build:sea -pnpm run verify:sea +vp run smoke:pack +vp run build:sea +vp run verify:sea ``` ## Release Publishing -GitHub Actions publishes from `main` through the protected `release` Environment. - -Keep `NPM_TOKEN`, `PUTIO_RELEASE_BOT_APP_ID`, and `PUTIO_RELEASE_BOT_PRIVATE_KEY` in that Environment with required reviewers and prevent self-review enabled. Pull request checks stay secretless and only run verify jobs. - -Release GitHub writes use `putio-release-bot` for version sync commits, `v*` tags, GitHub Releases, and binary asset uploads. Trusted put.io team members may push directly to `main`, but repository rules should block outsiders, force-pushes, and branch deletes where GitHub plan support allows. +See [Distribution](docs/DISTRIBUTION.md) for release automation, credentials, and binary asset publishing. ## Development Notes diff --git a/docs/DISTRIBUTION.md b/docs/DISTRIBUTION.md new file mode 100644 index 0000000..202f8f2 --- /dev/null 
+++ b/docs/DISTRIBUTION.md
@@ -0,0 +1,38 @@
+# Distribution
+
+## Delivery Model
+
+Every merge to `main` should already be releasable.
+
+GitHub Actions owns npm publishing, GitHub Releases, release assets, and Homebrew tap updates. The pipeline runs the repo's VitePlus commands before publishing:
+
+1. `vp install`
+2. `vp run verify`
+3. `vp run smoke:pack`
+4. `vp run build`
+5. `semantic-release`
+
+Binary asset jobs build from the published release tag after semantic-release creates it.
+
+## Release Environment
+
+Release jobs declare the protected GitHub Environment named `release`.
+
+Environment entries:
+
+- secrets: `NPM_TOKEN`, `PUTIO_RELEASE_BOT_PRIVATE_KEY`, `HOMEBREW_TAP_TOKEN`
+- variables: `PUTIO_RELEASE_BOT_APP_ID`
+- approval: none; releases are continuous after the `main` gate passes
+- refs: release branch/tag policy constrains what can publish
+
+Release GitHub writes use `putio-release-bot` for version sync commits, `v*` tags, GitHub Releases, and binary asset uploads.
+
+## Local Checks
+
+Before changing distribution wiring, validate the repo-local guardrails the workflow depends on:
+
+```bash
+vp install
+vp run verify
+vp run smoke:pack
+```