fix(publish): remove dangerous --skip-checks flag and add comprehensive validation

BREAKING: CI publish workflow now runs full test suite before publishing

## Critical Security Fix

The publish:ci script was using --skip-checks which bypassed:
- Test suite validation
- Lint/type checking
- Code quality checks

This created a dangerous path where broken code could be published to npm,
potentially costing thousands in incident response and reputation damage.

## Changes

**publish:ci script**:
- Changed from --skip-checks to --skip-git
- Now only skips git-specific checks (safe in CI)
- Still runs full test + lint validation

**provenance.yml workflow**:
- setup-script now runs: test && check && build
- Ensures full validation before publish step
- Build artifacts validated before npm publish

**scripts/publish.mjs**:
- Removed CI restriction on --skip-build
- Added validateBuildArtifacts() function
- Validates dist/index.js, dist/index.d.ts, types/ exist
- Updated help text to clarify validation behavior
- Removed unused CI constant

## Safety Guarantees

CI publish will now FAIL if:
- ✗ Any test fails
- ✗ Lint/type errors exist
- ✗ Build artifacts missing
- ✗ Version already published

The --skip-build flag is safe because:
- setup-script builds first
- Artifact validation ensures build succeeded
- Fails immediately with clear error if missing

## What We Skip (and Why It's Safe)

--skip-git: Safe because CI runs on clean checkouts with branch protection
--skip-build: Safe because setup-script already built, we validate artifacts

Author: jdalton

.github/workflows/provenance.yml

@@ -29,5 +29,5 @@ jobs:
       dist-tag: ${{ inputs.dist-tag }}
       package-name: '@socketsecurity/sdk'
       publish-script: 'publish:ci'
-      setup-script: 'pnpm run build'
+      setup-script: 'pnpm test --all && pnpm check --all && pnpm build'
       use-trusted-publishing: true

package.json

@@ -48,7 +48,7 @@
     "prepare": "husky",
     "prepublishOnly": "echo 'ERROR: Use GitHub Actions workflow for publishing' && exit 1",
     "publish": "node scripts/publish.mjs",
-    "publish:ci": "node scripts/publish.mjs --skip-checks --skip-build --tag ${DIST_TAG:-latest}",
+    "publish:ci": "node scripts/publish.mjs --skip-git --skip-build --tag ${DIST_TAG:-latest}",
     "claude": "node scripts/claude.mjs",
     "test": "node scripts/test.mjs",
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",

scripts/publish.mjs

@@ -18,7 +18,6 @@ const logger = getDefaultLogger()
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootPath = path.join(__dirname, '..')
 const WIN32 = process.platform === 'win32'
-const CI = !!process.env.CI
 
 // Simple inline logger.
 const log = {
@@ -236,6 +235,37 @@ async function runPrePublishChecks(options = {}) {
   return true
 }
 
+/**
+ * Validate that build artifacts exist.
+ */
+async function validateBuildArtifacts() {
+  log.step('Validating build artifacts')
+
+  // Check for main entry point.
+  const distIndex = path.join(rootPath, 'dist', 'index.js')
+  if (!existsSync(distIndex)) {
+    log.error('Missing dist/index.js')
+    return false
+  }
+
+  // Check for type definitions.
+  const distIndexDts = path.join(rootPath, 'dist', 'index.d.ts')
+  if (!existsSync(distIndexDts)) {
+    log.error('Missing dist/index.d.ts')
+    return false
+  }
+
+  // Check for types directory.
+  const typesDir = path.join(rootPath, 'types')
+  if (!existsSync(typesDir)) {
+    log.error('Missing types/ directory')
+    return false
+  }
+
+  log.success('Build artifacts validated')
+  return true
+}
+
 /**
  * Build the project.
  */
@@ -464,7 +494,7 @@ async function main() {
       logger.log('  --dry-run      Perform a dry-run without publishing')
       logger.log('  --force        Force publish even with warnings')
       logger.log('  --skip-checks  Skip pre-publish checks')
-      logger.log('  --skip-build   Skip build step (not allowed in CI)')
+      logger.log('  --skip-build   Skip build step (validates artifacts exist)')
       logger.log('  --skip-git     Skip git status checks')
       logger.log('  --skip-tag     Skip git tag push')
       logger.log('  --complex      Use complex multi-package flow')
@@ -480,13 +510,6 @@ async function main() {
       return
     }
 
-    // Check CI restrictions.
-    if (CI && values['skip-build']) {
-      log.error('--skip-build is not allowed in CI')
-      process.exitCode = 1
-      return
-    }
-
     printHeader('Publish Runner')
 
     // Get current version.
@@ -515,6 +538,14 @@ async function main() {
         process.exitCode = 1
         return
       }
+    } else {
+      // Validate that build artifacts exist when skipping build.
+      const artifactsExist = await validateBuildArtifacts()
+      if (!artifactsExist && !values.force) {
+        log.error('Build artifacts missing - run pnpm build first')
+        process.exitCode = 1
+        return
+      }
     }
 
     // Publish.