From 3b8b726a1ce950a994c6855f909e0fe1ab2ab5ff Mon Sep 17 00:00:00 2001
From: Parfii-bot <parfionovichd@icloud.com>
Date: Sun, 3 May 2026 22:30:50 +0800
Subject: [PATCH] fix(release): decouple npm-publish + drop x86_64-darwin
 (v0.14.2 retry)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

v0.14.1 tag triggered Release workflow but npm-publish was SKIPPED
because Rust matrix entry x86_64-apple-darwin failed and release
job needs:[build-release, build-mcp-binary]; npm-publish needs:release.
Single Rust target failure → entire publish chain blocks. This was
the W3 Opus CI/build finding deferred from audit-batch-2.

Two fixes:

1. **Drop x86_64-apple-darwin from build-release matrix.**
   GitHub's `macos-latest` runner is now Apple Silicon (M1+); cross-compile
   to x86_64 needs an OpenSSL sysroot that the arm64 image doesn't ship.
   `openssl-sys 0.9.114` build fails with "Could not find openssl via
   pkg-config: pkg-config has not been configured to support
   cross-compilation". Apple Silicon mandatory for new Macs since 2020;
   x86 Mac is legacy. If a future user needs x86 darwin, re-add with
   `experimental: true` and `openssl-sys` features=["vendored"].

2. **Decouple `npm-publish` from `release`.**
   The npm package builds its own `dist/` from `_ts_packages/` — it does
   NOT consume Rust release tarballs. Previously `needs: release` meant a
   single Rust matrix failure blocked the npm publish even though the two
   are architecturally independent. Now `needs: []` (parallel with
   build-release matrix). KEIGIT_TOKEN-presence guard still gracefully
   skips when secret is absent.

Bump version 0.14.1 → 0.14.2 (v0.14.1 tag already exists from prior run).

After re-tag v0.14.2:
- build-release matrix: 3 targets (was 4) — should all succeed
- build-mcp-binary: 5 platforms (unchanged) — already passed in 0.14.1 run
- release job: produces GitHub Release with 3 Rust tarballs + 5 MCP binaries
- npm-publish job: runs in PARALLEL, publishes @keisei/mcp-server@0.14.2
  to keigit regardless of Rust matrix status

[FROM-JOURNAL: tasks.jsonl this session — v0.14.1 release run 25280711426
ran 14m wall, 8/9 jobs success, x86_64-darwin failed at openssl-sys
build, release+npm-publish skipped via needs-chain]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml                 | 19 +++++++++++++++----
 _ts_packages/package-lock.json                |  2 +-
 _ts_packages/packages/mcp-server/package.json |  2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd4ee3d..0388676 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,9 +28,14 @@ jobs:
           - os: ubuntu-24.04-arm
             target: aarch64-unknown-linux-gnu
             experimental: false
-          - os: macos-latest
-            target: x86_64-apple-darwin
-            experimental: false
+          # v0.14.2 fix (2026-05-03 first-publish run): macos-latest is now
+          # Apple Silicon (M1+); cross-compile x86_64-apple-darwin needs an
+          # OpenSSL sysroot that GitHub's macos-arm64 runners don't ship.
+          # Apple Silicon mandatory for new Macs since 2020; x86 Mac is
+          # legacy. Drop x86_64-apple-darwin per Wave 3 audit recommendation.
+          # If a future need arises, re-add with `experimental: true` and
+          # `OPENSSL_VENDORED=1` env, or use `openssl-sys` features=["vendored"]
+          # in a target-specific [target.'cfg(...)'.dependencies] block.
           - os: macos-latest
             target: aarch64-apple-darwin
             experimental: false
@@ -291,7 +296,13 @@ jobs:
 
   npm-publish:
     name: Publish npm packages to keigit.com
-    needs: release
+    # v0.14.2 fix (Wave 3 finding): npm publish only needs the TS workspace
+    # to build, NOT the Rust release tarballs. Decoupled from `release` so
+    # a single Rust matrix failure (e.g. cross-compile sysroot, transient
+    # apt-get) cannot block the npm publish chain. The job runs in parallel
+    # with build-release and is independent of build-mcp-binary too — it
+    # builds its own `dist/` from `_ts_packages/`.
+    needs: []
     runs-on: ubuntu-latest
     # Graceful skip: if KEIGIT_TOKEN secret is not configured, the first
     # step reports "skipped" and exits 0 — Rust-binary release above still
diff --git a/_ts_packages/package-lock.json b/_ts_packages/package-lock.json
index 13ac6ad..31898f0 100644
--- a/_ts_packages/package-lock.json
+++ b/_ts_packages/package-lock.json
@@ -3707,7 +3707,7 @@
     },
     "packages/mcp-server": {
       "name": "@keisei/mcp-server",
-      "version": "0.14.1",
+      "version": "0.14.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.0.0",
diff --git a/_ts_packages/packages/mcp-server/package.json b/_ts_packages/packages/mcp-server/package.json
index 2f7414a..2d14aa3 100644
--- a/_ts_packages/packages/mcp-server/package.json
+++ b/_ts_packages/packages/mcp-server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@keisei/mcp-server",
-  "version": "0.14.1",
+  "version": "0.14.2",
   "description": "MCP server exposing KeiSeiKit Rust primitives as Model Context Protocol tools — published to keigit.com (Forgejo npm registry, public DNS)",
   "type": "module",
   "main": "./dist/index.js",