Last updated: 2026-06-09 21:05 HKT.
TokenDanceCode is on the Rust rewrite branch. The current release work is scaffolding for a Rust-first npm binary wrapper and package review plan; it is not a publish-ready candidate and it must not publish npm packages from automation.
- Version:
0.3.0-rs.0 - Status: release-plan scaffold only; Rust runtime parity and native package artifacts are still required.
- Public npm entry package:
@tokendance/code-cli
- Legacy contract packages, kept only until the Rust SDK bridge decision is finished:
@tokendance/code-core@tokendance/code-sdk
Run the public registry check before claiming a publish succeeded:
pnpm registry:next:checkCurrent result must be refreshed before any release-owner action. E404 is acceptable before the first publish and proves the packages are not visible on npm yet.
Run from the workspace root:
pnpm verify
pnpm release:rust:plan:check
pnpm smoke:rust-wrapper
git diff --checkFor now, pnpm verify intentionally stays Rust-only:
cargo fmt --all -- --check && cargo test --workspaceThe older pack and contract gates remain historical TypeScript-package checks until the Rust wrapper exists. Do not treat pnpm release:next:check as the Rust release gate yet.
pnpm smoke:gateway is an optional maintainer-only provider smoke. It requires explicit opt-in environment variables, never reads the project root .env, never runs npm publish, and must redact provider keys and base URLs from subprocess output.
Latest known local evidence, to be refreshed before a release decision:
pnpm verifyis the active Rust branch gate and runs Cargo formatting and workspace tests.pnpm release:rust:plan:checkverifies the Rust wrapper plan docs, checkspackages/cli/bin/tokendance.js, keepspnpm verifyon Cargo, and fails if package scripts include an npm publish command.pnpm smoke:rust-wrapperpacks@tokendance/code-cliinto a local tarball, installs it into a temp npm project without publishing, locates or builds the current-platformtokendanceRust binary, runstokendance --versionandtokendance doctor --json, and rejects tarball contents that include source/test/build-only paths, local workspace paths, token-like secrets, or npm auth config.
Use fresh command output as the source for current test counts.
The first Rust release should expose tokendance through @tokendance/code-cli. The npm package now contains a small JavaScript command shim plus metadata; the shim first delegates to a local built Rust binary from crates/tokendance-cli, then falls back to the planned platform-specific native package name.
Planned package shape:
packages/cli/bin/tokendance.jsis the cross-platform npmbinentry fortokendance; it forwards argv and stdio unchanged totarget/release/tokendance,target/debug/tokendance, or a future optional native package.packages/cli/package.jsonowns public CLI metadata, thebinmapping, and Rust-alignedbuild/testscripts.- The CLI package may later list optional native packages in
optionalDependenciesafter those packages and CI artifacts exist. - Optional native packages should be platform scoped, for example:
@tokendance/code-cli-win32-x64-msvc@tokendance/code-cli-darwin-arm64@tokendance/code-cli-darwin-x64@tokendance/code-cli-linux-x64-gnu@tokendance/code-cli-linux-arm64-gnu
The optional native packages must contain only the compiled binary, license/readme metadata, and the minimum npm manifest needed for install resolution. They must not publish Rust crate source, local build outputs, logs, secrets, or private examples.
Before promoting the wrapper from plan to release candidate:
- Build the Rust CLI in CI for every supported target.
- Generate platform-native npm packages from reviewed CI artifacts.
- Replace the current JavaScript shim placeholder with reviewed native-package artifact paths once CI produces them.
- Keep
pnpm smoke:rust-wrapperpassing for the wrapper package; it runstokendance --versionandtokendance doctor --jsonfrom a fresh temp project without publishing. - Extend the package privacy scan to platform-native package contents once those packages exist.
- Run the release-owner publish checklist outside this repository.
No package script may run npm publish, pnpm publish, or yarn npm publish. Publishing is a Manual release-owner action after package content review. Do not run publish commands from package source directories; source manifests may contain workspace-local development metadata until tarball contents are reviewed.
Before publishing:
- Confirm npm account and org access.
- Confirm registry is
https://registry.npmjs.org/. - Run
pnpm registry:next:check;E404is allowed for first publish, but the current candidate version must not already exist. - Run the current Rust release gates on a clean worktree.
- Review packed wrapper and optional native package contents.
- Create publish tarballs with
pnpm pack --pack-destinationand review each tarball path. - Release owner runs the private publish checklist from the operator secret store.
Public command shape:
npm publish "<tarballPath>" --access public --tag nextRun the publish command once per reviewed tarball. Keep token-bearing npm configuration outside this repository and out of logs.
After registry visibility is confirmed:
npm view @tokendance/code-core version dist-tags --json
npm view @tokendance/code-sdk version dist-tags --json
npm view @tokendance/code-cli version dist-tags --jsonThen test install in a fresh temp directory:
npm install @tokendance/code-sdk@next @tokendance/code-core@next
npm install -g @tokendance/code-cli@next
tokendance --version
tokendance doctor --jsonDo not print npm tokens in logs or docs. Rotate any token that was exposed outside the private secret store.