From 614cfd6ddceb7825a1e26a98e14eb8ef360e12f9 Mon Sep 17 00:00:00 2001
From: Brian Love <brian@liveloveapp.com>
Date: Fri, 1 May 2026 10:10:29 -0700
Subject: [PATCH 1/2] chore(workflow): upgrade npm CLI for trusted publishing
 OIDC support

The 0.0.2 publish workflow run failed with 'error retrieving identity
token' on @ngaf/licensing and @ngaf/partial-json, and a 404 on
@ngaf/a2ui. Root cause: actions/setup-node@v6.3.0 with node-version: 22
ships npm 10.9.2, which has partial OIDC code paths but doesn't fully
implement the trusted-publishing flow against npm registry's OIDC
endpoint.

npm 11.5.1+ is required for trusted publishing. Adding 'npm install -g
npm@latest' before the publish step bumps the runner to a current
release.

Sources:
- https://philna.sh/blog/2026/01/28/trusted-publishing-npm/
- https://github.com/npm/cli/issues/8730
- https://docs.npmjs.com/trusted-publishers/

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index eef1883eb..7272a60c1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -29,6 +29,12 @@ jobs:
 
       - run: npm ci
 
+      # Trusted publishing requires npm CLI 11.5.1+. Node 22's bundled npm
+      # is 10.x which has partial OIDC support but doesn't fully implement
+      # the trusted-publishing flow against npm registry's OIDC endpoint.
+      - name: Upgrade npm to support trusted publishing
+        run: npm install -g npm@latest
+
       - name: Lint, test, build publishable projects
         run: npx nx run-many -t lint,test,build --projects=$NPM_PUBLISHABLE_PROJECTS --skip-nx-cache
 

From eef99bde3b944e8366416d5afc50cc27c61e479a Mon Sep 17 00:00:00 2001
From: Brian Love <brian@liveloveapp.com>
Date: Fri, 1 May 2026 11:14:01 -0700
Subject: [PATCH 2/2] ci: expand Library job to cover all 7 publishable libs

Previously only verified @ngaf/langgraph on each PR. A regression in
chat, ag-ui, render, a2ui, partial-json, or licensing could land
unnoticed. Switch to nx run-many across the publishable group.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2578df232..bd67fbc87 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,8 @@ jobs:
   library:
     name: Library — lint / test / build
     runs-on: ubuntu-latest
+    env:
+      LIBS: chat,langgraph,ag-ui,render,a2ui,partial-json,licensing
     steps:
       - uses: actions/checkout@v6.0.2
       - uses: actions/setup-node@v6.3.0
@@ -17,9 +19,9 @@ jobs:
           node-version: 22
           cache: npm
       - run: npm ci
-      - run: npx nx lint langgraph
-      - run: npx nx test langgraph --coverage
-      - run: npx nx build langgraph --configuration=production
+      - run: npx nx run-many -t lint --projects=$LIBS
+      - run: npx nx run-many -t test --projects=$LIBS --coverage
+      - run: npx nx run-many -t build --projects=$LIBS --configuration=production
 
   website:
     name: Website — lint / build