Release: Add npm publishing and update documentation (#719)

* Changes required by Gorelase version > 2

* npm-publish script supports conditional publishing.

If gorelease in not in "Release" mode, npm packages are not pushed, so we can avoid multitudes of snapshot packages being pushed to public registry

* Create npm packages after goreleaser via a hook script

The hook runs after. If goreaser is not in release mode, npm will build in dry-run mode, so the packages are not pushed to registry

* Update documentation with NPM installation instructions

* Switch npm package scope to @kosli

* Fix: Add the missing bin/kosli JS Shim

* Fix:  Token Variable Mismatch

* Fix: Silent Postinstall Failures

* Update npm/README.md

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* refactor(npm-publish): replace sed/perl with jq and harden publish script

- Use jq instead of sed/perl for JSON version updates (portable across
  macOS and Linux, handles JSON correctly)
- Separate pack and publish into two distinct phases so all packages are
  packed before any are published
- Add npm_publish_with_retry with exponential backoff (3 attempts)
- Fail fast with clear error messages on pack or publish failure

* Fix: Frontmatter formatting

* Consistent formatting of package.json files

* Include npm packages in binary provenance processing

* Add directory and engines specification to packages

* Documention updates:

- npx is not supported
- package @kosli/cli should be used to install

* Fix three issues in npm postinstall and publish script

- postinstall: exit 1 on unsupported platform to match bin/kosli shim behaviour
- npm-publish.sh: use process substitution instead of pipe to while loop so set -e catches failures inside the loop
- npm-publish.sh: fix out-of-scope max_attempts variable in publish error message

* Update scripts/npm-publish.sh

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* Integrate npm package build and publish into GoReleaser pipeline

- Copy each platform binary into its npm package dir via per-build post hooks
- Run npm-publish.sh after release (dry-run on snapshots) via after hook
- Clean npm bin dirs and tarballs before each build via before hooks

* Update scripts/npm-publish.sh

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* Update scripts/npm-publish.sh

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* Update scripts/npm-publish.sh

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* Update scripts/npm-publish.sh

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* Add --provenance flag to npm publish when running in GitHub Actions

* Fix temp file leak and add npm provenance in GitHub Actions

- Clean up temp file on jq/mv failure for wrapper package.json update,
  consistent with the platform loop
- Pass --provenance to npm publish when running in GitHub Actions

* Added distribution: goreleaser-pro and GORELEASER_KEY: ${{ secrets.KOSLI_GORELEASERPRO }} — that's the standard way the goreleaser-action picks up the pro license.

* Add npm installation test job to install-script-tests workflow

- Test npm install -g @kosli/cli on all 6 supported platforms
- Trigger on release (published) to test newly published packages
- Also trigger on push/PR to npm/**, .goreleaser.yml, and scripts/npm-publish.sh

* Select npm tag snapshot for now

* Removed macos-13. macos-13 is the only GitHub-hosted x64 macOS runner but it's not available in all GitHub org configuration

* Refine dry-run condition in npm-publish script for clarity

* Add prepack scripts to fail fast when binary is missing

npm pack silently succeeds even if the binary is absent, producing a
broken package. Each platform package now checks for bin/kosli (or
bin/kosli.exe on Windows) before packing; the wrapper also checks for
install.js.

* Exclude node_modules from package.json search in npm-publish script

* Refactor binary validation in postinstall script to use fs.accessSync for executable check  to  address @dangrondahl  ai review kosli version false negatives in install.js

---------

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

Author: AlexKantor87

docs.kosli.com/assets/metadata.json

@@ -1 +1 @@
-{"currentversion": "v2.14.0"}
+{"currentversion": "v2.15.0"}

docs.kosli.com/content/client_reference/kosli_evaluate_input.md

@@ -0,0 +1,89 @@
+---
+title: "kosli evaluate input"
+beta: false
+deprecated: false
+summary: "Evaluate a local JSON input against a Rego policy."
+---
+
+# kosli evaluate input
+
+## Synopsis
+
+```shell
+kosli evaluate input [flags]
+```
+
+Evaluate a local JSON input against a Rego policy.
+Read JSON from a file or stdin and evaluate it against a Rego policy.
+The input file should contain the raw JSON object your policy expects —
+not the wrapper produced by `--show-input`. Use `jq '.input'` to extract
+the policy input from a `--show-input --output json` capture.
+
+The policy must use `package policy` and define an `allow` rule.
+An optional `violations` rule (a set of strings) can provide human-readable denial reasons.
+The command exits with code 0 when allowed and code 1 when denied.
+
+When `--input-file` is omitted, JSON is read from stdin.
+
+## Flags
+| Flag | Description |
+| :--- | :--- |
+|    -h, --help  |  help for input  |
+|    -i, --input-file string  |  [optional] Path to a JSON input file. Reads from stdin if omitted.  |
+|    -o, --output string  |  [defaulted] The format of the output. Valid formats are: [table, json]. (default "table")  |
+|    -p, --policy string  |  Path to a Rego policy file to evaluate against the input.  |
+|        --show-input  |  [optional] Include the policy input data in the output.  |
+
+
+## Flags inherited from parent commands
+| Flag | Description |
+| :--- | :--- |
+|    -a, --api-token string  |  The Kosli API token.  |
+|    -c, --config-file string  |  [optional] The Kosli config file path. (default "kosli")  |
+|        --debug  |  [optional] Print debug logs to stdout. A boolean flag https://docs.kosli.com/faq/#boolean-flags (default false)  |
+|    -H, --host string  |  [defaulted] The Kosli endpoint. (default "https://app.kosli.com")  |
+|        --http-proxy string  |  [optional] The HTTP proxy URL including protocol and port number. e.g. 'http://proxy-server-ip:proxy-port'  |
+|    -r, --max-api-retries int  |  [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3)  |
+|        --org string  |  The Kosli organization.  |
+
+
+## Examples Use Cases
+
+These examples all assume that the flags  `--api-token`, `--org`, `--host`, (and `--flow`, `--trail` when required), are [set/provided](https://docs.kosli.com/getting_started/install/#assigning-flags-via-environment-variables). 
+
+##### capture trail data for local policy iteration
+
+```shell
+kosli evaluate trail TRAIL --flow FLOW 
+	--policy allow-all.rego 
+	--show-input --output json | jq '.input' > trail-data.json
+
+```
+
+##### then iterate on your policy locally
+
+```shell
+kosli evaluate input 
+	--input-file trail-data.json 
+	--policy policy.rego
+
+```
+
+##### evaluate and show the data passed to the policy
+
+```shell
+kosli evaluate input 
+	--input-file trail-data.json 
+	--policy policy.rego 
+	--show-input 
+	--output json
+
+```
+
+##### read input from stdin
+
+```shell
+cat trail-data.json | kosli evaluate input 
+	--policy policy.rego
+```
+

docs.kosli.com/content/client_reference/kosli_evaluate_trail.md

@@ -14,7 +14,7 @@ kosli evaluate trail TRAIL-NAME [flags]
 ```
 
 Evaluate a trail against a policy.
-Fetch a single trail from Kosli and evaluate it against a Rego policy using OPA.
+Fetch a single trail from Kosli and evaluate it against a Rego policy.
 The trail data is passed to the policy as `input.trail`.
 
 Use `--attestations` to enrich the input with detailed attestation data

docs.kosli.com/content/client_reference/kosli_evaluate_trails.md

@@ -14,7 +14,7 @@ kosli evaluate trails TRAIL-NAME [TRAIL-NAME...] [flags]
 ```
 
 Evaluate multiple trails against a policy.
-Fetch multiple trails from Kosli and evaluate them together against a Rego policy using OPA.
+Fetch multiple trails from Kosli and evaluate them together against a Rego policy.
 The trail data is passed to the policy as `input.trails` (an array), unlike
 `evaluate trail` which passes `input.trail` (a single object).
 

docs.kosli.com/content/legacy_ref/v2.12.0/_index.md

@@ -1,7 +1,7 @@
 ---
 title: v2.12.1
 bookCollapseSection: true
-weight: 603
+weight: 604
 ---
 
 # v2.12.1

docs.kosli.com/content/legacy_ref/v2.12.0/kosli_expect_deployment.md

@@ -1,7 +1,7 @@
 ---
 title: v2.13.0
 bookCollapseSection: true
-weight: 602
+weight: 603
 ---
 
 # v2.13.0