Release candidate preflight
Source 0.1.33 retains the release evidence ledger introduced in 0.1.21 before promotion to 1.0.0-rc.1. Its purpose is to prevent a version from being labelled as a candidate on the basis of a partial local build only.
Controlled boundaries
The preflight covers four independent categories:
- the Bun lockfile exactly matches the direct dependencies in
package.json; - the twelve Playwright baselines referenced by the tests are present and hashed;
- the npm tarball, its manifest and SHA-256 match the source version;
- the manual accessibility and artifact review is complete.
The canonical plan is stored in:
release/rc-plan.jsonThe manual review is recorded in:
release/manual-accessibility-review.jsonBoth files belong to the complete development archive and are excluded from the npm package.
Verify the lockfile
bun run lockfile:checkThis check compares the dependencies and devDependencies groups from package.json with the root workspace in bun.lock, then verifies that every direct dependency has a resolved package entry.
After any dependency change:
bun install
bun run lockfile:check
bun install --frozen-lockfileDo not hand-edit package resolutions. The lockfile diff must be produced by Bun and reviewed before commit.
Prepare the manual review
In release/manual-accessibility-review.json, use a generic role rather than a personal name, for example qa-accessibility-reviewer. The review covers at least:
- keyboard-only navigation;
- browser zoom at 200%;
- reflow at 320 CSS pixels;
- NVDA with Chromium;
- custom-theme contrast;
- inspection of the tarball, manifest and bundle reports.
Each check must be passed, or exceptionally not-applicable with a justification in notes. The overall outcome must be passed, and reviewedSourceVersion must match package.json.
Generate the evidence ledger
After the quality gate, browser tests and package creation:
bun run pack:artifact
bun run release:evidence:createThe following file is generated:
.artifacts/release-candidate-evidence.jsonIt contains SHA-256 hashes for package.json, bun.lock, the public API manifest, the RC plan and the manual review, plus hashes for screenshots and the npm tarball. GitHub Actions metadata is included when available.
Generation does not claim that the release is ready. It emits status: "blocked" while prerequisites are missing and lists every blocker.
Strict verification
bun run release:evidence:verifyThe command fails if sources, screenshots or the package changed after evidence generation, if the lockfile is incomplete, if manual review is pending, or if the npm artifact no longer matches its manifest.
The complete gate is:
bun run release:candidate:checkRun it only after visual baseline inspection and completion of the manual review. A successful result means that source 0.1.33 is ready for promotion to 1.0.0-rc.1; the version change and publication remain separate explicit actions.
Final locks before 1.0.0-rc.1
Preparing 1.0.0-rc.1 now requires four complementary pieces of evidence: a stable GitHub Actions matrix over three passes, manual accessibility review, Theme Builder/IconPicker bundle review, and integration in a distinct business application. The Final 1.0 locks page details the files to fill and the commands to run.
The persisted schema and theme migration contract is not a functional blocker anymore. Any future evolution must go through the public migration registry.