This is the checklist for cutting a public release of WhatTheAgent. The first time you run through it (going from "unpublished pre-1.0" to "public on npm + GitHub") is the longest; subsequent releases are mostly the "Cut a release" section.
- Make the repo public.
- Set the repo description to: Local-first capability discovery for AI agent workspaces. Find what your skills, MCP servers, and scripts can actually do — and which combinations are dangerous.
- Set the repo website to your npm or docs URL.
- Add topics:
ai-agent,agent-security,mcp,claude,codex,cursor,openclaw,hermes,security,cli,sast. - Enable Issues, Discussions, and Security advisories in repo settings.
- Confirm the
.github/ISSUE_TEMPLATE/andPULL_REQUEST_TEMPLATE.mdload correctly when filing a fresh issue / PR. - Add a branch-protection rule on
main: require PRs, require status checks (CI), require up-to-date branches. - Add a
LICENSE(already present — MIT).
- Create an npm account if you don't have one.
- Enable two-factor authentication on npm (
npm profile enable-2fa auth-and-writes). - Run
npm whoamito confirm you're logged in. - Run
npm pack --dry-runand confirm onlydist/,examples/,readme/,skills/,README.md, andLICENSEare included (already configured inpackage.jsonfiles).
- Replace the placeholder author email in
package.jsonwith one that's safe to be public — npm displays it. - If you'd rather not expose your personal email, create a project email or alias and use it consistently in
package.json,SECURITY.md, andCODE_OF_CONDUCT.md.
For each release, in order:
WhatTheAgent uses Semantic Versioning. Pre-1.0 means schema changes are allowed, but call them out clearly.
0.1.0— first publish.0.1.1— bug fix only, no schema or CLI surface change.0.2.0— schema or CLI flag change. BumpschemaVersionif a JSON output changed.1.0.0— schema and CLI surface declared stable.
- Move everything under
## [Unreleased]into a new dated heading:## [X.Y.Z] - YYYY-MM-DD. - Add a fresh empty
## [Unreleased]block above it. - Update the link references at the bottom.
npm install
npm run typecheck
npm test
npm run build
npm run scan:example # smoke test on examples/risky-agent
npm run understand:example
npm pack --dry-runAll four must be clean. The smoke tests catch regressions the unit tests don't.
npm version patch # or minor / major — bumps package.json + creates a tag
git push origin main
git push --tags
npm publish # 2FA prompt- Go to Releases → Draft a new release.
- Pick the tag you just pushed.
- Title:
v<version>. - Description: paste the matching CHANGELOG section. The animated demo SVG and mascot will render in the release page automatically if you embed them.
npm install -g whattheagent@<version>
wta --version # should print <version>
wta understand examples/risky-agent --output /tmp/wta-release-checkIf anything's off, unpublish within 72 hours (npm unpublish whattheagent@<version>) and ship a .1 patch. After 72 hours, npm only allows deprecation, not unpublish.
- Update any external docs / blog posts.
- Post in
#open-sourceon relevant Discords / Slacks if you have any. - If this release fixes a tracked issue, comment on the issue and close it.
- Don't push a tag without
npm publish. A v0.1.0 tag with no npm artifact looks broken. - Don't publish without 2FA. npm has been a supply-chain attack vector twice in the last two years.
- Don't include a hand-edited
dist/. Theprepackscript inpackage.jsonrunsnpm run buildfor you. Trust it. - Don't bump
schemaVersioncasually. Downstream consumers (the chat skill, CI parsers) read it. Bump it only when something actually breaks compatibility, and document the break inCHANGELOG.md. - Don't change
package.json'sfilesarray carelessly. It's the difference between shipping the dist and shipping yournode_modules.
# Show what would actually be published.
npm pack --dry-run | tail -50
# Verify the binary works directly from a clean install.
docker run --rm -it -v "$PWD":/work -w /work node:20 bash -lc \
'npm install -g whattheagent && wta understand examples/risky-agent --chat'
# Generate a fresh demo screenshot for a release post.
wta understand examples/risky-agent --output /tmp/release && \
open /tmp/release/report.html