The v0.3.0 release is ready (M4 work complete locally) but is not yet published to npm.
State of the work
All four roadmap milestones are complete. Branch main (commit 9356514) contains M1–M3: responsive margin/inline display, collision-aware stacking, drop-in fallback when no .has-sidenotes ancestor, @media print stylesheet, hover/focus cue, CI workflow.
M4 work was uncommitted at the time this issue was opened (machine being decommissioned). If the local work wasn't pushed before the machine was wiped, the following must be re-derived from tasks/todo.md (which is also local; preserve it first if possible):
CHANGELOG.md (new) — Keep-a-Changelog format covering 0.1.0, 0.2.0, 0.2.1, 0.3.0
package.json — version bump 0.1.0 → 0.3.0
recipes/plain-html.md, recipes/eleventy.md, recipes/astro.md, recipes/hugo.md (new)
.github/workflows/publish.yml (new) — tag-triggered npm publish with --provenance --access public
README.md — install section flipped (npm/CDN primary, from-source secondary), new "Integration recipes" section between Quickstart and Attributes, M4 marked ✅ in roadmap, "What's in v0.3" → "What's in v0.3.0"
CLAUDE.md — milestone summary refreshed to "all four milestones complete at v0.3.0"
site/index.html footer — "v0.3, milestone 3 of 4" → "v0.3.0"
tasks/todo.md — v0.3.0 / M4 record with full breakdown of the above
What's blocking publish
npm publish --access public got past the bundle assembly stage (tarball at 17.5 kB, 16 files including LICENSE, README, dist, src, package.json — all correct) but returned 403 Forbidden:
Two-factor authentication or granular access token with bypass 2fa enabled is required to publish packages.
The npm account does not have a TOTP authenticator app configured. The "one-time codes" the account receives are sign-in verification codes sent by email, not publish-time OTPs (npm requires either TOTP, webauthn, or a granular access token with bypass-2FA).
Security note
A granular access token was generated during troubleshooting and inadvertently shared in a chat conversation. Revoke it before anything else — npmjs.com → Settings → Access Tokens → find the recently-issued side-note token → Revoke.
Resolution plan (for fresh machine)
- Revoke the leaked token (link above)
- Clone the repo and confirm M4 work is present on
main. If not, re-derive from the list above (the tasks/todo.md v0.3.0 section has full text for each file)
- Generate a fresh granular access token at npmjs.com:
- Name: anything memorable (e.g.
side-note publish)
- Expiration: pick a sensible date (e.g. 1 year)
- Packages and scopes → "Only select packages" →
side-note
- Permissions: Read and write
- Check "Allow this token to bypass two-factor authentication"
- Store the token locally:
echo "//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxxxxx" >> ~/.npmrc
Use the global ~/.npmrc, NOT a repo-level .npmrc (the latter would ship with the package).
- Add the same token as a GitHub repo secret named
NPM_TOKEN (Settings → Secrets and variables → Actions → New repository secret). This powers the tag-triggered publish workflow at .github/workflows/publish.yml for v0.3.1+.
- Publish v0.3.0:
- Manual:
npm ci && npm run build && npm publish --access public
- Workflow-driven:
git tag v0.3.0 && git push --tags (fires publish.yml)
- Verify at https://www.npmjs.com/package/side-note
- Smoke test:
npm i side-note in a throwaway directory, confirm <script type="module">import "side-note"</script> registers the custom element
Reference
- Browser support / API surface / behaviour: see README on
main
- Prior milestone history and design decisions: see
tasks/todo.md and CHANGELOG.md
The v0.3.0 release is ready (M4 work complete locally) but is not yet published to npm.
State of the work
All four roadmap milestones are complete. Branch
main(commit9356514) contains M1–M3: responsive margin/inline display, collision-aware stacking, drop-in fallback when no.has-sidenotesancestor,@media printstylesheet, hover/focus cue, CI workflow.M4 work was uncommitted at the time this issue was opened (machine being decommissioned). If the local work wasn't pushed before the machine was wiped, the following must be re-derived from
tasks/todo.md(which is also local; preserve it first if possible):CHANGELOG.md(new) — Keep-a-Changelog format covering 0.1.0, 0.2.0, 0.2.1, 0.3.0package.json— version bump 0.1.0 → 0.3.0recipes/plain-html.md,recipes/eleventy.md,recipes/astro.md,recipes/hugo.md(new).github/workflows/publish.yml(new) — tag-triggered npm publish with--provenance --access publicREADME.md— install section flipped (npm/CDN primary, from-source secondary), new "Integration recipes" section between Quickstart and Attributes, M4 marked ✅ in roadmap, "What's in v0.3" → "What's in v0.3.0"CLAUDE.md— milestone summary refreshed to "all four milestones complete at v0.3.0"site/index.htmlfooter — "v0.3, milestone 3 of 4" → "v0.3.0"tasks/todo.md— v0.3.0 / M4 record with full breakdown of the aboveWhat's blocking publish
npm publish --access publicgot past the bundle assembly stage (tarball at 17.5 kB, 16 files including LICENSE, README, dist, src, package.json — all correct) but returned 403 Forbidden:The npm account does not have a TOTP authenticator app configured. The "one-time codes" the account receives are sign-in verification codes sent by email, not publish-time OTPs (npm requires either TOTP, webauthn, or a granular access token with bypass-2FA).
Security note
A granular access token was generated during troubleshooting and inadvertently shared in a chat conversation. Revoke it before anything else — npmjs.com → Settings → Access Tokens → find the recently-issued
side-notetoken → Revoke.Resolution plan (for fresh machine)
main. If not, re-derive from the list above (thetasks/todo.mdv0.3.0 section has full text for each file)side-note publish)side-note~/.npmrc, NOT a repo-level.npmrc(the latter would ship with the package).NPM_TOKEN(Settings → Secrets and variables → Actions → New repository secret). This powers the tag-triggered publish workflow at.github/workflows/publish.ymlfor v0.3.1+.npm ci && npm run build && npm publish --access publicgit tag v0.3.0 && git push --tags(firespublish.yml)npm i side-notein a throwaway directory, confirm<script type="module">import "side-note"</script>registers the custom elementReference
maintasks/todo.mdandCHANGELOG.md