chore: deploy-audit cleanup — drop fictional deploy.sh, fix CHANGELOG, add release workflow (#56)

A deploy-readiness audit surfaced four stale/incorrect items in this repo;
this commit removes or repairs each.

Removed
-------
- scripts/deploy.sh — referenced a Dockerfile, a deployments/kubernetes/
  manifest, an internal/integration/ test package, and a k6 load-test
  script that never existed. tok is a Go library (AGENTS.md, .goreleaser.yml
  builds.skip: true); deployment is `go get`.
- /tokd entry in .gitignore — the ./server HTTP daemon never shipped.

Fixed
-----
- CHANGELOG.md:
  * 0.1.0 heading moved below [Unreleased] (Keep-a-Changelog ordering).
  * Stripped the backwards `compare/v1.1.0...0.1.0` diff link.
  * Stopped claiming we re-baselined `.release-please-manifest.json` and
    `scripts/install.sh` — neither file exists in this repo.
  * "HTTP server mode (tokd)" entry now documents that the daemon did not
    ship, matching the existing historical note under [0.29.0].
- .github/workflows/ci.yml: pin gosec to v2.22.4 (was v2.21.4), matching
  every other gosec invocation in the workflow + sibling repos.

Added
-----
- .github/workflows/release.yml: trigger goreleaser on `v*` tag pushes.
  The existing .goreleaser.yml builds source archives + SHA-256 checksums
  + SPDX SBOM (`builds.skip: true`) but had no workflow to invoke it.

Validation
----------
- go build ./... — clean
- go vet ./... — clean
- gofumpt -l . — clean
- goimports -l . — clean
- golangci-lint run --timeout=5m — 0 issues
- go test ./... -short — all pass
- govulncheck ./... — no vulnerabilities

Author: Patel230

.github/workflows/ci.yml

@@ -136,7 +136,7 @@ jobs:
       - name: gosec (advisory)
         continue-on-error: true
         run: |
-          go install github.com/securego/gosec/v2/cmd/gosec@v2.21.4
+          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
           gosec -exclude=G104,G301,G302,G304,G306 ./...
 
   # -------------------------------------------------------------------------

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+# Release workflow for tok — Go LIBRARY.
+#
+# tok ships as a Go module (no binary). This workflow runs on a `v*` tag and
+# publishes a source archive, SHA-256 checksums, and an SBOM via goreleaser
+# (config: .goreleaser.yml — `builds.skip: true`, `source.enabled: true`).
+# Consumers depend on the tag via `go get github.com/GrayCodeAI/tok@vX.Y.Z`.
+
+name: release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write   # create GitHub Release + upload assets
+  id-token: write   # reserved for keyless cosign signing later
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0   # goreleaser needs full history for changelog
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: "1.26.4"
+          cache: true
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+        with:
+          distribution: goreleaser
+          version: "v6.3.0"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -10,7 +10,6 @@ build/
 .artifacts/
 /cmd          # stray compiled binary — tok is library-only, no cmd/ package
 /tok          # local build of any sample binary
-/tokd         # local build of the optional HTTP server (server/)
 *.test        # `go test -c` compiled test binaries
 
 # Dev state

CHANGELOG.md

@@ -7,23 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 > **tok is a Go library**, not a CLI. Install with
 > `go get github.com/GrayCodeAI/tok` and import `github.com/GrayCodeAI/tok`.
-> An optional HTTP server (`tokd`) lives in `./server`
-> (`go run ./server -addr 127.0.0.1:8080`). CLI-style verbs such as
-> `tok compress` are exposed by [Hawk](https://github.com/GrayCodeAI/hawk),
-> which embeds this library. Older entries below mentioning CLI commands, shell
-> hooks, agent installers, or a TUI describe prototype work that did not ship in
+> CLI-style verbs such as `tok compress` are exposed by
+> [Hawk](https://github.com/GrayCodeAI/hawk), which embeds this library.
+> Older entries below mentioning CLI commands, shell hooks, agent installers,
+> a TUI, or an HTTP `tokd` server describe prototype work that did not ship in
 > the library; see the historical note under `[0.29.0]`.
 
-## [0.1.0](https://github.com/GrayCodeAI/tok/compare/v1.1.0...0.1.0) (2026-06-08)
+## [Unreleased]
 
 ### Changed
-- **Version re-baselined to `0.1.0`** across `.release-please-manifest.json`,
-  `CITATION.cff`, and `scripts/install.sh`, aligning tok with the rest of the
-  hawk-eco ecosystem (`hawk`, `eyrie`, `yaad`, `sight`, `inspect`).
+- **Version re-baselined to `0.1.0`** across `CITATION.cff` and the embedded
+  `Version` constant, aligning tok with the rest of the hawk-eco ecosystem
+  (`hawk`, `eyrie`, `yaad`, `sight`, `inspect`). No git tag has been cut yet.
 
-## [Unreleased]
+### Removed
+- `scripts/deploy.sh` — referenced a Dockerfile, k8s manifests, and an
+  `internal/integration/` package that never existed. tok is a Go library
+  (no binary, no HTTP server); deployment happens via `go get`.
 
-See [0.1.0] for the latest changes.
+## [0.1.0] (unreleased)
 
 ### Added
 - **Custom filter DSL** — define regex find/replace rules in a TOML file
@@ -41,9 +43,10 @@ See [0.1.0] for the latest changes.
   tokens first via a pluggable `PerplexityScorer` (zero-dependency heuristic
   default; experimental `OllamaScorer` available with `-tags experimental_ollama`).
   Opt-in.
-- **HTTP server mode (`tokd`)** — optional standalone server exposing
-  `POST /compress`, `POST /estimate`, and `GET /health` over HTTP for
-  cloud/agent use; the core library stays import-clean.
+- **HTTP server mode (`tokd`)** — _removed before release_. Earlier work
+  on a standalone HTTP server lived in `./server` but did not ship; the
+  core library exposes no HTTP surface. See the historical note in
+  `[0.29.0]` for context.
 - **Compression-quality benchmark harness** (`benchmarks/quality`) — offline
   harness reporting compression ratio, char retention, and a ROUGE-1
   lexical-fidelity proxy against an LLMLingua-style baseline arm.