chore: update audit report and technical specifications

- Enhance AUDIT_REPORT.md with package publishing safeguards and npm dry-run details.
- Add npm audit and publish dry-run checks to TECHNICAL_SPEC.md.

feat: improve package.json configuration

- Set sideEffects to false for better tree-shaking.
- Include prepack and prepublishOnly scripts for build and verification.
- Add publishConfig for public access and registry.

docs: add CHANGELOG, CONTRIBUTING, LICENSE, SECURITY, and PUBLISHING documentation

- Create CHANGELOG.md to document notable changes.
- Establish CONTRIBUTING.md for local setup and development rules.
- Add LICENSE file with MIT License terms.
- Introduce SECURITY.md for reporting vulnerabilities and security notes.
- Create PUBLISHING.md checklist for npm publication and distribution.

Author: MADEVAL

CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to FingerprintJS by BotBlocker are documented here.
+
+## 0.1.0 - 2026-05-14
+
+### Added
+
+- Stable visitor identity with identity/report-only component separation.
+- Browser, collector, policy, storage, and server package entry points for ESM and CommonJS.
+- Script-tag browser builds with `FingerprintJSBotBlocker` global.
+- Bot evidence, private-mode indicators, tamper evidence, and browser capability reporting.
+- Replay protection, server-only hash mode, backend verifier, and pluggable network risk adapter.
+- Stability/drift monitor and use-case presets for privacy-first, analytics, login risk, checkout risk, bot defense, and fraud defense workflows.
+- Explainable report and dense ID analysis report formats.
+- Browser demo, debug inspector, Node example, technical spec, audit report, and version policy.
+- Full verification gate with build, typecheck, 100% Node coverage, Playwright browser tests, and bundle size check.

CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+## Local Setup
+
+```bash
+npm ci
+npm run verify
+```
+
+`npm run verify` is the required quality gate before a change is submitted. It builds all package entry points, validates declarations, runs Node tests with 100% coverage, runs Playwright browser tests, and checks the browser bundle size budget.
+
+## Development Rules
+
+- Keep browser runtime code dependency-free.
+- Keep server-only verification code out of the browser entry point.
+- Do not add volatile or risk-only signals to the default visitor ID hash unless the version policy is updated.
+- Prefer adding report-only evidence over changing identity inputs.
+- Update TypeScript declarations, docs, tests, and generated `dist/` artifacts when public APIs change.
+- Keep examples in English and runnable from a local checkout.
+
+## Release Readiness
+
+Before publishing, run:
+
+```bash
+npm run verify
+npm pack --dry-run
+npm publish --dry-run
+```
+
+Review the dry-run file list and confirm that no local-only files are included in the package.

LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2026 Yevhen Leonidov
+Copyright (c) 2026 BotBlocker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -224,6 +224,10 @@ The debug inspector in [examples/inspector.html](examples/inspector.html) accept
 
 Additional docs:
 
+- [CHANGELOG.md](CHANGELOG.md)
+- [CONTRIBUTING.md](CONTRIBUTING.md)
+- [SECURITY.md](SECURITY.md)
 - [docs/TECHNICAL_SPEC.md](docs/TECHNICAL_SPEC.md)
 - [docs/VERSION_POLICY.md](docs/VERSION_POLICY.md)
-- [docs/AUDIT_REPORT.md](docs/AUDIT_REPORT.md)
+- [docs/AUDIT_REPORT.md](docs/AUDIT_REPORT.md)
+- [docs/PUBLISHING.md](docs/PUBLISHING.md)

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are provided for the latest published minor version of `@botblocker/fingerprintjs`.
+
+## Reporting A Vulnerability
+
+Do not open a public issue for a suspected vulnerability. Report security concerns through the private contact channel published at https://botblocker.top.
+
+Please include:
+
+- affected package version;
+- affected runtime or browser;
+- minimal reproduction steps;
+- expected and observed behavior;
+- whether the issue affects client identity, replay protection, server verification, or report integrity.
+
+## Security Notes
+
+FingerprintJS by BotBlocker is a client signal and backend verification SDK. Browser-collected signals are evidence, not proof. Production enforcement should combine client results with backend replay checks, server hash mode, rate limits, account state, and network intelligence.
+
+Replay protection and server hash mode require a private server secret. Do not expose that secret to browser code, client bundles, logs, or analytics events.

dist/browser/fingerprintjs-botblocker.min.js

@@ -14,6 +14,8 @@ This audit covers FingerprintJS by BotBlocker source code, package metadata, gen
 - Browser tests run against Chromium, Firefox, and WebKit through Playwright.
 - The minified browser bundle is checked against a 65 KB budget.
 - CI runs install, browser setup, and `npm run verify` on push and pull request.
+- Package publishing is guarded by `prepack` build and `prepublishOnly` verification scripts.
+- npm package dry-run includes only intended package, build, docs, examples, security, license, and release files.
 
 ## Current Feature Coverage
 
@@ -81,7 +83,7 @@ FingerprintJS by BotBlocker is suitable as a client-side signal layer for [BotBl
 
 1. Calibrate bot and private-mode scoring against real product traffic before automated enforcement.
 2. Keep the 65 KB bundle budget under review as additional risk signals are added.
-3. Add release automation when publishing credentials and release policy are defined.
+3. Add release automation with npm provenance when publishing credentials and release policy are defined.
 4. Expand browser stability fixtures for product-specific flows and target browser versions.
 5. Run a production observation window before changing default identity collector membership.
 6. Connect the backend network adapter to a production IP intelligence provider before using proxy/VPN/datacenter evidence for enforcement.

docs/AUDIT_REPORT.md

@@ -0,0 +1,55 @@
+# Publishing Checklist
+
+Use this checklist for npm publication and public distribution.
+
+## One-Time Setup
+
+1. Confirm package ownership for the `@botblocker` npm scope.
+2. Confirm the public repository URL and add it to `package.json` when available.
+3. Configure npm 2FA for publish operations.
+4. Prefer publishing from CI with npm provenance enabled when the release workflow is ready.
+5. Confirm the security contact channel at https://botblocker.top.
+
+## Pre-Release Checks
+
+```bash
+npm ci
+npm run verify
+npm audit --omit=dev
+npm pack --dry-run
+npm publish --dry-run
+```
+
+Expected quality gate:
+
+- build succeeds;
+- TypeScript declarations compile;
+- Node coverage is 100% for lines, branches, and functions;
+- Playwright tests pass in Chromium, Firefox, and WebKit;
+- minified browser bundle stays under the configured budget;
+- production dependency audit reports zero vulnerabilities;
+- package dry-run includes only intended files.
+
+## Versioning
+
+- Patch release: compatible API and no intentional default identity hash change.
+- Minor release: new API, new report-only signals, or documented identity hash changes.
+- Major release: breaking API, package export changes, or incompatible result schema changes.
+
+If default identity inputs change, document the migration impact in `CHANGELOG.md` and `docs/VERSION_POLICY.md`.
+
+## Publish
+
+```bash
+npm version patch
+npm publish --access public
+```
+
+Use `minor` or `major` instead of `patch` when the versioning rules require it.
+
+## Post-Release
+
+1. Install the package in a clean temporary project.
+2. Test ESM import, CommonJS require, and the `@botblocker/fingerprintjs/server` subpath.
+3. Download the browser bundle from the published package and run the browser demo.
+4. Tag the release in git and attach a short release note based on `CHANGELOG.md`.

docs/PUBLISHING.md

@@ -285,4 +285,6 @@ Recommended backend payload:
 - TypeScript declaration validation;
 - Node tests with 100% line, branch, and function coverage for `src/**/*.js`;
 - Playwright tests in Chromium, Firefox, and WebKit;
-- minified browser bundle size check under 65 KB.
+- minified browser bundle size check under 65 KB.
+
+Release readiness additionally uses `npm audit --omit=dev`, `npm pack --dry-run`, and `npm publish --dry-run`.

docs/TECHNICAL_SPEC.md

@@ -5,6 +5,7 @@
   "productName": "FingerprintJS by BotBlocker",
   "type": "module",
   "license": "MIT",
+  "sideEffects": false,
   "main": "./dist/index.cjs",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.ts",
@@ -39,14 +40,24 @@
     "./package.json": "./package.json"
   },
   "files": [
+    "CHANGELOG.md",
+    "CONTRIBUTING.md",
     "dist/",
     "docs/",
     "examples/",
+    "LICENSE",
+    "SECURITY.md",
     "README.md"
   ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
   "scripts": {
     "clean": "node scripts/clean.mjs",
     "build": "node scripts/build.mjs",
+    "prepack": "npm run build",
+    "prepublishOnly": "npm run verify",
     "test": "node --test tests/*.test.mjs",
     "test:browser": "playwright test",
     "test:coverage": "node --test --experimental-test-coverage --test-coverage-include=\"src/**/*.js\" --test-coverage-lines=100 --test-coverage-branches=100 --test-coverage-functions=100 tests/*.test.mjs",