feat(publish): cross-org CLI-tail publish pipeline w/ source-allowlist trust gate

Mirrors socket-addon's cross-org publish wiring; symmetric infrastructure
for @socketbin/* CLI tails:

- `scripts/source-allowlist.mts` — typed export of `SOURCE_ALLOWLIST`,
  currently empty (EMPTY_ALLOWLIST sentinel). The first binsuite family
  adds its row here BEFORE merging the package directory — the publisher
  refuses publish attempts for unknown families, so the allowlist row is
  the trust grant that turns the package directory on.
- `scripts/publish-cross-org.mts` — entry-point that mirrors socket-addon's
  byte-for-byte except the kind: 'cli' default flows through
  buildBinaryPathInTail() to place `bin/<name>[.exe]` instead of
  `<name>.node`.
- `.github/workflows/publish-cross-org.yml` — workflow_dispatch trigger.
  Default dry-run: true; real publishes require the canonical bypass.
- `package.json` — `publish:cross-org` script.
- `CHANGELOG.md` — bootstrap with the Unreleased entry.

The publisher will refuse every publish until the first SOURCE_ALLOWLIST
row lands — that's the intended state for a freshly-scaffolded publisher
with no authorized sources yet.

Author: jdalton

.github/workflows/publish-cross-org.yml

@@ -0,0 +1,80 @@
+name: 🚀 Cross-org publish
+
+# Bespoke socket-bin publish pipeline for cross-org CLI tails. Reads the
+# repo's source-allowlist.mts to authorize a (source-repo, release-tag) pair,
+# downloads the release artifacts via `gh release download`, verifies their
+# attestations against the allowlist row's signer-workflow, extracts each
+# triplet's archive into its `packages/<prefix><triplet>/` directory, stamps
+# the version, and (unless dry-run) `npm publish --provenance` per tail.
+#
+# Trust layers (every successful run requires ALL):
+#   1. Allowlist match — entry in scripts/source-allowlist.mts.
+#   2. Tag conformance — release tag matches the row's tagPattern.
+#   3. SHA256SUMS attested — `gh attestation verify` succeeds.
+#   4. Per-archive attested — same, for each downloaded tarball.
+#   5. Tarball SHA matches SHA256SUMS — local recomputation.
+#   6. Manifest name conformance — extracted package.json's `name` is exactly
+#      `<targetScope>/<namePrefix><triplet>`.
+#
+# Bypass: this workflow accepts a `dry-run` input to satisfy
+# release-workflow-guard. The default is true. A real publish requires
+# `Allow workflow-dispatch bypass: publish-cross-org` typed verbatim in the
+# session that runs `gh workflow run … -f dry-run=false`.
+
+on:
+  workflow_dispatch:
+    inputs:
+      source-repo:
+        description: 'GitHub <owner>/<repo> hosting the release artifacts (must match an allowlist row)'
+        required: true
+        type: string
+      release-tag:
+        description: 'Release tag in source-repo (must match the row''s tagPattern)'
+        required: true
+        type: string
+      dry-run:
+        description: 'Stage + verify only; skip npm publish (default: true)'
+        required: false
+        default: true
+        type: boolean
+
+permissions:
+  contents: read
+  id-token: write
+  attestations: read
+
+jobs:
+  cross-org-publish:
+    name: Stage + (optionally) publish
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 (2025-08-15)
+
+      - name: Setup + install
+        uses: SocketDev/socket-registry/.github/actions/setup-and-install@f09a1cd39868ae45d304cfcead2d4f19a5325d8a # main (2026-06-01)
+
+      - name: Stage + publish
+        env:
+          SOURCE_REPO: ${{ inputs.source-repo }}
+          RELEASE_TAG: ${{ inputs.release-tag }}
+          DRY_RUN: ${{ inputs.dry-run }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: node scripts/publish-cross-org.mts
+
+      - name: Summarize publish
+        if: always()
+        run: |
+          {
+            echo "## socket-bin cross-org publish"
+            echo ""
+            echo "| Input | Value |"
+            echo "| --- | --- |"
+            echo "| source-repo | \`${{ inputs.source-repo }}\` |"
+            echo "| release-tag | \`${{ inputs.release-tag }}\` |"
+            echo "| dry-run | \`${{ inputs.dry-run }}\` |"
+            echo "| result | ${{ job.status }} |"
+          } >> "$GITHUB_STEP_SUMMARY"

CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+All notable changes to this package will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- `scripts/source-allowlist.mts`: authoritative allowlist of `(source-repo,
+  build-workflow, tag-pattern)` tuples authorized to mint `@socketbin/*`
+  CLI-tail packages. Empty until the first binsuite family is scaffolded.
+- `scripts/publish-cross-org.mts`: entry-point that reads the allowlist,
+  delegates the download → verify → extract → stage pipeline to the fleet
+  `stageMultiPackagePublish()` runner, and `npm publish --provenance` per
+  staged tail.
+- `.github/workflows/publish-cross-org.yml`: `workflow_dispatch` trigger
+  (`source-repo`, `release-tag`, `dry-run` inputs) that runs the publisher
+  under the workflow's OIDC identity. Default `dry-run: true`; a real
+  publish requires the canonical `Allow workflow-dispatch bypass:
+  publish-cross-org` phrase in the operator's session.
+- `package.json`: `publish:cross-org` script.

package.json

@@ -28,6 +28,7 @@
     "prepare": "node scripts/fleet/install-git-hooks.mts && node scripts/fleet/install-git-hooks.mts",
     "publish": "node scripts/fleet/publish.mts",
     "publish:ci": "node scripts/fleet/publish.mts --tag ${DIST_TAG:-latest}",
+    "publish:cross-org": "node scripts/publish-cross-org.mts",
     "publish:dry": "node scripts/fleet/publish.mts --dry-run",
     "security": "node scripts/fleet/security.mts",
     "setup": "node .claude/hooks/fleet/setup-security-tools/index.mts",

scripts/publish-cross-org.mts

@@ -0,0 +1,139 @@
+/**
+ * @file Entry point for socket-bin's cross-org tail publishes. Driven by the
+ *   `publish-cross-org.yml` workflow's `workflow_dispatch` inputs (mapped
+ *   into env vars: `SOURCE_REPO`, `RELEASE_TAG`, `DRY_RUN`). Reads
+ *   `scripts/source-allowlist.mts` for the trust boundary, delegates the
+ *   download → verify → extract → stage pipeline to the fleet
+ *   `stageMultiPackagePublish` runner, and on non-dry-run iterates the
+ *   staged tails and `npm publish --provenance` each one.
+ *
+ *   Mirrors `socket-addon/scripts/publish-cross-org.mts` byte-for-byte
+ *   except for the tail-directory convention (`packages/<prefix><triplet>`
+ *   is identical in both repos) and the `kind` field on allowlist rows
+ *   (socket-addon families are NAPI; socket-bin families are CLI). The
+ *   `kind` distinction flows through `buildBinaryPathInTail()`, which
+ *   places `bin/<name>[.exe]` instead of `<name>.node`.
+ *
+ *   The allowlist is empty until the first binsuite family is scaffolded
+ *   — the runner refuses on `allowlist-miss`, which is the intended state
+ *   for a freshly-scaffolded publisher with no authorized sources yet.
+ *
+ *   Exit codes:
+ *     0 — every requested tail staged + (unless dry-run) published.
+ *     1 — any stage or publish failure (the first one; fail-fast).
+ */
+
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import { getDefaultLogger } from '@socketsecurity/lib-stable/logger/default'
+
+import { runCommand } from './fleet/util/run-command.mts'
+import {
+  MultiPackageStageError,
+  stageMultiPackagePublish,
+  type TailStageOutcome,
+} from './fleet/util/multi-package-publish.mts'
+import type { GitHubRepoSlug } from './fleet/util/source-allowlist.mts'
+import {
+  buildBinaryPathInTail,
+  findAllowlistEntry,
+} from './fleet/util/source-allowlist.mts'
+import { SOURCE_ALLOWLIST } from './source-allowlist.mts'
+
+const logger = getDefaultLogger()
+const REPO_ROOT = path.dirname(path.dirname(fileURLToPath(import.meta.url)))
+const STAGING_DIR = path.join(REPO_ROOT, '.cross-org-stage')
+
+function readRequiredEnv(name: string): string {
+  const value = process.env[name]
+  if (!value || value.trim() === '') {
+    throw new Error(
+      `Missing required env: ${name}. Set it via workflow_dispatch input or the calling shell.`,
+    )
+  }
+  return value.trim()
+}
+
+function isGitHubRepoSlug(value: string): value is GitHubRepoSlug {
+  const parts = value.split('/')
+  return parts.length === 2 && parts[0]!.length > 0 && parts[1]!.length > 0
+}
+
+async function publishTail(tail: TailStageOutcome): Promise<void> {
+  logger.log(`Publishing ${tail.tailName}@${tail.version}…`)
+  const exitCode = await runCommand(
+    'npm',
+    ['publish', '--access', 'public', '--provenance'],
+    { cwd: tail.tailDir },
+  )
+  if (exitCode !== 0) {
+    throw new Error(
+      `npm publish failed for ${tail.tailName}@${tail.version} (exit ${exitCode}). See above stderr from npm.`,
+    )
+  }
+  logger.success(`Published ${tail.tailName}@${tail.version}`)
+}
+
+async function main(): Promise<void> {
+  const sourceRepoRaw = readRequiredEnv('SOURCE_REPO')
+  if (!isGitHubRepoSlug(sourceRepoRaw)) {
+    throw new Error(
+      `SOURCE_REPO must be <owner>/<repo>; got ${sourceRepoRaw}.`,
+    )
+  }
+  const sourceRepo: GitHubRepoSlug = sourceRepoRaw
+  const releaseTag = readRequiredEnv('RELEASE_TAG')
+  const dryRun = process.env['DRY_RUN'] !== 'false'
+
+  const entry = findAllowlistEntry(SOURCE_ALLOWLIST, sourceRepo, releaseTag)
+  if (!entry) {
+    throw new MultiPackageStageError(
+      `No socket-bin allowlist row matches ${sourceRepo} tag ${releaseTag}. Add a SourceAllowlistEntry in scripts/source-allowlist.mts or correct the inputs.`,
+      'allowlist-miss',
+    )
+  }
+
+  logger.log(`socket-bin cross-org publish`)
+  logger.log(`  source: ${sourceRepo} @ ${releaseTag}`)
+  logger.log(`  family: ${entry.familyId} (${entry.kind} → ${entry.binaryName})`)
+  logger.log(`  dry-run: ${dryRun}`)
+
+  const result = await stageMultiPackagePublish({
+    allowlist: SOURCE_ALLOWLIST,
+    sourceRepo,
+    releaseTag,
+    tailDirFor: triplet =>
+      path.join(REPO_ROOT, 'packages', `${entry.namePrefix}${triplet}`),
+    binaryPathInTail: triplet => buildBinaryPathInTail(entry, triplet),
+    stagingDir: STAGING_DIR,
+    dryRun,
+  })
+
+  logger.log(
+    `Staged ${result.tails.length} tail(s) for ${result.entry.familyId}@${result.version}`,
+  )
+
+  if (dryRun) {
+    logger.log('Dry run — skipping npm publish step. Done.')
+    return
+  }
+
+  for (let i = 0, { length } = result.tails; i < length; i += 1) {
+    // eslint-disable-next-line no-await-in-loop
+    await publishTail(result.tails[i]!)
+  }
+
+  logger.success(
+    `socket-bin cross-org publish complete: ${result.tails.length} tail(s) → ${entry.targetScope}/${entry.namePrefix}*@${result.version}`,
+  )
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch((err: unknown) => {
+    logger.error(err instanceof Error ? err.message : String(err))
+    process.exitCode = 1
+  })
+}
+
+export { main }

scripts/source-allowlist.mts

@@ -0,0 +1,30 @@
+/**
+ * @file socket-bin's source-allowlist — the trust boundary for every
+ *   `@socketbin/*` CLI-tail this repo publishes. Each entry is one
+ *   (source-repo, build-workflow, tag-pattern) tuple authorized to mint a
+ *   family of npm tails. Adding a row is a fleet-level review (new trust
+ *   grant); removing a row immediately revokes that family's ability to
+ *   publish through socket-bin.
+ *
+ *   The publisher (`scripts/publish-cross-org.mts`) reads this array and
+ *   refuses any publish whose `(sourceRepo, releaseTag)` doesn't match a
+ *   row. Allowlist match is layer 1 of the trust gate; artifact attestation
+ *   verification via `gh attestation verify` is layer 2. Both must pass.
+ *
+ *   Currently empty: the binsuite tail packages this repo will publish are
+ *   still being scaffolded (tracked separately). When the first family
+ *   lands, add its row here BEFORE merging the package directory — the
+ *   publisher refuses publish attempts for unknown families, so the
+ *   allowlist row is the trust grant that turns the package directory on.
+ *
+ *   Schema lives in the fleet (`scripts/fleet/util/source-allowlist.mts`);
+ *   this file ships only the data + a typed export.
+ */
+
+import {
+  EMPTY_ALLOWLIST,
+  type SourceAllowlistEntry,
+} from './fleet/util/source-allowlist.mts'
+
+export const SOURCE_ALLOWLIST: readonly SourceAllowlistEntry[] =
+  EMPTY_ALLOWLIST