AIWG 2026.6.7 — "@aiwg/cockpit provenance metadata"

AIWG 2026.6.7 — "@aiwg/cockpit provenance metadata"

Released: 2026-06-21 Channel: stable (`npm install -g aiwg`)

Maintenance cut to validate the new `@aiwg/cockpit` npm trusted-publishing leg. The previous 2026.6.6 run generated a Sigstore provenance bundle for `github.com/jmagly/aiwg`, but npm rejected the cockpit publish because the packed `apps/cockpit/package.json` had no `repository.url`.


Fix

`@aiwg/cockpit` now declares repository metadata that matches the GitHub Actions provenance identity:

{
  "repository": {
    "type": "git",
    "url": "https://github.com/jmagly/aiwg",
    "directory": "apps/cockpit"
  }
}

The npm scope is `@aiwg`, but the provenance source repository is still the GitHub mirror that runs the publish workflow. The `directory` field points npm users and registry metadata at the subpackage inside the monorepo.

The cockpit publishability smoke test now asserts this metadata so an empty or missing `repository.url` fails locally before a release tag is cut.


Upgrade

npm install -g aiwg     # 2026.6.7
aiwg version            # -> 2026.6.7 [stable]

No action required. Release-pipeline/package-metadata validation cut; no CLI behavior changes.