[AAASM-2344] 🐛 (release): Lowercase repository.url for npm sigstore provenance#67

Merged
Chisanan232 merged 1 commit into master from v0.0.1/AAASM-2344/fix/lowercase_repo_url on Jun 3, 2026

Conversation

Chisanan232 (Contributor) commented Jun 3, 2026

Summary

Fixes a v0.0.1-alpha.4 publish failure in release-node.yml where pnpm publish --provenance was rejected by the npm registry with HTTP 422 because the package's repository.url (AI-agent-assembly) did not byte-for-byte match the canonical lowercase URL (ai-agent-assembly) emitted in the sigstore provenance bundle.

GitHub routing is case-insensitive — both URLs resolve to the same repository — but npm's sigstore verifier performs a case-sensitive string compare and refused the upload.

Lowercase the org segment in every package.json that ships to npm:

  • package.json (root @agent-assembly/sdk, plus bugs.url and homepage)
  • packages/runtime-linux-x64/package.json
  • packages/runtime-linux-arm64/package.json
  • packages/runtime-darwin-x64/package.json
  • packages/runtime-darwin-arm64/package.json

Failed run

https://github.com/ai-agent-assembly/node-sdk/actions/runs/26855112352

npm error (verbatim)

npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/@agent-assembly%2fruntime-linux-x64 -
Error verifying sigstore provenance bundle: Failed to validate repository information:
package.json: "repository.url" is "git+https://github.com/AI-agent-assembly/node-sdk.git",
expected to match "https://github.com/ai-agent-assembly/node-sdk" from provenance

Release re-trigger plan

Once this PR is merged, re-run release-node.yml via workflow_dispatch with release_tag: v0.0.1-alpha.4. No new git tag is needed — none of the 0.0.1-alpha.4 npm versions were ever created (publish failed before any package made it to the registry), so re-publishing the same version is clean.

Test plan

  • grep -rn "AI-agent-assembly" --include="package.json" returns no results after the change
  • All 5 package.json files now use https://github.com/ai-agent-assembly/node-sdk.git
  • After merge: trigger release-node.yml with release_tag: v0.0.1-alpha.4
  • Confirm all 5 packages publish successfully to npm with provenance

Notes on out-of-scope references

AI-agent-assembly also appears in README.md badges, docs/, CONTRIBUTING.md, .github/workflows/*.yml (gh CLI --repo args), verification-reports/, and website/.docusaurus/ generated output. None of these affect npm provenance and all work fine via GitHub's case-insensitive routing, so they are intentionally left alone.

Closes AAASM-2344

…e provenance

npm's sigstore provenance verification performs a case-sensitive string
compare between the package's `repository.url` and the canonical GitHub
URL emitted in the provenance bundle (which is always lowercase
`ai-agent-assembly`). GitHub routing is case-insensitive so the
mixed-case URL works for humans, but `pnpm publish` against the npm
registry rejects the upload with HTTP 422:

  Error verifying sigstore provenance bundle: Failed to validate
  repository information: package.json: "repository.url" is
  "git+https://github.com/AI-agent-assembly/node-sdk.git", expected
  to match "https://github.com/ai-agent-assembly/node-sdk" from
  provenance

This bit us during the v0.0.1-alpha.4 release: the root
`@agent-assembly/sdk` and all four `@agent-assembly/runtime-*`
sub-packages failed to publish.

Lowercase the org segment in every package.json that ships to npm so
the next `release-node.yml` run can complete the publish step.
codecov (Bot) commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


sonarqubecloud (Bot) commented Jun 3, 2026

Chisanan232 (Contributor, Author) commented

Claude Code review — AAASM-2344

CI state — 24 SUCCESS / 1 FAILURE — ignorable

mergeable: MERGEABLE, mergeStateStatus: UNSTABLE (because of the 1 FAILURE).

The single FAILURE is test (22, windows-latest) — the failing step is #4 "Setup Node.js", i.e. actions/setup-node@v… itself failing on the Windows runner before our test code ever ran. This is a well-known infra flake category (Windows runner + Node.js installer downloads occasionally time out), and it has nothing to do with this PR's diff (package.json URL strings only).

Per your standing instruction — "if the fail root cause is acceptance like test coverage or SonarQube parts, we could ignore it first" — this is in the ignorable-infra category, even less ambiguous than coverage failures because the test code didn't execute. Safe to merge.

24 SUCCESS includes Node 18/20/22 on ubuntu-latest + macos-latest, plus the SonarCloud + Codecov + lint checks. The actual sigstore provenance verification can't be tested here pre-merge because npm publish only happens on tag — but the regex/string change is mechanically obvious.

Scope vs. acceptance criteria

| AC (from AAASM-2344 ticket) | Status | Evidence |
|---|---|---|
| Lowercase repository.url in root package.json so npm sigstore provenance verification passes (was git+https://github.com/AI-agent-assembly/node-sdk.git, needs git+https://github.com/ai-agent-assembly/node-sdk.git) | | package.json — 3+/3- diff covers repository.url + related bugs.url + homepage |
| Apply the same lowercase fix to all 4 runtime sub-package package.json files | | Each of packages/runtime-{linux-x64,linux-arm64,darwin-x64,darwin-arm64}/package.json — 1+/1- diff per file |
| Re-trigger release-node.yml via workflow_dispatch against v0.0.1-alpha.4 after merge | ⏳ post-merge | I will trigger this once Group 1 PRs are all merged |
| All 5 npm packages publish successfully with sigstore provenance | ⏳ post-merge | Live verification on re-trigger |

Coupling note

This PR alone makes pnpm publish succeed for the alpha-4 release. The previously published 0.0.1-alpha.3 tarball was separately broken (scripts/postinstall.mjs missing from files array — would have made every npm install fail with MODULE_NOT_FOUND), but that was already fixed by AAASM-2326 / PR #64 which merged before this PR. So the alpha-4 republish will produce both publishable AND usable npm packages. My duplicate ticket AAASM-2453 (which I filed assuming it was unfixed) has been closed as duplicate of AAASM-2326.

Verdict

Ready for human approval and merge. Diff is minimal (10 lines across 5 files), all 5 files are pure repository.url lowercasing, the one CI failure is an unrelated Windows setup-node flake. After merge + re-trigger, alpha-4's npm publish completes for the first time.

— Claude Code (Opus 4.7, 1M context)

@Chisanan232 Chisanan232 merged commit 0b428dc into master Jun 3, 2026
24 of 25 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-2344/fix/lowercase_repo_url branch June 3, 2026 08:30