Ship v0.2.0 to npm (and downstream distribution surfaces)

All engineering for v0.2.0 is committed on main (17 commits since v0.1.0 ship). The release is gated only on one of two one-time credential actions anh needs to perform on the npmjs.com web UI.

Choose one of two paths:

Path A — Token-based (5 minutes total, recurring rotation)

Per docs/PUBLISH-NPM-TOKEN.md:

1. Generate a Granular Access Token at https://www.npmjs.com/settings/nhonh/tokens
   • Critical: Permissions = Read and write (the current NPM_TOKEN returns E404 on PUT because it's Read-only — verified via the workflow log evidence trail in docs/PUBLISH-NPM-TOKEN.md).
2. Update the GH secret: gh secret set NPM_TOKEN -R hoainho/ohmyperf --body 'npm_xxx...'
3. Trigger the publish: gh workflow run publish-stable.yml --field bump=minor -R hoainho/ohmyperf

This path requires token rotation when it expires (npm caps Granular Access Tokens at 1 year).

Path B — OIDC Trusted Publishing (10-min one-time setup, zero recurring cost)

Per docs/PUBLISH-NPM-OIDC.md:

Trusted publishing requires the package to already exist on npm, so Path A must run once first to publish v0.2.0. After v0.2.0 lands:

1. For each of the 17 @ohmyperf/* packages on npmjs.com → Settings → Publishing access → Trusted publishers → Add → GitHub Actions:
   • Organization: hoainho
   • Repository: ohmyperf
   • Workflow filename: publish-stable.yml
   • Environment: (blank)
2. Every future release uses short-lived OIDC tokens + cryptographic provenance attestations. The NPM_TOKEN secret becomes unnecessary.

The workflow is already prepared for OIDC: Node 24 + permissions: id-token: write + preflight that auto-skips in OIDC-only mode (commits a019bf0, 3efe4d6).

What ships in v0.2.0

New publishable packages

• @ohmyperf/eslint-plugin v0.2.0 — 7 CWV-linked ESLint rules (no-document-write, no-sync-xhr, no-large-inline-data-url, prefer-loading-lazy, prefer-fetchpriority, no-render-blocking-script-in-head, no-passive-event-violation)
• @ohmyperf/fixers v0.2.0 — Archetype registry + proposePatches() engine

New MCP tools

• propose_patch — Returns structured { archetype, url, search, replace, rationale, expectedImpactMs, confidence } patches for actionable opportunities (issue v2 Track #5: Agent Fix Loop — Propose · Patch · Verify (KILLER FLAGSHIP) #6)
• verify_fix — Re-measures candidate + Mann-Whitney U diff against baseline; closes the agent fix loop

Engineering changes

• W2-website: backend-detector probe leaks CORS errors to console on /measure #11 OOPIF per-frame CDPSession — Cross-origin iframes now get real CDP sessions (verified on MDN iframe page: 5/5 OOPIFs got REAL_CDP_SESSION)
• W2-Defer backend detection until Measure is clicked #12 syntheticInteraction — INP now measurable via CDP Input.dispatchMouseEvent
• W2-SPA: poll for extension installation mid-session (don't require reload) #17 stage 1 — SourceLocation schema slot + sourcemap detection MVP (issue v2 Track #2: LLM-Native Taxonomy + Source-Map Resolution + Negative-Space Audits #4)

UX polish

• W3-fix(engine): batch 4 report-quality bugs from session weakness analysis #21 Terminal verdict banner — Top-of-output 🟢 PASS / 🟡 NEEDS IMPROVEMENT / 🔴 FAIL
• W3-chore: bootstrap contributor onboarding (issue templates, labels, roadmap) #22 SVG status dots — Replaces ASCII ✓ ! ✗ with inline SVG filled circles
• W3-#24 print-color-adjust: exact — CWV traffic-light colors preserved on PDF export
• W3-#25 Markdown PR verdict block — Top-of-PR 🟢/🔴 status + per-metric emoji table

Distribution prep (Wave 3)

• .github/workflows/deploy-website.yml ready for Cloudflare Pages — needs CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID secrets (see docs/DEPLOY-WEBSITE.md)
• .github/workflows/publish-vscode.yml ready for VSCode Marketplace — needs VSCE_PAT secret (see docs/PUBLISH-VSCODE.md)
• smithery.yaml ready for smithery.ai submission (see docs/PUBLISH-MCP-LISTINGS.md)

Infrastructure

• publish-stable.yml preflight catches misconfigured NPM_TOKEN in <2s with ::error:: pointing at the right diagnostic doc
• ci.yml macos-13 → macos-14 (yesterday's runner was retired by GitHub)
• 365 tests pass workspace-wide (no regressions)

Verification after publish

npx -y @ohmyperf/cli@0.2.0 doctor              # should print OK
npx -y @ohmyperf/cli@0.2.0 https://example.com # full measure end-to-end
npm view @ohmyperf/eslint-plugin version       # should print 0.2.0 (first publish)
npm view @ohmyperf/fixers version              # should print 0.2.0 (first publish)
npx -y @ohmyperf/mcp-server@0.2.0              # MCP stdio ready

Next milestones (after v0.2.0 ships)

• v0.2.1 distribution wave: trigger deploy-website.yml, submit smithery/glama/marketplace listings (all engineering ready)
• v0.3 milestone: VLQ source-map decode + framework-aware fixer archetypes (next.js, plain-html)