feat: add npm publishing for opencode plugin

[muness]

Summary

• Rename package from @cloud-atlas-ai/bottle to @open-horizon-labs/bottle-opencode
• Add publish-npm job to release workflow for automated npm publishing on release
• Uses OIDC provenance for supply chain security

Test plan

• Verify workflow syntax is valid
• On next release tag, verify npm publish job runs successfully
• Verify package is published to npm under @open-horizon-labs/bottle-opencode

Notes

• Requires NPM_TOKEN secret to be configured in the npm environment
• The plugin already exists with full functionality (CLI wrapper exposing bottle commands to OpenCode)

Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated package name to @open-horizon-labs/bottle-opencode and reset version to 0.1.0
  • Refreshed description, keywords, and added a publish-time version note
  • Added repository directory metadata for the plugin
  • Configured automated npm publishing for release builds

• Chores

  • Updated wm-opencode plugin version in the stable manifest to 0.3.8

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new publish-npm job to the release GitHub Actions workflow to publish the opencode plugin to npm, and updates opencode-plugin/package.json metadata (name, version, description, keywords, repository directory). Also bumps wm-opencode version in the stable bottle manifest.

Changes

Cohort / File(s)	Change Summary
CI/CD workflow \.github/workflows/release.yml	Added publish-npm job that runs after plan/release on real releases (not dry-run); checks out code, sets up Bun and Node (Node 22), extracts version from git tag, updates opencode-plugin/package.json, installs with Bun, builds, validates output, and publishes to npm using an NPM_TOKEN.
Package metadata opencode-plugin/package.json	Package identity changed: name -> @open-horizon-labs/bottle-opencode; version reset to 0.1.0; added _versionNote; description, keywords updated; repository augmented with directory: "opencode-plugin".
Bottles manifest bottles/stable/manifest.json	Updated opencode_plugins.wm-opencode version from 0.1.0 to 0.3.8.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as Action Runner
    participant Repo as Repository
    participant Bun as Bun/Node build
    participant NPM as npm Registry

    GH->>Runner: trigger release workflow (is_release && not dry-run)
    Runner->>Repo: checkout code (tag available)
    Runner->>Runner: extract version from git tag
    Runner->>Repo: update \`opencode-plugin/package.json\` version
    Runner->>Bun: install deps with Bun & build
    Bun-->>Runner: build artifacts verified
    Runner->>NPM: publish package with NPM_TOKEN (public)
    NPM-->>Runner: publish result
    Runner-->>GH: job completes

Loading

Possibly related issues

• feat: publish bottle as opencode npm plugin #52: Implements opencode-plugin npm publication and package rename, matching this PR's added publish-npm job and package metadata changes.

Possibly related PRs

• feat: refactor release workflow with plan pattern #49: Related changes to .github/workflows/release.yml that refactor/structure release/publish jobs.
• fix: OpenCode bottle as true meta-package with convenience commands #7: Prior updates to opencode-plugin/package.json metadata and versioning.
• Add manifest version update script and improve release docs #38: Related manifest/version updates referencing plugin package name/version.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change: adding npm publishing capability for the opencode plugin via a new workflow job.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/opencode-plugin

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[muness]

Superego Code Review

What's Working Well

1. OIDC provenance - Using --provenance with id-token: write is good practice for supply chain security
2. Environment isolation - The environment: npm gate provides manual approval control
3. Consistent pattern - Follows the existing publish job structure (cargo publish)
4. Version extraction - Deriving from git tag keeps version truth in one place

Suggestions

1. Version sync gap (potential gotcha)
The workflow updates package.json at publish time via jq, but the committed package.json shows 0.1.0. Contributors might be confused about what version is "current". Consider adding a comment to package.json noting version is set at publish time, or use a placeholder like 0.0.0-development.

2. Package rename - deprecation notice?
You're renaming from @cloud-atlas-ai/bottle to @open-horizon-labs/bottle-opencode. If the old package had users, consider publishing a deprecation notice:

npm deprecate @cloud-atlas-ai/bottle "Moved to @open-horizon-labs/bottle-opencode"

3. Build verification
The workflow builds then publishes, but doesn't verify the build succeeded meaningfully. Consider adding a quick smoke test:

- name: Verify build output
  working-directory: opencode-plugin
  run: test -f dist/index.js && test -f dist/index.d.ts

4. Minor: npm upgrade step
Node 22 ships with npm 10.x which supports OIDC. The npm install -g npm@latest step might be unnecessary—worth testing if you can drop it.

Questions to Consider

• Is there a dry-run mode you'd want for testing the publish workflow?
• Should publish-npm depend on any test/lint jobs for the plugin specifically?

Overall this is a straightforward, well-structured addition. The main thing I'd address is communicating the package rename to any existing users.

---

🧠 Superego review (code prompt)