From 8cdd4678168962911b996b7d49c8fb1f39c1c9c2 Mon Sep 17 00:00:00 2001
From: Piyush Vyas <pie.vyas@gmail.com>
Date: Thu, 2 Apr 2026 04:35:58 -0500
Subject: [PATCH] Protect release branches from internal-only artifacts and
 accidental side-package publish

This narrows the public release surface before the follow-up changeset work.
The workflow now blocks tracked operator docs/state files, the README banner
uses a hosted asset that renders on npm, and integration packages are marked
non-publishable with an explicit prepublish failure.

Constraint: Keep this as a stacked prep PR on top of fix/e2e-replay without bundling unrelated dirty-worktree edits
Rejected: Commit the cleanup from the active dirty worktree directly | risked scooping unrelated uncommitted changes into the PR
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep integration packages private unless they gain a deliberate published-package contract and files allowlist
Tested: Root npm ci/build/typecheck/test, browser-use npm ci/typecheck/test, root npm pack --dry-run, integration npm publish --dry-run failure paths
Not-tested: Browserbase npm ci on this base branch; package-lock.json is out of sync before this prep change
---
 .github/workflows/release.yml         | 12 ++++++++++++
 .gitignore                            | 13 +++++++++++++
 README.md                             |  2 +-
 integrations/browser-use/package.json |  2 ++
 integrations/browserbase/package.json |  2 ++
 5 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08c379f..2e6e885 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,18 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v4
+      - name: Check repository hygiene
+        run: |
+          if git ls-files | grep -E '^(docs/plans|\.omx|\.pilot|\.dev-session)(/|$)|(^|/)(AGENTS\.md|CLAUDE\.md|POSITIONING\.md|ROADMAP\.md|BROWSER_USE_PR\.md|demo/RECORD-DEMO-PROMPT\.md|\.staff-engineer-state\.json|\.staff-engineer\.json)$'; then
+            echo "Tracked internal-only files found in public release tree."
+            exit 1
+          fi
+          extra_banners="$(git ls-files .github/banners | grep -Ev '^\.github/banners/05-replay-arrows\.svg$' || true)"
+          if [ -n "$extra_banners" ]; then
+            printf '%s\n' "$extra_banners"
+            echo "Tracked banner drafts found outside the release banner."
+            exit 1
+          fi
       - uses: actions/setup-node@v4
         with:
           node-version: 22
diff --git a/.gitignore b/.gitignore
index d98f435..e3edd91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,19 @@ node_modules/
 dist/
 .turbo/
 *.tsbuildinfo
+.DS_Store
+*.tgz
+.omx/
+.pilot/
 .dev-session/
 .staff-engineer-state.json
+.staff-engineer.json
+AGENTS.md
+.github/banners/*
+!.github/banners/05-replay-arrows.svg
+docs/plans/
+POSITIONING.md
+ROADMAP.md
+BROWSER_USE_PR.md
+demo/RECORD-DEMO-PROMPT.md
 CLAUDE.md
diff --git a/README.md b/README.md
index da94b64..5574358 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <img src=".github/banners/05-replay-arrows.svg" alt="DBAR — Deterministic Browser Agent Runtime" width="800"/>
+  <img src="https://raw.githubusercontent.com/pyyush/dbar/fix/e2e-replay/.github/banners/05-replay-arrows.svg" alt="DBAR — Deterministic Browser Agent Runtime" width="800"/>
 </p>
 
 <p align="center">
diff --git a/integrations/browser-use/package.json b/integrations/browser-use/package.json
index 8cc283c..61d5923 100644
--- a/integrations/browser-use/package.json
+++ b/integrations/browser-use/package.json
@@ -2,12 +2,14 @@
   "name": "@pyyush/dbar-browser-use",
   "version": "0.2.0",
   "description": "DBAR snapshot capture sidecar for browser-use agent sessions",
+  "private": true,
   "author": "Piyush Vyas",
   "license": "Apache-2.0",
   "type": "module",
   "scripts": {
     "build": "tsc",
     "capture": "node --loader ts-node/esm capture.ts",
+    "prepublishOnly": "node -e \"console.error('This integration package is intentionally not publishable.'); process.exit(1)\"",
     "test": "vitest run",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit"
diff --git a/integrations/browserbase/package.json b/integrations/browserbase/package.json
index 5dfa4c2..cb5aaa3 100644
--- a/integrations/browserbase/package.json
+++ b/integrations/browserbase/package.json
@@ -2,6 +2,7 @@
   "name": "@pyyush/dbar-browserbase",
   "version": "0.2.0",
   "description": "DBAR + Browserbase: deterministic capture in the cloud, replay locally",
+  "private": true,
   "author": "Piyush Vyas",
   "license": "Apache-2.0",
   "type": "module",
@@ -9,6 +10,7 @@
     "capture": "npx tsx capture.ts",
     "replay": "npx tsx replay.ts",
     "example": "npx tsx example.ts",
+    "prepublishOnly": "node -e \"console.error('This integration package is intentionally not publishable.'); process.exit(1)\"",
     "test": "vitest run --config vitest.config.ts"
   },
   "dependencies": {