chore(release): verify archive layout for nullclaw CLI compatibility

.github/workflows/ci.yml

@@ -29,3 +29,9 @@ jobs:
 
       - name: Build
         run: npm run build
+
+      - name: Package release artifacts (smoke)
+        run: bash ./scripts/package-release.sh "v0.0.0-ci" release
+
+      - name: Verify release artifact layout
+        run: bash ./scripts/verify-release-package.sh "v0.0.0-ci" release

.github/workflows/release.yml

@@ -33,6 +33,9 @@ jobs:
       - name: Package release archives
         run: bash ./scripts/package-release.sh "${GITHUB_REF_NAME}" release
 
+      - name: Verify release archive layout
+        run: bash ./scripts/verify-release-package.sh "${GITHUB_REF_NAME}" release
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:

docs/operations.md

@@ -50,9 +50,10 @@ Security expectations:
 3. Manual verification of pairing, chat, approvals, logout.
 4. Build production bundle.
 5. Verify CLI startup: `npm run cli -- run --host 127.0.0.1 --port 4173`.
-6. Tag a release: `git tag vYYYY.M.D && git push origin vYYYY.M.D`.
-7. Confirm GitHub Actions `Release` workflow attached `.tar.gz` and `.zip` assets.
-8. Confirm diagnostics panel reflects actual E2E/runtime details.
+6. Validate release archive layout: `bash ./scripts/package-release.sh vX.Y.Z release && bash ./scripts/verify-release-package.sh vX.Y.Z release`.
+7. Tag a release: `git tag vYYYY.M.D && git push origin vYYYY.M.D`.
+8. Confirm GitHub Actions `Release` workflow attached `.tar.gz` and `.zip` assets.
+9. Confirm diagnostics panel reflects actual E2E/runtime details.
 
 ## GitHub Release Artifacts
 

scripts/verify-release-package.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION="${1:-}"
+OUTDIR="${2:-release}"
+
+if [[ -z "${VERSION}" ]]; then
+	echo "Usage: $0 <version-tag> [output-dir]"
+	echo "Example: $0 v2026.3.5 release"
+	exit 1
+fi
+
+TAR_PATH="${OUTDIR}/nullclaw-chat-ui-${VERSION}.tar.gz"
+ZIP_PATH="${OUTDIR}/nullclaw-chat-ui-${VERSION}.zip"
+
+require_cmd() {
+	local cmd="$1"
+	if ! command -v "${cmd}" >/dev/null 2>&1; then
+		echo "Missing required command: ${cmd}" >&2
+		exit 1
+	fi
+}
+
+assert_file() {
+	local path="$1"
+	if [[ ! -f "${path}" ]]; then
+		echo "Expected file not found: ${path}" >&2
+		exit 1
+	fi
+}
+
+assert_contains_tar() {
+	local entry="$1"
+	if ! tar -tzf "${TAR_PATH}" | grep -Fx -- "${entry}" >/dev/null; then
+		echo "Tar archive missing entry: ${entry}" >&2
+		exit 1
+	fi
+}
+
+assert_contains_zip() {
+	local entry="$1"
+	if ! unzip -Z1 "${ZIP_PATH}" | grep -Fx -- "${entry}" >/dev/null; then
+		echo "Zip archive missing entry: ${entry}" >&2
+		exit 1
+	fi
+}
+
+require_cmd tar
+require_cmd unzip
+
+assert_file "${TAR_PATH}"
+assert_file "${ZIP_PATH}"
+
+required_entries=(
+	"nullclaw-chat-ui/README.md"
+	"nullclaw-chat-ui/package.json"
+	"nullclaw-chat-ui/nullclaw-chat-ui"
+	"nullclaw-chat-ui/nullclaw-chat-ui.cmd"
+	"nullclaw-chat-ui/bin/nullclaw-chat-ui.js"
+	"nullclaw-chat-ui/build/index.html"
+)
+
+for entry in "${required_entries[@]}"; do
+	assert_contains_tar "${entry}"
+	assert_contains_zip "${entry}"
+done
+
+echo "Verified release artifacts:"
+echo "  ${TAR_PATH}"
+echo "  ${ZIP_PATH}"

src/lib/components/ChatScreen.svelte

@@ -4,6 +4,7 @@
     ToolCall,
     ApprovalRequest,
   } from "$lib/stores/session.svelte";
+  import { redactWebSocketAuthToken } from "$lib/protocol/ws-url";
   import MessageBubble from "./MessageBubble.svelte";
   import ToolCallBlock from "./ToolCallBlock.svelte";
   import ApprovalPrompt from "./ApprovalPrompt.svelte";
@@ -54,6 +55,10 @@
     return items;
   });
 
+  const safeEndpointUrl = $derived(
+    redactWebSocketAuthToken(endpointUrl) ?? endpointUrl,
+  );
+
   function handleSubmit(e: Event) {
     e.preventDefault();
     const trimmed = input.trim();
@@ -105,7 +110,7 @@
             >> ESTABLISHING SECURE E2E CHANNEL... [OK]
           </p>
           <p class="typewriter-line-5">
-            >> CONNECTED TO ENDPOINT: {endpointUrl}
+            >> CONNECTED TO ENDPOINT: {safeEndpointUrl}
           </p>
           {#if initComplete}
             <p class="ready-text text-glow">

src/lib/components/ChatScreen.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it, vi } from "vitest";
+import { render } from "@testing-library/svelte";
+import ChatScreen from "./ChatScreen.svelte";
+
+describe("ChatScreen", () => {
+  it("redacts websocket auth token in endpoint banner", () => {
+    const { container } = render(ChatScreen, {
+      props: {
+        messages: [],
+        toolCalls: [],
+        approvals: [],
+        error: null,
+        isStreaming: false,
+        endpointUrl: "wss://host.example/ws?token=super-secret&foo=bar",
+        onSend: vi.fn(),
+        onApproval: vi.fn(),
+      },
+    });
+
+    const text = container.textContent ?? "";
+    expect(text).toContain("wss://host.example/ws?token=***&foo=bar");
+    expect(text).not.toContain("super-secret");
+  });
+});