Skip to content

docs: list all 13 instance methods in README API TOC; publish with --provenance#117

Open
kurok wants to merge 3 commits into
masterfrom
docs/109-readme-toc-provenance
Open

docs: list all 13 instance methods in README API TOC; publish with --provenance#117
kurok wants to merge 3 commits into
masterfrom
docs/109-readme-toc-provenance

Conversation

@kurok

@kurok kurok commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes #109 — two documentation/artifact drifts from the 2026-07-02 repository audit.

  1. The README API TOC listed only 5 of the 13 documented instance methods, hiding the entire KV v2/metadata surface from readers who trust the TOC. The TOC is now 1:1 with the documented API: delete, update, request, deleteVersions, undeleteVersions, destroyVersions, readMetadata and deleteMetadata each got a full API entry (anchor, description, kind, normalized parameter table) in the existing jsdoc2md style, and the per-method return contract is now stated up front: read()/list() resolve to a Lease, every other data-plane method resolves to the raw parsed Vault response body.
  2. CONTRIBUTING.md documents the release as npm publish --provenance --access public and publish.yml already requests id-token: write for OIDC — but the actual publish command never passed --provenance, so no provenance attestation was generated. The workflow now passes --provenance, matching the documented claim.

Note for maintainers (from the issue checklist): please confirm npm trusted publishing / granular token setup for node-vault-client on npmjs.com before the next release — with --provenance the publish now fails loudly if OIDC is unavailable, and the provenance badge on the next published version verifies the end-to-end claim.

Changes

  • README.md
    • API TOC: added the 8 missing instance methods, ordered to match the document
    • new API entries for delete, update, request, deleteVersions, undeleteVersions, destroyVersions, readMetadata, deleteMetadata
    • added a Return contract note (Lease vs raw parsed body) after the TOC
    • added the missing <a name="VaultClient+fillNodeConfig"></a> anchor the TOC already linked to
    • constructor options table: added api.kv.autoDetect / api.engines rows (cross-linked to the KV v2 section); fixed the options.logger row (stray extra cell, wrong default) and the missing string type on write()'s path param
    • AWS IAM example: moved namespace to its canonical api.namespace location (auth.config.namespace remains documented as the legacy fallback)
  • .github/workflows/publish.yml: npm publish --access publicnpm publish --provenance --access public (the job already has permissions: id-token: write)

Type of change

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • CI / tooling

Checklist

  • Tests added or updated — n/a, docs + workflow flag only
  • npm run lint && npm test passes locally (lint clean; test:unit 255 passing)
  • User-facing changes recorded under # Unreleased in CHANGELOG.md — n/a, no package behavior change
  • All commits have a Signed-off-by: trailer (git commit -s)

Verification

  • All 42 in-page README fragment links checked programmatically against explicit <a name> anchors and GitHub heading slugs — all resolve
  • publish.yml validated with python3 -c "import yaml; yaml.safe_load(...)"

…provenance

The README API TOC listed only 5 of the 13 documented instance methods
(fillNodeConfig, read, list, write, close), hiding the whole KV v2 and
metadata surface. Add delete, update, request, deleteVersions,
undeleteVersions, destroyVersions, readMetadata and deleteMetadata to
the TOC and give each a full API entry (anchor, description, kind and a
normalized parameter table) in the existing jsdoc2md style.

Also in the README:
- state the per-method return contract up front: read/list resolve to a
  Lease, every other data-plane method resolves to the raw parsed Vault
  response body
- add the missing <a name="VaultClient+fillNodeConfig"></a> anchor the
  TOC already pointed at
- add api.kv.autoDetect and api.engines rows to the constructor options
  table, cross-linked to the KV v2 section
- fix the options.logger row (stray table cell, wrong default) and the
  missing type on write()'s path parameter
- move the namespace option in the AWS IAM example to its canonical
  api.namespace location (auth.config.namespace stays a legacy fallback)

publish.yml: CONTRIBUTING.md documents the release as running
'npm publish --provenance --access public' and the publish job already
requests id-token: write for OIDC, but the actual command never passed
--provenance, so no provenance attestation was generated. Add the flag
so the workflow matches the documented supply-chain claim.

Fixes #109

Signed-off-by: Yuriy R <22548029+kurok@users.noreply.github.com>
@kurok kurok requested review from m2broth and wRLSS as code owners July 2, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Docs: README API TOC lists 5 of 13 methods; publish workflow lacks the --provenance CONTRIBUTING claims

1 participant