feat(release): auto-publish npm and PyPI wrappers

Add publish-registries job to release.yml that runs after verify
(release published, VirusTotal table appended). Publishes:

- pkg/npm via 'npm publish --access public --provenance'
- pkg/pypi via 'twine upload' (sdist + wheel from hatchling)

Both wrappers fetch the binary at install time, so a version bump is
the only per-release change needed. Bumped to 0.6.1.

Requires NPM_TOKEN and PYPI_TOKEN repo secrets.

Author: DeusData

.github/workflows/release.yml

@@ -256,3 +256,48 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VERSION: ${{ inputs.version }}
         run: gh release edit "$VERSION" --draft=false --repo "$GITHUB_REPOSITORY"
+
+  # ── 8. Publish package wrappers (npm + PyPI) ──────────────────
+  # Wrappers in pkg/npm and pkg/pypi download the released binary at
+  # install time, so they only need a version bump (already in the repo
+  # at this point) — no per-release sha256 substitution.
+  publish-registries:
+    needs: [verify]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write   # for npm provenance
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # ── npm ──────────────────────────────────────────────────
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v6.4.0
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Publish to npm
+        working-directory: pkg/npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance
+
+      # ── PyPI ─────────────────────────────────────────────────
+      - name: Setup Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.12'
+
+      - name: Build PyPI distribution
+        working-directory: pkg/pypi
+        run: |
+          python -m pip install --upgrade build twine
+          python -m build
+
+      - name: Publish to PyPI
+        working-directory: pkg/pypi
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+        run: twine upload --non-interactive dist/*

pkg/npm/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebase-memory-mcp",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Fast code intelligence engine for AI coding agents — single static binary MCP server",
   "license": "MIT",
   "repository": {

pkg/pypi/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "codebase-memory-mcp"
-version = "0.6.0"
+version = "0.6.1"
 description = "Fast code intelligence engine for AI coding agents — single static binary MCP server"
 readme = "README.md"
 license = { text = "MIT" }