From de083ae9c63384d4ab219c297ab4ec1b1d75c0bf Mon Sep 17 00:00:00 2001
From: Jarrod Watts <35651410+jarrodwatts@users.noreply.github.com>
Date: Sun, 4 Jan 2026 22:41:00 +1100
Subject: [PATCH] security: add CI workflow to build dist/ after merge (#12)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* security: add CI workflow to build dist/ after merge

Phase 1 of removing dist/ from PRs to close security attack vector.

Changes:
- Add build-dist.yml workflow that builds and commits dist/ on push to main
- Update CONTRIBUTING.md with build process documentation
- Reset CHANGELOG.md to 0.0.1 (initial release)

After this is verified working, Phase 2 will remove dist/ from git tracking.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: prevent CI re-trigger on dist/ changes

Add paths-ignore for dist/** to ci.yml so CI doesn't re-run when
build-dist workflow commits compiled output. Addresses race condition.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: add concurrency, permissions, and build verification

Address review feedback:
- Add concurrency group to queue builds (prevents race conditions)
- Add explicit contents: write permission
- Add build verification step (test -f dist/index.js)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: run tests before building dist/

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/build-dist.yml | 42 ++++++++++++++++++++++++++++++++
 .github/workflows/ci.yml         |  2 ++
 CHANGELOG.md                     | 19 +++++++--------
 CONTRIBUTING.md                  | 11 +++++++++
 4 files changed, 64 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/build-dist.yml

diff --git a/.github/workflows/build-dist.yml b/.github/workflows/build-dist.yml
new file mode 100644
index 0000000..3337746
--- /dev/null
+++ b/.github/workflows/build-dist.yml
@@ -0,0 +1,42 @@
+name: Build dist
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: build-dist
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[auto]')"
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - run: npm ci
+      - run: npm test
+      - run: npm run build
+
+      - name: Verify build output
+        run: test -f dist/index.js || exit 1
+
+      - name: Commit dist/
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add dist/ --force
+          git diff --staged --quiet || git commit -m "build: compile dist/ [auto]"
+          git push
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6c69da0..03a3fcc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
   push:
     branches: [main]
+    paths-ignore:
+      - 'dist/**'
 
 jobs:
   test:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index efba9fa..9f24c2e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,15 +2,14 @@
 
 All notable changes to Claude HUD will be documented in this file.
 
-## [2.0.0] - 2025-01-02
+## [0.0.1] - 2025-01-04
 
-### Changed
-- Complete rewrite from split-pane TUI to inline statusline
-- New statusline renderer with multi-line output
-- Transcript-driven tool/agent/todo parsing
-- Native context usage from stdin JSON
-
-### Removed
-- Hook-based capture flow
-- Split-pane UI and related components
+Initial release of Claude HUD as a Claude Code statusline plugin.
 
+### Features
+- Real-time context usage monitoring with color-coded progress bar
+- Active tool tracking with completion counts
+- Running agent status with elapsed time
+- Todo progress display
+- Native token data from Claude Code stdin
+- Transcript parsing for tool/agent/todo activity
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e0f2e72..f1a1062 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -28,8 +28,19 @@ See `TESTING.md` for the full testing strategy, fixtures, and snapshot updates.
 - Prefer tests for behavior changes.
 - Avoid introducing dependencies unless necessary.
 
+## Build Process
+
+**Important**: PRs should only modify files in `src/` — do not include changes to `dist/`.
+
+CI automatically builds and commits `dist/` after your PR is merged. This keeps PRs focused on source code and makes review easier.
+
+```
+Your PR: src/ changes only → Merge → CI builds dist/ → Committed automatically
+```
+
 ## Pull Requests
 
 - Describe the problem and the fix.
 - Include tests or explain why they are not needed.
 - Link issues when relevant.
+- Only modify `src/` files — CI handles `dist/` automatically.