
v0.4.1 — fix scoped-package verify URL


@TheCryptoDonkey TheCryptoDonkey released this 11 Apr 12:49
· 77 commits to main since this release

Patch release. Fixes a scoped-package URL bug in the artefact integrity verify recipe, surfaced during the Phase 3 pilot on @forgesworn/shamir-words. Adds a bats regression test so it cannot silently come back.

What was broken

The verify recipe in the GitHub Release body used the local npm pack filename in the registry URL path. For unscoped packages this worked because the local pack name equals the registry-side name (e.g. nsec-tree-1.5.0.tgz). For scoped packages npm flattens the scope into the local filename with a dash, but the registry serves the tarball at the unscoped basename beneath the scope-namespaced path:

local pack:    scope-pkg-1.0.0.tgz
registry url:  https://registry.npmjs.org/@scope/pkg/-/pkg-1.0.0.tgz

Consumers who copy-pasted the verification recipe from the release body would get a 404 on scoped packages.

Only the URL was wrong. The hashes recorded in the integrity block (sha256 and npm sha512 integrity) were and remain correct, and they still match the registry tarball byte-for-byte. The bug was purely cosmetic for the verification UX, not for the integrity claim itself.

What's fixed

steps/update-release.sh now strips the scope prefix from the package name with ${name##*/} and rebuilds the URL filename as ${basename}-${version}.tgz. For unscoped packages the construction produces the same filename as before, so behaviour for nsec-tree, geohash-kit, and other unscoped consumers is unchanged.

Scoped releases already published with v0.4.0 can have their release body corrected retroactively via gh release edit.

What's new

test/update-release.bats adds four regression tests covering:

The tests use a fake gh on PATH that captures every invocation; assertions are made on both the positive URL (must appear) and the negative URL (the broken form must not appear inside any registry URL).
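The URL construction the fix describes, the local-pack form it replaces, the sha256 check a consumer runs against the recorded digest, and the fake-gh capture pattern the bats suite relies on, as one added shell example. This is not the project's steps/update-release.sh or test/update-release.bats; the function names, the sample package @scope/pkg, and the notes body passed to gh are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the project's update-release.sh or its bats
# suite. Assumed names: registry_tarball_url, local_pack_tarball_url,
# verify_sha256, write_release_notes, install_fake_gh, regression_check.

# Fixed construction (the ${name##*/} rule): "@scope/pkg" -> "pkg",
# "nsec-tree" -> "nsec-tree". The registry serves <name>/-/<basename>-<version>.tgz.
registry_tarball_url() {
  name="$1"; version="$2"
  basename="${name##*/}"
  printf 'https://registry.npmjs.org/%s/-/%s-%s.tgz\n' "$name" "$basename" "$version"
}

# Pre-fix construction, kept for contrast: it reuses the local `npm pack`
# filename, in which npm flattens "@scope/pkg" to "scope-pkg", so the registry
# path is wrong for scoped packages and identical for unscoped ones.
local_pack_tarball_url() {
  name="$1"; version="$2"
  flat="$(printf '%s' "${name#@}" | tr '/' '-')"
  printf 'https://registry.npmjs.org/%s/-/%s-%s.tgz\n' "$name" "$flat" "$version"
}

# The check a consumer runs after downloading: compares the tarball's sha256
# with the hex digest recorded in the release body. Returns 0 only on a match.
verify_sha256() {
  file="$1"; expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi
  [ "$actual" = "$expected" ]
}

# Hypothetical step under test: writes the verify recipe into the release
# notes through gh (constructed notes body, not the project's template).
write_release_notes() {
  tag="$1"; name="$2"; version="$3"
  url="$(registry_tarball_url "$name" "$version")"
  gh release edit "$tag" --notes "curl -fsSLO ${url} && sha256sum -c SHA256SUMS"
}

# Fake gh placed first on PATH, as the bats suite does: it appends every
# invocation's arguments to a log so the test can assert on what would have
# been sent to GitHub without any network call.
install_fake_gh() {
  FAKE_GH_DIR="$(mktemp -d)"
  FAKE_GH_LOG="$FAKE_GH_DIR/gh.log"
  cat > "$FAKE_GH_DIR/gh" <<EOF
#!/bin/sh
printf '%s\n' "\$*" >> "$FAKE_GH_LOG"
EOF
  chmod +x "$FAKE_GH_DIR/gh"
  PATH="$FAKE_GH_DIR:$PATH"; export PATH
}

# Positive and negative assertion for a scoped package: the registry-side URL
# must appear in the captured gh call, the flattened local-pack form must not.
regression_check() {
  install_fake_gh
  write_release_notes v1.0.0 @scope/pkg 1.0.0 || return 1
  grep -q 'registry.npmjs.org/@scope/pkg/-/pkg-1.0.0.tgz' "$FAKE_GH_LOG" || return 1
  if grep -q 'registry.npmjs.org/@scope/pkg/-/scope-pkg-1.0.0.tgz' "$FAKE_GH_LOG"; then
    return 1
  fi
  return 0
}
```

Sourcing the file and running `regression_check` exercises the whole path: the fake gh shadows the real one only for that shell, the log is a plain text file you can inspect on failure, and the negative grep is what keeps the original bug from returning unnoticed if someone reintroduces the local-pack filename.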

Migration

None. Bumping @v0.4.0 to @v0.4.1 is a drop-in replacement. Anyone pinning @v0 already has the fix — the floating tag was moved to the fix commit before this patch release was cut.

Stats

  • 1 file changed (test only); fix commit was already on main
  • 63/63 bats tests pass (4 new)
  • shellcheck clean
  • Phase 1, 2, and 3 pilots complete: nsec-tree (unscoped), geohash-kit (unscoped), @forgesworn/shamir-words (scoped, surfaced this bug)

Full diff: v0.4.0...v0.4.1