feat(cli): add multi-platform npm release foundation

.github/workflows/codra-cli-release.yml

@@ -0,0 +1,132 @@
+name: Codra CLI release
+
+on:
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: Publish @codra/cli to npm (requires NPM_TOKEN secret)
+        type: boolean
+        default: false
+
+jobs:
+  build-binaries:
+    name: build ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: linux-x64
+            os: ubuntu-latest
+            artifact: codra-linux-x64
+            bin_name: codra
+          - target: linux-arm64
+            os: ubuntu-24.04-arm
+            artifact: codra-linux-arm64
+            bin_name: codra
+          - target: darwin-x64
+            os: macos-13
+            artifact: codra-darwin-x64
+            bin_name: codra
+          - target: darwin-arm64
+            os: macos-14
+            artifact: codra-darwin-arm64
+            bin_name: codra
+          - target: win32-x64
+            os: windows-latest
+            artifact: codra-win32-x64.exe
+            bin_name: codra.exe
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Build codra-cli release binary
+        run: cargo build -p codra-cli --release
+
+      - name: Stage platform artifact (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          install -m 755 target/release/${{ matrix.bin_name }} "${{ matrix.artifact }}"
+
+      - name: Stage platform artifact (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          Copy-Item target/release/${{ matrix.bin_name }} -Destination ${{ matrix.artifact }}
+
+      - name: Upload platform artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.artifact }}
+          path: ${{ matrix.artifact }}
+          if-no-files-found: error
+
+  package-npm:
+    name: Package @codra/cli npm tarball
+    needs: build-binaries
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Download release binaries
+        uses: actions/download-artifact@v4
+        with:
+          path: packages/codra-npm-cli/artifacts
+          pattern: codra-*
+          merge-multiple: true
+
+      - name: Package native binaries from artifacts
+        working-directory: packages/codra-npm-cli
+        env:
+          CODRA_USE_ARTIFACTS: '1'
+          CODRA_ARTIFACTS_DIR: ${{ github.workspace }}/packages/codra-npm-cli/artifacts
+        run: npm run build:from-artifacts
+
+      - name: Test npm wrapper
+        working-directory: packages/codra-npm-cli
+        run: npm test
+
+      - name: Validate npm pack contents
+        working-directory: packages/codra-npm-cli
+        env:
+          CODRA_EXPECT_ALL_PLATFORMS: '1'
+        run: npm run pack:dry
+
+      - name: Build npm tarball (no publish)
+        working-directory: packages/codra-npm-cli
+        env:
+          CODRA_USE_ARTIFACTS: '1'
+          CODRA_ARTIFACTS_DIR: ${{ github.workspace }}/packages/codra-npm-cli/artifacts
+        run: npm pack
+
+      - name: Upload npm tarball artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codra-cli-npm-tarball
+          path: packages/codra-npm-cli/codra-cli-*.tgz
+          if-no-files-found: error
+
+      - name: Publish to npm (guarded)
+        if: inputs.publish == true
+        working-directory: packages/codra-npm-cli
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          CODRA_USE_ARTIFACTS: '1'
+          CODRA_ARTIFACTS_DIR: ${{ github.workspace }}/packages/codra-npm-cli/artifacts
+        run: |
+          if [ -z "$NODE_AUTH_TOKEN" ]; then
+            echo "NPM_TOKEN secret is required when publish=true"
+            exit 1
+          fi
+          npm publish --access public

README.md

@@ -112,7 +112,7 @@ npm install -g @codra/cli   # coming soon
 codra run --task summarize-context --jsonl
 ```
 
-The [`@codra/cli`](packages/codra-npm-cli/) package is a thin Node wrapper that spawns the native `codra` binary built from `codra-cli`. Local `npm run build` packages only the current platform binary; multi-platform npm releases need a release workflow (see [packages/codra-npm-cli/README.md](packages/codra-npm-cli/README.md)).
+The [`@codra/cli`](packages/codra-npm-cli/) package is a thin Node wrapper that spawns the native `codra` binary built from `codra-cli`. Multi-platform npm distribution is in progress (linux/macOS/Windows targets); a manual [release workflow](.github/workflows/codra-cli-release.yml) packages all platform binaries before publish (see [packages/codra-npm-cli/README.md](packages/codra-npm-cli/README.md)).
 
 ## Roadmap
 

packages/codra-npm-cli/.gitignore

@@ -1 +1,2 @@
-bin/native/
+bin/native/
+artifacts/

packages/codra-npm-cli/README.md

@@ -13,7 +13,19 @@ codra --help
 
 Until the package is published, use [local development](#local-development) below.
 
-## Local development
+## Supported platforms
+
+| Platform key | npm binary path | CI artifact name |
+|--------------|-----------------|------------------|
+| `linux-x64` | `bin/native/linux-x64/codra` | `codra-linux-x64` |
+| `linux-arm64` | `bin/native/linux-arm64/codra` | `codra-linux-arm64` |
+| `darwin-x64` | `bin/native/darwin-x64/codra` | `codra-darwin-x64` |
+| `darwin-arm64` | `bin/native/darwin-arm64/codra` | `codra-darwin-arm64` |
+| `win32-x64` | `bin/native/win32-x64/codra.exe` | `codra-win32-x64.exe` |
+
+Optional per-platform npm packages may be added later if tarball size becomes too large. For now, all targets ship in `@codra/cli`.
+
+## Local development (current host only)
 
 ```bash
 cd packages/codra-npm-cli
@@ -23,43 +35,62 @@ node bin/codra.js run --task summarize-context --jsonl
 npm test
 ```
 
-`npm run build` runs `cargo build -p codra-cli --release` and copies the release binary into `bin/native/<platform>-<arch>/` for **the current machine only** (for example `linux-arm64` on this host).
+`npm run build` runs `cargo build -p codra-cli --release` and copies the binary into `bin/native/<current-platform>-<arch>/` only.
 
-## Current limitation
+## Multi-platform release (artifacts)
 
-- A local `npm run build` packages **only the current platform/arch** binary.
-- `npm pack` / `npm publish` run `prepack`, which rebuilds and copies that same host binary into the tarball.
-- End users on other platforms will see a clear error until release-built binaries for their OS/arch are included.
-- Real public npm publishing needs release-built binaries for each supported target (see [Multi-platform release plan](#multi-platform-release-plan)).
+Release maintainers build per-platform binaries in CI, then package them into one npm tarball.
 
-This package does **not** ship multi-platform binaries today.
+### Artifact naming
 
-## Publishing checklist
+Place prebuilt files in `packages/codra-npm-cli/artifacts/` (or set `CODRA_ARTIFACTS_DIR`):
 
-When ready to publish (maintainers only):
+```
+artifacts/codra-linux-x64
+artifacts/codra-linux-arm64
+artifacts/codra-darwin-x64
+artifacts/codra-darwin-arm64
+artifacts/codra-win32-x64.exe
+```
 
-1. `npm login`
-2. `npm run build` — release Rust binary for this host
-3. `npm test`
-4. `npm run pack:dry` — verify tarball contents (runs `prepack` + dry-run checks)
-5. Confirm tarball includes `README.md`, `package.json`, `bin/codra.js`, and `bin/native/<platform>-<arch>/codra` only
-6. `npm publish --access public`
+Package into `bin/native/`:
+
+```bash
+npm run build:from-artifacts
+```
+
+- Fails if any artifact is missing (default).
+- Set `CODRA_ALLOW_PARTIAL_BINARIES=1` to package only available artifacts (local testing).
+
+### Manual GitHub Actions release
+
+Workflow: [`.github/workflows/codra-cli-release.yml`](../../.github/workflows/codra-cli-release.yml)
+
+- Trigger: **workflow_dispatch** only (not automatic on push).
+- Builds matrix: linux-x64, linux-arm64, darwin-x64, darwin-arm64, win32-x64.
+- Job `package-npm`: downloads artifacts, runs `build:from-artifacts`, `npm test`, `npm pack`, uploads tarball.
+- **npm publish is disabled by default.** Set workflow input `publish: true` and configure `NPM_TOKEN` secret to publish.
 
-Do not publish until multi-platform release binaries are available for your intended audience, unless you are intentionally shipping a single-platform preview.
+## Local vs release packaging
 
-## Multi-platform release plan
+| Flow | Command | Result |
+|------|---------|--------|
+| Local dev | `npm run build` | Current host binary only |
+| Release | `npm run build:from-artifacts` | All artifacts → `bin/native/*` |
+| `npm pack` / `npm publish` | `prepack` | Uses artifacts if present, else host `build` |
 
-Future release workflow should build and bundle:
+## Publishing checklist
 
-| Target | Binary path |
-|--------|-------------|
-| `linux-x64` | `bin/native/linux-x64/codra` |
-| `linux-arm64` | `bin/native/linux-arm64/codra` |
-| `darwin-x64` | `bin/native/darwin-x64/codra` |
-| `darwin-arm64` | `bin/native/darwin-arm64/codra` |
-| `win32-x64` | `bin/native/win32-x64/codra.exe` |
+When ready to publish (maintainers only):
 
-Automation (GitHub Actions or similar) is not implemented yet.
+1. Run **Codra CLI release** workflow (or supply all artifacts locally).
+2. `npm login` (only if publishing manually).
+3. `npm test`
+4. `CODRA_EXPECT_ALL_PLATFORMS=1 npm run pack:dry`
+5. Verify tarball lists all five `bin/native/<platform>/` binaries.
+6. Publish via workflow with `publish: true` **or** `npm publish --access public` (guarded).
+
+Do not publish until all target binaries are included unless intentionally shipping a preview.
 
 ## Supported commands
 
@@ -71,8 +102,6 @@ codra run --task explain-issue --jsonl
 codra run --task summarize-context --jsonl
 ```
 
-Invalid tasks exit non-zero. With `--jsonl`, failures emit `codra.run.failed`.
-
 ## GitHub context (optional)
 
 | Variable | Purpose |
@@ -87,7 +116,7 @@ Invalid tasks exit non-zero. With `--jsonl`, failures emit `codra.run.failed`.
 
 - No AI provider API calls in this CLI layer yet.
 - Does not print `GITHUB_TOKEN` or other secrets in output.
-- Local-first CLI foundation; wraps the existing Rust binary unchanged.
+- Wraps the existing Rust binary unchanged.
 
 ## License