chore: bump fs-theme + fs-translation 0.1.1 (provenance attestation)

[Goosterhof]

What

fs-theme and fs-translation are still published only at unattested 0.1.0 (Sapper STALE-3 / QM F-5). They predate the NPM_CONFIG_PROVENANCE workflow hardening, so consumers pinning ^0.1.0 resolve to provenance-unattested releases (verified: npm view ...@0.1.0 dist.attestations returns empty). Provenance is now on 9 of 11 packages; these two are the holdouts.

This is a no-functional-change patch bump that re-publishes both through the now-provenance-enabled OIDC pipeline so the published artifacts ship SLSA attestations.

Changes

• packages/theme/package.json — 0.1.0 → 0.1.1
• packages/translation/package.json — 0.1.0 → 0.1.1
• packages/theme/CHANGELOG.md + packages/translation/CHANGELOG.md — created (sibling packages carry CHANGELOGs; these two did not), dated 2026-06-01, changeset-format ### Patch Changes.
• package-lock.json — version-field sync only (2 lines; verified no unrelated dependency churn leaked into the tracked diff).

No src/ changes. Both are leaf packages (no internal @script-development peers) — pure leaf bumps, no cascade-tax peer-range widening.

⚠️ Merge = Publish

On merge this WILL publish fs-theme@0.1.1 + fs-translation@0.1.1 via the OIDC pipeline — the publish trigger matches packages/theme/package.json + packages/translation/package.json.

Ordering dependency (flagged, not assumed): PR #105 (armorer/oidc-gate-mutation-reporter — narrows the publish trigger to packages/*/package.json + adds the OIDC Environment gate) ideally merges first, so this publish runs through the gated job rather than the current ungated id-token: write surface. Recommend merging #105 before this PR. If #105 is not yet merged at decision time, the publish still works through the current pipeline — the gate is a hardening, not a blocker.

Verification

• npm run build (theme + translation) — clean dual ESM+CJS output.
• lint:pkg (publint + attw) on both bumped manifests — publint "All good! / No problems found 🌟", attw all-green (node10 / node16-CJS / node16-ESM / bundler).
• oxfmt --check on all changed files — clean.

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying fs-packages with    Cloudflare Pages

Latest commit:	3034248
Status:	✅  Deploy successful!
Preview URL:	https://e0e49b9f.fs-packages.pages.dev
Branch Preview URL:	https://engineer-theme-translation-a.fs-packages.pages.dev

View logs

[Goosterhof]

✅ Approve-worthy

0 blockers · 0 concerns · 1 nit · 2 praise

No-functional-change patch bump of fs-theme and fs-translation from 0.1.0 → 0.1.1 to re-publish both through the now-provenance-enabled OIDC pipeline so the artifacts ship SLSA attestations. Diff matches the description exactly: two package.json bumps, two new CHANGELOGs, a two-line lockfile version sync, zero src/ changes. Clean.

Nits

• packages/theme/CHANGELOG.md:3 / packages/translation/CHANGELOG.md:3 — the heading ## 0.1.1 — 2026-06-01 carries an em-dash date, which is not the standard changesets emitted heading (changesets writes ## 0.1.1 and dates nothing). Harmless and arguably more useful, but if a future changeset version run ever touches these files it will not match this hand-authored shape — worth knowing the format is bespoke, not tool-generated.

Praise

• The merge = publish warning is the load-bearing call. The publish trigger does match packages/theme/package.json + packages/translation/package.json, so merge does fire two real npm publishes — surfacing that in the PR body rather than letting it land as a surprise is exactly right.
• The PR #105 ordering dependency is flagged as a recommendation, not assumed — verified #105 is still OPEN, so the gate is not on main yet. Framing it as "merge #105 first for the gated path, but this still publishes through the current pipeline if not" is the honest version: it names the hardening without manufacturing a hard blocker. Merge order is a Commander call, not a code defect.

Automated war-room agent review — posted because this PR carries the Agent Review Requested label.

[jasperboerhof]

PR Reviewer · claimed

• Target: fs-packages
• PR: chore: bump fs-theme + fs-translation 0.1.1 (provenance attestation) #107
• Branch: engineer/theme-translation-attestation
• AC anchor: none
• Worktree: ~/Code/agent-worktrees/fs-packages/review-107

[jasperboerhof]

PR Reviewer · 10/10 · PASS

fs-packages #107 · AC anchor: none
Scores: acceptance SKIP · simplicity 10 · surface 10 · silent-failure – · efficiency –

No findings — all reviewers clean.

Action

merge-ready

[jasperboerhof]

Auto-approved — review verdict is PASS. See the verdict comment for the per-reviewer breakdown.