ci: add CI/release workflows and npm binary distribution

Author: bytesoverflow

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - run: go vet ./...
+
+      - run: make test
+
+      - run: make build

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release (e.g. v0.45.4)"
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      VERSION: ${{ inputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - run: make dist
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Publish to npm
+        working-directory: npm
+        run: |
+          SEMVER="${VERSION#v}"
+          npm version "$SEMVER" --no-git-tag-version
+          if [[ "$SEMVER" == *-* ]]; then
+            npm publish --provenance --access public --tag next
+          else
+            npm publish --provenance --access public
+          fi
+
+      - name: Create and push tag
+        run: |
+          git tag "$VERSION"
+          git push origin "$VERSION"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ inputs.version }}
+          generate_release_notes: true
+          files: |
+            dist/intercept-*.tar.gz
+            dist/intercept-*.zip
+            dist/checksums.txt

.gitignore

@@ -1,3 +1,3 @@
 .claude
-intercept
+/intercept
 dist/

Makefile

@@ -8,7 +8,7 @@ HOSTARCH = $(shell go env GOARCH)
 
 PLATFORMS = linux-amd64 linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 windows-arm64
 
-.PHONY: build all clean test lint $(PLATFORMS)
+.PHONY: build all dist clean test lint $(PLATFORMS)
 
 build:
 	CGO_ENABLED=0 GOOS=$(HOSTOS) GOARCH=$(HOSTARCH) \
@@ -27,6 +27,19 @@ endef
 
 $(foreach platform,$(PLATFORMS),$(eval $(call build-platform,$(platform))))
 
+dist: all
+	@for dir in dist/*/; do \
+		name=$$(basename $$dir); \
+		os=$$(echo $$name | cut -d_ -f1); \
+		arch=$$(echo $$name | cut -d_ -f2); \
+		if [ "$$os" = "windows" ]; then \
+			(cd $$dir && zip -q ../../dist/intercept-$$os-$$arch.zip *); \
+		else \
+			tar -czf dist/intercept-$$os-$$arch.tar.gz -C $$dir .; \
+		fi \
+	done
+	@cd dist && sha256sum intercept-*.tar.gz intercept-*.zip > checksums.txt
+
 clean:
 	rm -rf dist/
 

README.md

@@ -20,10 +20,22 @@ Intercept is a transparent proxy that sits between an AI agent and an MCP (Model
 
 ## Install
 
+**npm:**
+
+```sh
+npm install -g @policylayer/intercept
+```
+
+**Go:**
+
 ```sh
 go install github.com/policylayer/intercept@latest
 ```
 
+**Pre-built binaries:**
+
+Download from [GitHub Releases](https://github.com/policylayer/intercept/releases) and place the binary on your PATH.
+
 ## Quick start
 
 **1. Generate a policy scaffold from a running MCP server:**

npm/bin/intercept

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+BINARY="$SCRIPT_DIR/intercept"
+
+if [ "$(uname -o 2>/dev/null)" = "Msys" ] || [ "$(uname -o 2>/dev/null)" = "Cygwin" ]; then
+  BINARY="$SCRIPT_DIR/intercept.exe"
+fi
+
+if [ ! -f "$BINARY" ] || [ "$BINARY" = "$0" ]; then
+  echo "Error: intercept binary not found. Run 'npm install' or 'node install.js' first." >&2
+  exit 1
+fi
+
+exec "$BINARY" "$@"

npm/install.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+"use strict";
+
+const https = require("https");
+const http = require("http");
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+const PLATFORM_MAP = {
+  linux: "linux",
+  darwin: "darwin",
+  win32: "windows",
+};
+
+const ARCH_MAP = {
+  x64: "amd64",
+  arm64: "arm64",
+};
+
+function getPackageVersion() {
+  const pkg = JSON.parse(
+    fs.readFileSync(path.join(__dirname, "package.json"), "utf8")
+  );
+  return pkg.version;
+}
+
+function getDownloadUrl(version, os, arch) {
+  const ext = os === "windows" ? "zip" : "tar.gz";
+  return `https://github.com/policylayer/intercept/releases/download/v${version}/intercept-${os}-${arch}.${ext}`;
+}
+
+function fetch(url, redirects = 0) {
+  return new Promise((resolve, reject) => {
+    if (redirects > 10) {
+      return reject(new Error("Too many redirects"));
+    }
+    const client = url.startsWith("https") ? https : http;
+    client
+      .get(url, { headers: { "User-Agent": "policylayer-intercept-npm" } }, (res) => {
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          return fetch(res.headers.location, redirects + 1).then(resolve, reject);
+        }
+        if (res.statusCode !== 200) {
+          return reject(new Error(`Download failed: HTTP ${res.statusCode} from ${url}`));
+        }
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => resolve(Buffer.concat(chunks)));
+        res.on("error", reject);
+      })
+      .on("error", reject);
+  });
+}
+
+function extractTarGz(buffer, destDir) {
+  const tmpFile = path.join(destDir, "_tmp.tar.gz");
+  fs.writeFileSync(tmpFile, buffer);
+  try {
+    execSync(`tar -xzf "${tmpFile}" -C "${destDir}"`, { stdio: "ignore" });
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+function extractZip(buffer, destDir) {
+  const tmpFile = path.join(destDir, "_tmp.zip");
+  fs.writeFileSync(tmpFile, buffer);
+  try {
+    // PowerShell is available on all supported Windows versions
+    execSync(
+      `powershell -NoProfile -Command "Expand-Archive -Force '${tmpFile}' '${destDir}'"`,
+      { stdio: "ignore" }
+    );
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+async function main() {
+  const platform = PLATFORM_MAP[process.platform];
+  const arch = ARCH_MAP[process.arch];
+
+  if (!platform || !arch) {
+    console.error(
+      `Unsupported platform: ${process.platform}-${process.arch}`
+    );
+    process.exit(1);
+  }
+
+  const version = getPackageVersion();
+  if (version === "0.0.0") {
+    console.error(
+      "Package version is 0.0.0. Binary download is only available for published releases."
+    );
+    process.exit(1);
+  }
+
+  const url = getDownloadUrl(version, platform, arch);
+  const binDir = path.join(__dirname, "bin");
+  const binaryName = platform === "windows" ? "intercept.exe" : "intercept";
+  const binaryPath = path.join(binDir, binaryName);
+
+  console.log(`Downloading intercept v${version} for ${platform}/${arch}...`);
+
+  try {
+    const buffer = await fetch(url);
+
+    fs.mkdirSync(binDir, { recursive: true });
+
+    if (platform === "windows") {
+      extractZip(buffer, binDir);
+    } else {
+      extractTarGz(buffer, binDir);
+    }
+
+    fs.chmodSync(binaryPath, 0o755);
+    console.log(`Installed intercept to ${binaryPath}`);
+  } catch (err) {
+    console.error(`Failed to install intercept: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+main();

npm/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@policylayer/intercept",
+  "version": "0.0.0",
+  "description": "Policy-as-code enforcement for MCP tool calls",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/PolicyLayer/Intercept.git",
+    "directory": "npm"
+  },
+  "homepage": "https://github.com/policylayer/intercept",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "policy",
+    "proxy",
+    "ai",
+    "security",
+    "guardrails"
+  ],
+  "bin": {
+    "intercept": "bin/intercept"
+  },
+  "scripts": {
+    "postinstall": "node install.js"
+  },
+  "os": [
+    "linux",
+    "darwin",
+    "win32"
+  ],
+  "cpu": [
+    "x64",
+    "arm64"
+  ],
+  "files": [
+    "bin/",
+    "install.js"
+  ]
+}