diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 5988852..d624c77 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,12 @@ name: ci
 
 on:
   push:
-    branches: [main]
+    branches: [master]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0dc2f4f..570ddb9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,9 +9,14 @@ permissions:
   contents: write   # to create the GitHub Release
   id-token: write   # OIDC token used by npm trusted publishing
 
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: npm-publish
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -33,7 +38,7 @@ jobs:
       # OIDC trusted publishing requires npm >= 11.5.1. Invoke via npx
       # so we always get a recent enough CLI without mutating the
       # global npm install on the runner.
-      - run: npx -y npm@latest publish --access public
+      - run: npx -y npm@latest publish --access public --provenance
       - uses: softprops/action-gh-release@v3
         with:
           generate_release_notes: true
diff --git a/AGENTS.md b/AGENTS.md
index 5e07939..de99eeb 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -110,3 +110,22 @@ chars. When adding entries to `permission.bash`:
 - Telemetry, network calls beyond declared `@fetch` URLs.
 - A second prompt UI library. The current `src/ui.ts` handles it.
 - Backups under `~/.config/opencode/`; they belong in the cache dir.
+
+## package.json — supply-chain hygiene
+
+Do NOT add any of the following without an explicit human review:
+
+- An `optionalDependencies` block, or a `dependencies` entry using a
+  `git+`, `http(s):`, `file:`, or tarball specifier. The May 2026
+  TanStack worm shipped its payload via exactly this shape.
+- A `prepare`, `preinstall`, `postinstall`, or other install-time
+  lifecycle script. This package's only lifecycle scripts are
+  `prepare`/`prepublishOnly` running `tsc`; don't broaden them.
+- Floating version ranges (`^`, `~`, `*`, `latest`) in `dependencies`
+  or `devDependencies`. Pin exact versions so `package-lock.json` is
+  the only source of truth.
+- New runtime dependencies in general — see "Code conventions" above.
+
+The `npm publish` step must pass `--provenance` so the published
+tarball carries SLSA build attestation verifiable via
+`npm audit signatures`.