package-registry

Documentation guidance for projects published to npm and PyPI package registries. Covers metadata fields that affect registry pages, README cross-renderer compatibility, trusted publishing, provenance badges, and audit checks. Use when a project has package.json or pyproject.toml and is published publicly.

Best use case

package-registry is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Documentation guidance for projects published to npm and PyPI package registries. Covers metadata fields that affect registry pages, README cross-renderer compatibility, trusted publishing, provenance badges, and audit checks. Use when a project has package.json or pyproject.toml and is published publicly.

Teams using package-registry should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/package-registry/SKILL.md --create-dirs "https://raw.githubusercontent.com/littlebearapps/pitchdocs/main/.claude/skills/package-registry/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/package-registry/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How package-registry Compares

Feature / Agentpackage-registryStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Documentation guidance for projects published to npm and PyPI package registries. Covers metadata fields that affect registry pages, README cross-renderer compatibility, trusted publishing, provenance badges, and audit checks. Use when a project has package.json or pyproject.toml and is published publicly.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Package Registry Documentation Guidance

## When This Applies

These checks are **conditional** — only run when the project is published to a package registry.

| File Present | Registry | Action |
|-------------|----------|--------|
| `package.json` | npm (npmjs.com) | Check npm metadata fields, badge templates |
| `pyproject.toml` | PyPI (pypi.org) | Check PyPI metadata fields, Markdown compatibility |
| Both | npm + PyPI | Check both; cross-renderer compatibility is critical |

Detection:
```bash
[ -f "package.json" ] && echo "npm project detected"
[ -f "pyproject.toml" ] && echo "PyPI project detected"
```

## npm Registry Metadata

The README displayed on npmjs.com comes from the **published tarball**, not live from GitHub. Changes to your README on GitHub do not update the npm page until you publish a new version.

See `SKILL-reference.md` for the full `package.json` field table and always-included files list.

## PyPI Registry Metadata

See `SKILL-reference.md` for the full `pyproject.toml` field table, well-known URL labels, and PEP 639 SPDX licence guidance.

### Verified vs Unverified Details

PyPI's sidebar splits project information into two sections:
- **Verified details** (green checkmark): URLs verified through Trusted Publisher. GitHub statistics (stars, forks) only shown here.
- **Unverified details**: URLs and metadata that cannot be automatically verified.

Configuring a Trusted Publisher automatically verifies the repository URL.

## README Cross-Renderer Compatibility

READMEs render on multiple platforms. What works on GitHub may break on npm or PyPI.

| Markdown Feature | GitHub | npm | PyPI | Workaround |
|-----------------|--------|-----|------|------------|
| Heading anchors (`#section`) | Yes | Yes | **No** | Use full URLs to GitHub README |
| Relative images (`./docs/img.png`) | Yes | **No** | **No** | Use absolute `raw.githubusercontent.com` URLs |
| GitHub callouts (`[!NOTE]`) | Yes | **No** | **No** | Use bold text or blockquotes |
| `<details>`/`<summary>` | Yes | Yes | **Unreliable** | Avoid for critical content |
| `colspan`/`rowspan` in tables | Partial | Partial | **No** | Use simpler table structures |
| `<div align="center">` | Yes | Yes | **No** | Acceptable loss; PyPI strips most HTML alignment |
| Mermaid diagrams | Yes | **No** | **No** | Use pre-rendered SVG/PNG images |
| Task lists (`- [ ]`) | Yes | Yes | **No** | Use bullet lists with emoji checkmarks |
| Footnotes | Yes | **No** | **No** | Use inline parenthetical notes |

### Key Rules for Multi-Renderer READMEs

1. **Always use absolute URLs for images** — relative paths break on both npm and PyPI
2. **Avoid GitHub-specific callouts** (`[!NOTE]`, `[!WARNING]`) — plain text elsewhere
3. **Avoid heading anchor links** if PyPI rendering matters — broken on PyPI
4. **Avoid `<details>`/`<summary>`** for critical content — unreliable on PyPI
5. **Test before publishing**: `twine check dist/*` validates PyPI README rendering

### Solving GitHub vs PyPI Differences

For Python projects needing optimised READMEs on both platforms, consider `hatch-fancy-pypi-readme`:
- Assembles PyPI READMEs from fragments
- Runs regex substitutions to transform GitHub-specific content
- Converts relative links to absolute links

## Trusted Publishing and Provenance

This section covers documentation-relevant aspects. The plugin does NOT create publish workflows (that's DevOps).

### npm Trusted Publishing

- **OIDC trusted publishing went GA July 2025** — replaces long-lived tokens entirely
- Classic tokens permanently revoked December 2025; granular tokens max 90 days
- Publishing with `--provenance` flag adds a **Sigstore badge** on npmjs.com linking to the exact source commit and build workflow
- Requires `id-token: write` permission in GitHub Actions
- `repository.url` in package.json must exactly match the GitHub repo URL (case-sensitive)

### PyPI Trusted Publishing

- **Trusted Publisher since April 2023** — first major registry to support OIDC
- **Digital attestations (PEP 740) since November 2024** — Sigstore signing for package files
- "Verified details" sidebar badge appears automatically when trusted publisher is configured
- Repository URL in `[project.urls]` must match the GitHub repo for verification
- `pypa/gh-action-pypi-publish` handles publishing when configured as a trusted publisher

### What to Audit (Not Configure)

- Check if `repository.url` (npm) or `[project.urls].Repository` (PyPI) matches the actual GitHub repo URL
- Flag opportunity to add provenance/attestation badges to README if not present
- Link to trusted publishing setup docs in audit output

## Registry-Specific Badges

See `SKILL-reference.md` for npm and PyPI badge templates and recommended badge order.

## Audit Checklist

See `SKILL-reference.md` for the full npm and PyPI audit checklists.

Related Skills

pitchdocs

5
from littlebearapps/pitchdocs

Generate marketing-quality repository documentation from codebase analysis. Scans 10 signal categories, extracts features with file-level evidence, and produces README, CHANGELOG, ROADMAP, and 15+ more docs. Zero runtime dependencies. For AI context file management, see ContextDocs.

visual-standards

5
from littlebearapps/pitchdocs

Visual formatting standards for repository documentation — emoji heading prefixes, horizontal rules, TOC anchors, callouts, screenshots (device dimensions, HTML patterns, captions, shadows), and image optimisation. Load when generating READMEs with visual elements or working with screenshots.

user-guides

5
from littlebearapps/pitchdocs

Generates task-oriented user guides and how-to documentation for a repository. Creates docs/guides/ with step-by-step instructions for common workflows, integrations, and advanced usage. Links guides into README.md and CONTRIBUTING.md. Use when a project needs user-facing how-to documentation beyond the README quickstart.

roadmap

5
from littlebearapps/pitchdocs

Generates ROADMAP.md from project milestones, issues, and boards (GitHub, GitLab, or Bitbucket). Structures content with mission statement, current milestone progress, upcoming milestones, and community involvement section. Use when creating or updating a project roadmap.

public-readme

5
from littlebearapps/pitchdocs

Generates READMEs with the Daytona/Banesullivan marketing framework — hero section, benefit-driven features, quickstart, comparison tables, and compelling CTAs. Produces docs that sell as well as they inform. Use when creating or overhauling a project README.

platform-profiles

5
from littlebearapps/pitchdocs

Platform-specific equivalents for GitLab and Bitbucket when generating repository documentation. Lookup tables for file paths, badges, Markdown rendering, CI/CD, and CLI tools. Load this skill when working on non-GitHub repos or generating cross-platform docs.

pitchdocs-suite

5
from littlebearapps/pitchdocs

One-command generation and audit of the full public repository documentation set — README, CHANGELOG, ROADMAP, CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, issue templates, PR template, and discussion templates. Use when setting up a new repo or auditing an existing one.

llms-txt

5
from littlebearapps/pitchdocs

Generates llms.txt and llms-full.txt files following the llmstxt.org specification. Provides LLM-friendly content curation for AI coding assistants (Cursor, Windsurf, Claude Code) and AI search engines. Use when generating or updating llms.txt for a repository.

launch-artifacts

5
from littlebearapps/pitchdocs

Transforms README and CHANGELOG into platform-specific launch content — Dev.to articles, Hacker News posts, Reddit posts, Twitter/X threads, and awesome list submission PRs. Keeps promotion tethered to code artifacts, not generic marketing. Use when launching or announcing a project release.

geo-optimisation

5
from littlebearapps/pitchdocs

Generative Engine Optimisation (GEO) patterns for documentation that surfaces correctly in AI-generated answers — citation capsules, crisp definitions, atomic sections, comparison tables, statistics, and semantic scaffolding. Load when optimising docs for AI citation (ChatGPT, Perplexity, Google AI Overviews, Claude).

feature-benefits

5
from littlebearapps/pitchdocs

Systematic codebase scanning for features and evidence-based feature-to-benefit translation. Extracts what a project does from its code and translates it into what users gain — generates features and benefits sections, "Why [Project]?" content, and feature audit reports. Use when writing a features table for a README, extracting features from code, auditing feature coverage, or answering "why should someone use this project?".

docs-verify

5
from littlebearapps/pitchdocs

Validates documentation quality and freshness — checks for broken links, stale content, llms.txt sync, image issues, heading hierarchy, and badge URLs. Runs locally or in CI. Use to catch documentation decay before it reaches users.