Safety is not a flag.
It is the default path.

The publish path in xnpm is a gauntlet, not a formality. Every step must pass before the real npm publish command is called.

• ✓
  Validates .gitignore and .npmignore Creates .npmignore if absent. Confirms rules are consistent with .gitignore and safe to publish.
• ✓
  Dry-run pack inspection Runs npm pack --dry-run --json and inspects every file that would be included in the package.
• ✓
  Blocks sensitive file patterns .env files, secrets, keys, credentials — detected before they can ship. Publish is blocked until the issue is resolved.
• ✓
  Post-bump re-validation After bumping the version, the pack check runs again on the exact final state. The check is not skipped because it already passed once.

Guaranteed by the publish flow

• ✓
  No publish without a passing pack checkThe dry-run check is not optional and cannot be skipped in the default flow.
• ✓
  No publish if sensitive patterns are detectedThe block is hard. You fix the ignore rules, then run again.
• ✓
  Post-bump check on the final stateThe version bump happens first; the check runs on what will actually ship.

What xnpm does not claim

• —It does not audit the contents of your published files for correctness, only for unwanted inclusions.
• —It does not scan for hardcoded secrets inside your source files — only files that would be packed.
• —It cannot undo a publish — that is an irreversible external effect, logged with full details.