fix: address all 37 PR review comments from Greptile + CodeRabbit

Batch fix for every actionable review comment on PR #478:

release.yml hardening:
- Version mismatch now exits 1 (was warning-only) — prevents releasing
  with wrong version in VERSIONS file
- Removed `|| true` from Kotlin gradle build + Web npm pack — build
  failures now properly fail the release
- Publish job requires iOS/Android/Web native builds to succeed (was
  `always()` which created releases with missing artifacts)
- Release created as draft (engineer manually publishes after verify)

package-sdk.sh (Kotlin, Swift, RN):
- Clean staging dir (`rm -rf`) before copying natives when --natives-from
  given — prevents stale .so/.xcframework from prior runs leaking in
- validate-artifact.sh failures propagated in CI mode (no `|| true`);
  local mode stays tolerant

sync-versions.sh:
- bump_json_version anchored to `^  "version":` (2-space indent) so it
  only matches the top-level version field, not nested ones in
  peerDependenciesMeta/overrides/resolutions

.gitleaksbaseline:
- Redacted Match field which contained real API key suffixes — now shows
  `REDACTED (rule-name)` instead of the actual token body

Other nits:
- AGENTS.md: renamed stale `testLocal` label → `useLocalNatives`
- Root gradle.properties: added `runanywhere.useLocalNatives=false`
  alongside legacy `testLocal` for backwards compat
- Kotlin gradle.properties: kept both `useLocalNatives` and `testLocal`
  lines so build-kotlin.sh's sed rewrites still work

False positive dismissed:
- pr-build.yml "missing done" (CodeRabbit #3084027246) — `done` is at
  line 475, confirmed by 5+ green CI runs of the summary job

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sanchitmonga22

.github/workflows/release.yml

@@ -57,8 +57,9 @@ jobs:
           # VERSIONS file should already be bumped before tag (sync-versions.sh)
           PROJECT_VERSION=$(grep -E '^PROJECT_VERSION=' sdk/runanywhere-commons/VERSIONS | cut -d= -f2 | xargs)
           if [ "$PROJECT_VERSION" != "$V" ]; then
-            echo "::warning::PROJECT_VERSION in VERSIONS is '$PROJECT_VERSION' but releasing '$V'."
-            echo "::warning::Run scripts/sync-versions.sh $V before tagging next time."
+            echo "::error::PROJECT_VERSION in VERSIONS is '$PROJECT_VERSION' but releasing '$V'."
+            echo "::error::Run scripts/sync-versions.sh $V before tagging."
+            exit 1
           fi
 
   # ---------------------------------------------------------------------------
@@ -267,7 +268,7 @@ jobs:
           ls -la sdk/runanywhere-kotlin/src/androidMain/jniLibs/ || true
       - name: Build Kotlin AAR + JAR
         working-directory: sdk/runanywhere-kotlin
-        run: ./gradlew build assembleRelease -x test --no-daemon || true
+        run: ./gradlew build assembleRelease -x test --no-daemon
       - name: Collect Kotlin SDK artifacts
         run: |
           mkdir -p sdk-staging/kotlin
@@ -314,7 +315,7 @@ jobs:
         run: |
           mkdir -p ../../sdk-staging/web
           for pkg in packages/core packages/llamacpp packages/onnx; do
-            (cd "$pkg" && npm pack --pack-destination ../../../../sdk-staging/web/) || true
+            (cd "$pkg" && npm pack --pack-destination ../../../../sdk-staging/web/)
           done
           ls -la ../../sdk-staging/web/ || true
           for f in ../../sdk-staging/web/*.tgz; do
@@ -500,7 +501,15 @@ jobs:
       - native_web
       - sdk_kotlin
       - sdk_web
-    if: always() && needs.validate.result == 'success'
+    if: >-
+      needs.validate.result == 'success' &&
+      needs.native_ios.result == 'success' &&
+      needs.native_android.result == 'success' &&
+      needs.native_linux.result != 'failure' &&
+      needs.native_windows.result != 'failure' &&
+      needs.native_web.result == 'success' &&
+      needs.sdk_kotlin.result != 'failure' &&
+      needs.sdk_web.result != 'failure'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -543,6 +552,7 @@ jobs:
         with:
           tag_name: v${{ needs.validate.outputs.version }}
           name: v${{ needs.validate.outputs.version }}
+          draft: true
           generate_release_notes: true
           files: |
             release-flat/*

.gitleaksbaseline

@@ -21,7 +21,7 @@ This is a cross-platform SDK monorepo. On a Linux cloud VM, the buildable servic
 
 - **Android SDK**: Installed at `/opt/android-sdk`. `ANDROID_HOME` and `JAVA_HOME` are set in `~/.bashrc`.
 - **JDK 17**: Required by Gradle JVM toolchain. Both JDK 17 and JDK 21 are installed.
-- **`testLocal` flag**: Set to `true` in `gradle.properties`. Pass `-Prunanywhere.useLocalNatives=false` to Gradle to avoid needing Android NDK (downloads pre-built JNI libs from GitHub releases instead of building locally).
+- **`useLocalNatives` flag**: Set to `true` in `gradle.properties`. Pass `-Prunanywhere.useLocalNatives=false` to Gradle to avoid needing Android NDK (downloads pre-built JNI libs from GitHub releases instead of building locally).
 - **C++ compiler**: Default clang on this VM lacks `libc++` headers. Use `gcc`/`g++` via `-DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++`.
 - **`local.properties`**: Auto-created at root, `sdk/runanywhere-kotlin/`, and `examples/android/RunAnywhereAI/` with `sdk.dir=/opt/android-sdk`.
 - **pre-commit hooks**: Installed via `pre-commit install`. Requires `git config --unset-all core.hooksPath` first if `core.hooksPath` is set.

AGENTS.md

@@ -10,4 +10,5 @@ org.gradle.configureondemand=true
 kotlin.code.style=official
 # KMP configuration
 kotlin.mpp.applyDefaultHierarchyTemplate=false
+runanywhere.useLocalNatives=false
 runanywhere.testLocal=false

gradle.properties

@@ -65,7 +65,7 @@ bump_line() {
 
 bump_json_version() {
     local file="$1"
-    bump_line "$file" '"version": "[^"]+"' "\"version\": \"${NEW_VERSION}\""
+    bump_line "$file" '^  "version": "[^"]+"' "  \"version\": \"${NEW_VERSION}\""
 }
 
 bump_pubspec_version() {

scripts/sync-versions.sh

@@ -42,6 +42,10 @@ kotlin.mpp.applyDefaultHierarchyTemplate=false
 # =============================================================================
 runanywhere.useLocalNatives=false
 
+# Legacy alias — build-kotlin.sh still rewrites this line via sed.
+# Prefer runanywhere.useLocalNatives above; keep this for backwards compat.
+runanywhere.testLocal=false
+
 # Force rebuild of runanywhere-commons C++ code (default: false)
 # Set to true when you've made changes to C++ source files
 runanywhere.rebuildCommons=false

sdk/runanywhere-kotlin/gradle.properties

@@ -49,6 +49,7 @@ JNI_DIR="${KOTLIN_ROOT}/src/androidMain/jniLibs"
 if [ -n "$NATIVES_FROM" ]; then
     [ -d "$NATIVES_FROM" ] || { echo "ERROR: --natives-from not found: $NATIVES_FROM" >&2; exit 1; }
     echo ">> Staging .so files from $NATIVES_FROM → $JNI_DIR"
+    rm -rf "$JNI_DIR"
     mkdir -p "$JNI_DIR"
     for abi in arm64-v8a armeabi-v7a x86_64 x86; do
         if [ -d "$NATIVES_FROM/$abi" ]; then
@@ -102,5 +103,9 @@ done
 
 if [ -x "${REPO_ROOT}/scripts/validate-artifact.sh" ]; then
     echo ""
-    "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.aar "$DIST_DIR"/*.jar 2>/dev/null || true
+    if [ "$RAC_BUILD_MODE" = "ci" ]; then
+        "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.aar "$DIST_DIR"/*.jar 2>/dev/null
+    else
+        "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.aar "$DIST_DIR"/*.jar 2>/dev/null || true
+    fi
 fi

sdk/runanywhere-kotlin/scripts/package-sdk.sh

@@ -45,6 +45,7 @@ if [ -n "$NATIVES_FROM" ]; then
     for pkg_dir in "$RN_ROOT/packages"/*/; do
         pkg=$(basename "$pkg_dir")
         android_jni="$pkg_dir/android/src/main/jniLibs"
+        rm -rf "$android_jni" "$pkg_dir/ios/Frameworks"
         for abi in arm64-v8a armeabi-v7a x86_64 x86; do
             if [ -d "$NATIVES_FROM/$abi" ]; then
                 mkdir -p "$android_jni/$abi"
@@ -120,5 +121,9 @@ done
 
 if [ -x "${REPO_ROOT}/scripts/validate-artifact.sh" ]; then
     echo ""
-    "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.tgz 2>/dev/null || true
+    if [ "$RAC_BUILD_MODE" = "ci" ]; then
+        "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.tgz 2>/dev/null
+    else
+        "${REPO_ROOT}/scripts/validate-artifact.sh" "$DIST_DIR"/*.tgz 2>/dev/null || true
+    fi
 fi

sdk/runanywhere-react-native/scripts/package-sdk.sh

@@ -51,6 +51,7 @@ if [ -n "$NATIVES_FROM" ] && [ "$NATIVES_FROM" != "$BINARIES_DIR" ]; then
         exit 1
     fi
     echo ">> Staging XCFrameworks from $NATIVES_FROM → $BINARIES_DIR"
+    rm -rf "$BINARIES_DIR"
     mkdir -p "$BINARIES_DIR"
     # Handle both loose xcframeworks and zipped ones
     find "$NATIVES_FROM" -maxdepth 3 -name "*.xcframework" -type d -exec cp -R {} "$BINARIES_DIR/" \; 2>/dev/null || true