docs: backfill analytics release-readiness files

[bntvllnt]

Summary

• Backfills release-readiness docs for the public @vllnt/analytics package.
• Adds CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, AGENTS.md, llms.txt, and llms-full.txt.
• Leaves package version, package manifest, code, workflows, tags, and publish state unchanged.

Evidence

• Refreshed current remote state safely by cloning origin/main into the task workspace at commit 106d5aa4bc5f2b1db3535359947774605668475e.
• npm evidence checked: latest 0.1.1, canary 0.1.1-canary.106d5aa.
• Local validation run on this branch:
  • git diff --check
  • pnpm lint
  • pnpm exec tsc --noEmit
  • pnpm test:once (119 tests passed)
• Opsec check: docs-only diff; no version bump, no release workflow edits, no tag, no publish, no merge.

Release-review gate

{"branch":"vllnt-oss","tenant":"releases","aor_fit":true,"context_read":true,"evidence_attached":true,"opsec_checked":true,"safe_for_next_step":true,"blocking_findings":[]}

Review requirement

This is release-readiness documentation only. Do not merge, tag, publish, or announce until maintainer review confirms the release-readiness gate and intended docs scope.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[bntvllnt]

Review — 0 findings

Review mode: Production — release-readiness documentation/policy metadata for a public npm package.

BLOCKING

None.

WARN

None.

VERIFIED CLEAN

• Reviewed exact head 92b0fffe939ad0401f914e416f082eec77f9b434 for PR #10.
• Full changed-file coverage: AGENTS.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, llms-full.txt, and llms.txt.
• The diff is docs/policy only: no package manifest/version change, no code change, no workflow change, no tag/publish/merge action.
• Release-readiness claims match current public evidence: npm latest is 0.1.1, npm canary is 0.1.1-canary.106d5aa, and GitHub releases/tags for v0.1.0 and v0.1.1 exist.
• Public docs preserve the package scope and privacy-first posture: consent checks, Do Not Track, SSR safety, and no default external analytics vendor dependency.
• No unsupported release authorization, support promise, private URL, secret/token, customer data, or internal operating mechanics found in the changed files.
• Release-review gate wording correctly keeps publish/tag/announce as separate maintainer actions.

VALIDATION

• GitHub checks at review time: Quality Gates CI passed; CodeQL passed for actions and JavaScript/TypeScript.
• Ran git diff --check origin/main...HEAD successfully.
• Cross-checked docs/package metadata against package.json and public npm/GitHub release state.
• Marked all six changed files viewed.
• Did not rerun pnpm lint, pnpm exec tsc --noEmit, or pnpm test:once locally because this PR is docs-only and the live CI gates for the current head are green.

Approval is recommended, but final approval remains reserved for the maintainer.

[bntvllnt]

Review — 1 finding (1 blocking)

Review mode: Production — release-readiness documentation/policy metadata for a public npm package.

BLOCKING

• C1 — Changelog release dates do not match the published package/release history
  • Evidence: CHANGELOG.md:7 says 0.1.1 was released on 2026-05-18, and CHANGELOG.md:19 says 0.1.0 was released on 2026-05-18. Live package/release evidence for this head shows npm 0.1.1 was published 2026-03-10T17:26:36Z, npm 0.1.0 was published 2026-03-05T20:32:15Z, GitHub release v0.1.1 is dated 2026-03-10, and v0.1.0 is dated 2026-03-05.
  • Why it matters: this PR is specifically backfilling release-readiness files. A public changelog with incorrect release dates is a stale release claim and can mislead consumers/auditors about when versions actually shipped.
  • Fix: update the version headings to the actual release dates (0.1.1 → 2026-03-10, 0.1.0 → 2026-03-05) or explicitly label the May date as the docs backfill date rather than the package release date.

WARN

None.

VERIFIED CLEAN

• Reviewed exact head 92b0fffe939ad0401f914e416f082eec77f9b434 for PR #10.
• Full changed-file coverage: AGENTS.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, llms-full.txt, and llms.txt.
• The diff is docs/policy only: no package manifest/version change, no code change, no workflow change, no tag/publish/merge action.
• Public docs otherwise preserve the package scope and privacy-first posture: consent checks, Do Not Track, SSR safety, and no default external analytics vendor dependency.
• No unsupported release authorization, support promise, private URL, secret/token, customer data, or internal operating mechanics found outside the changelog date issue.
• Release-review gate wording correctly keeps publish/tag/announce as separate maintainer actions.

VALIDATION

• GitHub checks for the current head: CodeQL and Quality Gates are SUCCESS.
• Ran git diff --check origin/main...HEAD successfully.
• Cross-checked package metadata against package.json (0.1.1, pnpm 9.15.4, React peer range, root/react exports).
• Cross-checked release evidence with npm view @vllnt/analytics time/dist-tags/version --json and gh release list --repo vllnt/analytics --limit 10.
• Did not rerun pnpm lint, pnpm exec tsc --noEmit, or pnpm test:once locally because this PR is docs-only and the live CI gates for the current head are green.

Formal REQUEST_CHANGES is not available here because the authenticated reviewer is also the PR author, so this COMMENT review is the request-changes-equivalent blocking review for this head. Approval is not recommended until C1 is fixed; final approval remains reserved for the maintainer.

[bntvllnt]

Blocking: these version headings present May 18 as the release date for both published versions, but the live package/release evidence shows 0.1.1 was published/released on 2026-03-10 and 0.1.0 on 2026-03-05. Because this PR is release-readiness documentation, stale release dates are not a cosmetic nit: they misstate the public release history. Please update the headings to the actual release dates, or explicitly distinguish a docs-backfill date from the package release date.

[bntvllnt]

Review — 0 findings (0 blocking, 0 warn)

Review mode: Production — release-readiness/policy docs for a public npm package.

BLOCKING

• None.

WARN

• None.

VERIFIED CLEAN

• Reviewed the full current-head diff for AGENTS.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, llms.txt, and llms-full.txt at c49aa87c53b98e77fbc7bc2a7038f02d6ad12362.
• The prior release-date metadata blocker is resolved: CHANGELOG.md now lists 0.1.0 as 2026-03-05 and 0.1.1 as 2026-03-10.
• Public evidence matches those dates:
  • npm @vllnt/analytics time metadata: 0.1.0 published 2026-03-05T20:32:15.942Z; 0.1.1 published 2026-03-10T17:26:36.309Z.
  • GitHub Release metadata: v0.1.0 published 2026-03-05T20:29:19Z; v0.1.1 published 2026-03-10T17:26:37Z.
  • Git tag evidence: v0.1.0 points at commit dated 2026-03-05T20:28:34Z; annotated v0.1.1 tag object/tagger date is 2026-03-10T17:26:28Z.
• npm dist-tags match the docs: latest=0.1.1, canary=0.1.1-canary.106d5aa.
• Release-safety language is consistent across the six docs/policy files: no publish/tag/merge/announce/version-bump authorization is introduced, and no secrets/private operating notes were found.

VALIDATION

• PR preflight: open, non-draft, mergeable=MERGEABLE, mergeStateStatus=CLEAN, head verified as c49aa87c53b98e77fbc7bc2a7038f02d6ad12362.
• CI/check status on the current head: Quality Gates, CodeQL, Analyze (actions), and Analyze (javascript-typescript) all passed.
• Local docs hygiene: git diff --check origin/main...HEAD passed.

Approval is recommended for bntvllnt's manual final approval; I am leaving this as a COMMENT review rather than an autonomous APPROVE.