chore: make repo build standalone after extraction from prx

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @bounded-systems/maintainers

.github/workflows/ci.yml

@@ -0,0 +1,42 @@
+name: ci
+
+# Quality gate: build, test, and a JSR publish dry-run on every PR and push to
+# main. Trust is mechanical — the publish path is validated before a release tag
+# is ever cut.
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: 1.3.14
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build (tsc)
+        run: bun run build
+
+      - name: Test
+        run: bun test
+
+      - name: JSR publish dry-run
+        run: bunx jsr publish --dry-run --allow-slow-types

.github/workflows/publish-jsr.yml

@@ -0,0 +1,46 @@
+name: publish-jsr
+
+# Publish @bounded-systems/verbspec to JSR (https://jsr.io) via tokenless OIDC.
+# JSR exchanges the GitHub OIDC token (id-token: write) for publish rights,
+# verified against the package's linked GitHub repo (bounded-systems/verbspec) —
+# no token or secret.
+#
+# Trigger: push a release tag `v<version>` (matching package.json/jsr.json), or
+# run manually via workflow_dispatch.
+#
+# JSR publishes the TypeScript source directly (no dist build). --allow-slow-types
+# keeps parity with the monorepo: a package without explicit public-API types
+# still publishes (lower JSR score, not a hard block).
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+  id-token: write # tokenless JSR publish (OIDC)
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: 1.3.14
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Publish to JSR
+        run: bunx jsr publish --allow-slow-types

.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+dist/
+*.tsbuildinfo

package.json

@@ -51,5 +51,10 @@
   },
   "peerDependencies": {
     "zod": "^3.25.0 || ^4.0.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.14",
+    "typescript": "^6.0.3",
+    "zod": "^4.4.3"
   }
 }

tsconfig.build.json

@@ -1,5 +1,5 @@
 {
-  "extends": "../../tsconfig.json",
+  "extends": "./tsconfig.json",
   "compilerOptions": {
     "noEmit": false,
     "module": "NodeNext",
@@ -12,5 +12,5 @@
     "rootDir": "./src"
   },
   "include": ["src/**/*.ts"],
-  "exclude": ["src/**/__tests__/**"]
+  "exclude": ["src/**/__tests__/**", "**/*.test.ts"]
 }

tsconfig.json

@@ -1,4 +1,18 @@
 {
-  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "exactOptionalPropertyTypes": true,
+    "noUncheckedIndexedAccess": true,
+    "noEmit": true,
+    "allowImportingTsExtensions": true,
+    "resolveJsonModule": true,
+    "verbatimModuleSyntax": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true,
+    "types": ["bun"]
+  },
   "include": ["src/**/*.ts"]
 }