agentfront · frontegg-david · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -35,6 +35,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     environment: release
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      is_prerelease: ${{ steps.version.outputs.is_prerelease }}
+      branch: ${{ steps.context.outputs.branch }}
     env:
       NX_DAEMON: "false"
 
@@ -433,3 +437,172 @@ jobs:
           echo "| Pre-release | ${{ steps.version.outputs.is_prerelease }} |" >> "$GITHUB_STEP_SUMMARY"
           echo "| Branch | \`${{ steps.context.outputs.branch }}\` |" >> "$GITHUB_STEP_SUMMARY"
           echo "| Packages | All libs/* |" >> "$GITHUB_STEP_SUMMARY"
+
+  cherry-pick-version-to-main:
+    needs: publish
+    if: >
+      inputs.dry_run != true &&
+      needs.publish.outputs.is_prerelease == 'false'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check if latest semver
+        id: check
+        run: |
+          set -euo pipefail
+          VERSION="${{ needs.publish.outputs.version }}"
+
+          git fetch --tags
+
+          # Get all stable version tags, sort by semver, pick highest
+          LATEST=$(git tag --list 'v*' \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | sort -V \
+            | tail -1 \
+            | sed 's/^v//')
+
+          echo "Released version: $VERSION"
+          echo "Latest stable tag: $LATEST"
+
+          if [ "$VERSION" = "$LATEST" ]; then
+            echo "is_latest=true" >> "$GITHUB_OUTPUT"
+            echo "This is the latest version — will cherry-pick to main"
+          else
+            echo "is_latest=false" >> "$GITHUB_OUTPUT"
+            echo "Skipping: v$VERSION is not the latest (v$LATEST is newer)"
+          fi
+
+      - name: Configure git
+        if: steps.check.outputs.is_latest == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Cherry-pick version bump to main
+        if: steps.check.outputs.is_latest == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          VERSION="${{ needs.publish.outputs.version }}"
+          RELEASE_BRANCH="${{ needs.publish.outputs.branch }}"
+          DEFAULT_BRANCH="${{ github.event.repository.default_branch }}"
+
+          # Find the version bump commit on the release branch
+          VERSION_COMMIT=$(git log "origin/$RELEASE_BRANCH" \
+            --grep="chore(release): v${VERSION}" \
+            --format="%H" -1)
+
+          if [ -z "$VERSION_COMMIT" ]; then
+            echo "::warning::Could not find version bump commit for v${VERSION}"
+            exit 0
+          fi
+
+          echo "Found version bump commit: $VERSION_COMMIT"
+
+          git fetch origin "$DEFAULT_BRANCH"
+
+          # Skip if the version bump is already on the default branch
+          if git merge-base --is-ancestor "$VERSION_COMMIT" "origin/$DEFAULT_BRANCH"; then
+            echo "Version bump commit $VERSION_COMMIT is already on $DEFAULT_BRANCH — skipping cherry-pick"
+            exit 0
+          fi
+
+          # Prepare cherry-pick branch
+          CHERRY_BRANCH="cherry-pick/v${VERSION}-version-to-main"
+
+          git checkout "$DEFAULT_BRANCH"
+          git pull origin "$DEFAULT_BRANCH"
+
+          # Clean up existing remote branch if any
+          git push origin --delete "$CHERRY_BRANCH" 2>/dev/null || true
+          git checkout -b "$CHERRY_BRANCH"
+
+          # Attempt cherry-pick
+          if git cherry-pick "$VERSION_COMMIT" --no-commit; then
+            # Check if cherry-pick produced any changes (may be empty if already applied via a different commit)
+            if [ -z "$(git diff --cached --name-only)" ]; then
+              echo "Cherry-pick produced no changes — version bump already applied on $DEFAULT_BRANCH"
+              git reset HEAD 2>/dev/null || true
+              exit 0
+            fi
+
+            git commit -m "$(cat <<EOF
+          chore: sync version to $VERSION
+
+          Cherry-picked from $RELEASE_BRANCH (release v$VERSION)
+          Original commit: $VERSION_COMMIT
+          EOF
+          )"
+
+            git push origin "$CHERRY_BRANCH"
+
+            gh pr create \
+              --base "$DEFAULT_BRANCH" \
+              --head "$CHERRY_BRANCH" \
+              --title "chore: sync version to v${VERSION}" \
+              --label "cherry-pick" \
+              --label "auto-cherry-pick" \
+              --body "$(cat <<EOF
+          ## Version sync to main
+
+          Updates all \`@enclave-vm/*\` package versions to \`${VERSION}\` on \`${DEFAULT_BRANCH}\`.
+
+          This cherry-pick was automatically created because \`v${VERSION}\` is the **latest stable release**.
+
+          **Source:** \`${RELEASE_BRANCH}\` release v${VERSION}
+
+          ---
+          _Auto-generated by the publish-release workflow._
+          EOF
+          )"
+
+            echo "Cherry-pick PR created successfully"
+          else
+            # Check if failure is due to empty cherry-pick (already applied) vs actual conflicts
+            if [ -z "$(git status --porcelain)" ]; then
+              echo "Cherry-pick is empty — version bump already applied on $DEFAULT_BRANCH"
+              git cherry-pick --abort 2>/dev/null || true
+              exit 0
+            fi
+
+            git cherry-pick --abort || true
+            echo "::warning::Cherry-pick had conflicts. Creating issue for manual resolution."
+
+            gh issue create \
+              --title "Manual version sync needed: v${VERSION} to main" \
+              --label "cherry-pick" \
+              --label "conflict" \
+              --label "needs-attention" \
+              --body "$(cat <<EOF
+          ## Manual Version Sync Required
+
+          Auto cherry-pick of version bump to \`v${VERSION}\` failed due to conflicts.
+
+          ### Manual Steps
+
+          \`\`\`bash
+          git checkout $DEFAULT_BRANCH && git pull
+          git checkout -b cherry-pick/v${VERSION}-version-to-main
+          git cherry-pick $VERSION_COMMIT
+          # Resolve conflicts
+          git add . && git cherry-pick --continue
+          git push origin cherry-pick/v${VERSION}-version-to-main
+          gh pr create --base $DEFAULT_BRANCH --title "chore: sync version to v${VERSION}"
+          \`\`\`
+
+          ---
+          _Auto-generated by the publish-release workflow._
+          EOF
+          )"
+          fi
diff --git a/libs/ast/package.json b/libs/ast/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/ast",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "A production-ready AST security guard for JavaScript - validate, protect, and enforce code safety with extensible rules",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave/tree/main/libs/ast-guard",

diff --git a/libs/broker/package.json b/libs/broker/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/broker",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Tool broker and session management for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -35,9 +35,9 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.10.0",
-    "@enclave-vm/stream": "2.10.0",
-    "@enclave-vm/core": "2.10.0",
+    "@enclave-vm/types": "2.11.0",
+    "@enclave-vm/stream": "2.11.0",
+    "@enclave-vm/core": "2.11.0",
     "minimatch": "^10.1.1",
     "zod": "^4.3.6"
   }

diff --git a/libs/client/package.json b/libs/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/client",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Browser and Node.js client SDK for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -34,7 +34,7 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.10.0",
-    "@enclave-vm/stream": "2.10.0"
+    "@enclave-vm/types": "2.11.0",
+    "@enclave-vm/stream": "2.11.0"
   }
 }
diff --git a/libs/core/package.json b/libs/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/core",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Sandbox runtime for secure JavaScript code execution",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -39,8 +39,8 @@
   },
   "dependencies": {
     "@babel/standalone": "^7.29.0",
-    "@enclave-vm/types": "2.10.0",
-    "@enclave-vm/ast": "2.10.0",
+    "@enclave-vm/types": "2.11.0",
+    "@enclave-vm/ast": "2.11.0",
     "acorn": "8.15.0",
     "acorn-walk": "8.3.4",
     "astring": "1.9.0",

diff --git a/libs/react/package.json b/libs/react/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/react",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "React hooks and components for the EnclaveJS streaming runtime",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -34,7 +34,7 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/client": "2.10.0"
+    "@enclave-vm/client": "2.11.0"
   },
   "peerDependencies": {
     "react": ">=18.0.0"

diff --git a/libs/runtime/package.json b/libs/runtime/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/runtime",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Standalone runtime worker for EnclaveJS - deployable execution environment",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -37,9 +37,9 @@
     "enclave-runtime": "./dist/cli.js"
   },
   "dependencies": {
-    "@enclave-vm/types": "2.10.0",
-    "@enclave-vm/stream": "2.10.0",
-    "@enclave-vm/core": "2.10.0"
+    "@enclave-vm/types": "2.11.0",
+    "@enclave-vm/stream": "2.11.0",
+    "@enclave-vm/core": "2.11.0"
   },
   "devDependencies": {
     "ws": "^8.19.0"

diff --git a/libs/stream/package.json b/libs/stream/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/stream",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Streaming protocol implementation for EnclaveJS runtime (NDJSON, encryption, reconnection)",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",
@@ -35,6 +35,6 @@
     }
   },
   "dependencies": {
-    "@enclave-vm/types": "2.10.0"
+    "@enclave-vm/types": "2.11.0"
   }
 }
diff --git a/libs/types/package.json b/libs/types/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@enclave-vm/types",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "description": "Type definitions and Zod schemas for the EnclaveJS streaming runtime protocol",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave",