diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..3b05600
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,31 @@
+name: publish
+
+# Publishes @bounded-systems/conformance-kit to npm with build provenance, on a
+# `v*` tag push (the deliberate release trigger — merging to main never publishes).
+# Uses npm Trusted Publishing (OIDC): no stored NPM_TOKEN. The package's trusted
+# publisher must be configured once on npmjs.com (repo + this workflow); until then
+# the publish step fails closed.
+on:
+ push:
+ tags: ["v*"]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write # OIDC — npm provenance + trusted publishing
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+ with:
+ node-version: "22"
+ registry-url: "https://registry.npmjs.org"
+ - name: Install deps
+ run: npm ci --no-audit --no-fund
+ - name: Test gate (must pass before publish)
+ run: npm test
+ - name: Publish to npm (provenance, public)
+ run: npm publish --provenance --access public
diff --git a/package.json b/package.json
index dde1fd7..cb65f93 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@bounded-systems/conformance-kit",
- "version": "0.1.0",
+ "version": "0.2.0",
 "description": "Standalone, site-agnostic web-conformance toolkit: integrity tooling + build gates + provenance generators, all parameterized so a site vendors one kit instead of duplicating scripts.",
 "type": "module",
 "license": "MIT",
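Review bot: `workflow_dispatch` in the `on:` block of `.github/workflows/publish.yml` lets the publish job run from any branch, which contradicts the header comment that only a `v*` tag publishes; a job-level `if: startsWith(github.ref, 'refs/tags/v')` keeps manual re-runs but restricts them to release tags. `npm ci` (which by default runs dependency install scripts) and `npm test` also execute in the same job that holds `id-token: write`, so any code that runs there can request the OIDC token npm trusts for publishing. Splitting into a `test` job with `contents: read` only and a `publish` job that carries `id-token: write` at job level keeps the token out of reach of that code; the `scripts` block visible in package.json has only `test`, so the publish job appears not to need an install. Separately, confirm the runner's npm is new enough for trusted publishing (npm documents 11.5.1 or later; Node 22 bundles npm 10.x as far as I know).

```yaml
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-node, Install deps, Test gate …
  publish:
    needs: test
    # Manual dispatch stays possible, but only when run against a release tag.
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # OIDC is available only to the job that publishes
    steps:
      # … unchanged: checkout, setup-node (no install, no tests here) …
      - name: Publish to npm (provenance, public)
        run: npm publish --provenance --access public
```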
@@ -31,6 +31,30 @@
 "scripts": {
 "test": "node test/run.mjs"
 },
+ "files": [
+ "gates",
+ "generators",
+ "integrity",
+ "emitters",
+ "lib",
+ "provenance.json",
+ "vendor.example.json",
+ "README.md",
+ "LICENSE"
+ ],
+ "exports": {
+ "./package.json": "./package.json",
+ "./gates/*": "./gates/*",
+ "./gates/conformance/*": "./gates/conformance/*",
+ "./generators/*": "./generators/*",
+ "./integrity/*": "./integrity/*",
+ "./emitters/*": "./emitters/*",
+ "./lib/*": "./lib/*"
+ },
+ "publishConfig": {
+ "access": "public",
+ "provenance": true
+ },
 "dependencies": {
 "@mozilla/readability": "^0.5.0",
 "@zazuko/env-node": "^2.1.5",
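Review bot: `provenance.json` and `vendor.example.json` are shipped through `files` but have no entry in the new `exports` map, so Node will refuse to resolve them by package specifier (`ERR_PACKAGE_PATH_NOT_EXPORTED`); if consumers are meant to read the provenance record that way, add `"./provenance.json": "./provenance.json",`. The `"./gates/conformance/*"` entry looks redundant, because `*` in a subpath pattern also matches nested paths and `"./gates/*"` already covers it. The wildcard patterns make every file under those directories public API, so it is worth checking the tarball contents with `npm pack --dry-run` before the first provenance-signed release. The enclosing package.json object continues outside the hunk.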