spec-forge-cli
Warn
Audited by Socket on Apr 28, 2026
1 alert found:
Anomaly (LOW): .releaserc.json
No explicit malicious code or secrets are present in the provided semantic-release configuration fragment. The dominant risk signal is that the release pipeline executes multiple custom local Node scripts via @semantic-release/exec during both prepare and publish phases, and the resulting artifacts are uploaded and published. This warrants direct review and integrity verification of scripts/release/*.mjs to rule out tampering, credential misuse, unexpected network activity, or backdoored artifacts.
Confidence: 56%
Severity: 62%
Audit Metadata