fix(ci): keep dist/ clean so PyPI publish doesn't choke on tool-hashes.json

[malkreide]

Problem

The v0.2.0 release's Publish to PyPI step failed:

Checking dist/bag_epl_mcp-0.2.0-py3-none-any.whl: PASSED
Checking dist/bag_epl_mcp-0.2.0.tar.gz: PASSED
Checking dist/tool-hashes.json: ERROR InvalidDistribution: Unknown distribution format: 'tool-hashes.json'

The SEC-022 snapshot step wrote tool-hashes.json into dist/, and pypa/gh-action-pypi-publish runs twine over every file in the downloaded dist/ artifact — it rejects the non-distribution file. The wheel + sdist both passed; the failure happened during the metadata check, before any upload, so nothing reached PyPI and 0.2.0 is still free.

Fix

Write the hash snapshot to a separate tool-hashes/ dir and upload it as its own artifact, so the dist/ artifact consumed by the publish job contains only the wheel and sdist. SEC-022 hashes are still produced and retained as a workflow artifact.

Verified

• ✅ publish.yml is valid YAML
• ✅ snapshot_tool_hashes.py <path> writes correctly to a path outside dist/ (6 tools)

After merge — how to recover the release

Because release: published runs the workflow from the tagged commit, just re-running the old run won't pick up this fix. Cleanest recovery (nothing is on PyPI yet):

1. Merge this PR.
2. Delete the existing v0.2.0 GitHub release and the v0.2.0 tag.
3. Re-create the release v0.2.0 targeting the updated main (now includes this fix) → publishing runs the corrected workflow → PyPI upload succeeds.

https://claude.ai/code/session_01CokY47qCb5iHuAfAEWdCvU

---

Generated by Claude Code