Thu, May 28, 2026
19 min read
Shipping an npm CLI Tool Securely to a Specific Customer — Designing the Build, Sign, and Deliver Pipeline
#npm
#cli
#code-signing
#ci-cd
#supply-chain
You want a privately developed npm CLI tool used only inside one customer enterprise, never on the public npm registry. It looks like plain packaging, but in practice you must satisfy three things at once: passing the OS security gates (Gatekeeper and SmartScreen), tamper-evident signing, and a distribution network you can control and audit per customer. Targeting macOS and Windows now with Linux ahead, this post designs build, signing, distribution, and supply-chain hardening as a single pipeline.