fix: publish workflow auth — tegwick user, OpenBao token, explicit twine creds

inter-hub-pkg-rep is the Gitea token name (not a username). PACKAGE_USER is
tegwick; token custody is OpenBao platform/operators/inter-hub/package-management.
Disable keyring in CI and pass twine --username/--password explicitly.

.gitea/workflows/publish-python-package.yml

@@ -25,6 +25,7 @@ jobs:
         env:
           TWINE_USERNAME: ${{ secrets.PACKAGE_USER }}
           TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
+          PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
         run: |
           cd repo
           python3 -m venv .build-venv
@@ -33,5 +34,8 @@ jobs:
           python -m build
           python -m twine check dist/*
           python -m twine upload \
+            --username "${TWINE_USERNAME}" \
+            --password "${TWINE_PASSWORD}" \
+            --non-interactive \
             --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
             dist/*

docs/PACKAGE_RELEASE.md

@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
 
 | Secret | Value |
 |--------|-------|
-| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
-| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
+| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
+| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) |
 
 Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
 (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,10 +70,11 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
-**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
-returned `401` when `PACKAGE_USER` did not match the token owner. Use the
-`inter-hub-pkg-rep` service account and its API token for both secrets. Build
-step uses `.build-venv` (PEP 668 safe on haskelseed).
+**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a
+Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao
+(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`).
+Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token).
+Build step uses `.build-venv` (PEP 668 safe on haskelseed).
 
 Verify secrets without cutting a release:
 

workplans/kaizen-agentic-WP-0005-adoption-parity.md

@@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
 
 ### Tasks
 
-- [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea
+- [x] T01 — Configure `PACKAGE_USER` (`tegwick`) and `PACKAGE_TOKEN` (OpenBao `inter-hub-pkg-rep` token) in Gitea
 - [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
 - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)