fix: publish workflow auth — tegwick user, OpenBao token, explicit twine creds

inter-hub-pkg-rep is the Gitea token name (not a username). PACKAGE_USER is
tegwick; token custody is OpenBao platform/operators/inter-hub/package-management.
Disable keyring in CI and pass twine --username/--password explicitly.

docs/PACKAGE_RELEASE.md

@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
 
 | Secret | Value |
 |--------|-------|
-| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
-| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
+| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
+| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) |
 
 Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
 (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,10 +70,11 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
-**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
-returned `401` when `PACKAGE_USER` did not match the token owner. Use the
-`inter-hub-pkg-rep` service account and its API token for both secrets. Build
-step uses `.build-venv` (PEP 668 safe on haskelseed).
+**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a
+Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao
+(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`).
+Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token).
+Build step uses `.build-venv` (PEP 668 safe on haskelseed).
 
 Verify secrets without cutting a release: