diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md
index b036152..e5b3e1f 100644
--- a/docs/PACKAGE_RELEASE.md
+++ b/docs/PACKAGE_RELEASE.md
@@ -70,6 +70,12 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
+**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
+`twine check`; upload returned `401 Unauthorized`. That indicates
+`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
+include `write:package`, username must match the token owner). Build step uses
+`.build-venv` and is PEP 668 safe on haskelseed.
+
 Verify secrets without cutting a release:
 
 1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`),