diff --git a/.gitea/workflows/publish-python-package.yml b/.gitea/workflows/publish-python-package.yml index 54988c9..c37e4fe 100644 --- a/.gitea/workflows/publish-python-package.yml +++ b/.gitea/workflows/publish-python-package.yml @@ -12,10 +12,11 @@ jobs: steps: - name: Check out source env: + PACKAGE_USER: ${{ secrets.PACKAGE_USER }} PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }} run: | git clone --depth 1 \ - "https://tegwick:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \ + "https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \ repo cd repo git checkout "${{ gitea.sha }}" diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md index e5b3e1f..f15b753 100644 --- a/docs/PACKAGE_RELEASE.md +++ b/docs/PACKAGE_RELEASE.md @@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**. | Secret | Value | |--------|-------| -| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) | -| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope | +| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account | +| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope | Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN` (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone` 
@@ -70,11 +70,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository. -**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed -`twine check`; upload returned `401 Unauthorized`. That indicates -`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must -include `write:package`, username must match the token owner). Build step uses -`.build-venv` and is PEP 668 safe on haskelseed. +**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload +returned `401` when `PACKAGE_USER` did not match the token owner. Use the +`inter-hub-pkg-rep` service account and its API token for both secrets. Build +step uses `.build-venv` (PEP 668 safe on haskelseed). Verify secrets without cutting a release: diff --git a/workplans/kaizen-agentic-WP-0005-adoption-parity.md b/workplans/kaizen-agentic-WP-0005-adoption-parity.md index b8360e4..aeba0c1 100644 --- a/workplans/kaizen-agentic-WP-0005-adoption-parity.md +++ b/workplans/kaizen-agentic-WP-0005-adoption-parity.md @@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut. ### Tasks -- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names) +- [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea - [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
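Review bot: In the `.gitea/workflows/publish-python-package.yml` hunk, the credential is still interpolated into the clone URL, so after `git clone` it persists in `repo/.git/config` as the `origin` remote and can surface in any `git` error message; substituting `${PACKAGE_USER}` for the literal username does not change that. Consider stripping it once the checkout is done (for example `git remote set-url origin "https://gitea.coulomb.social/coulomb/kaizen-agentic.git"` right after `git checkout "${{ gitea.sha }}"`) or passing the token through a credential helper instead of the URL, so a later step that archives or uploads the working tree cannot carry the token with it.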
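Review bot: In the first `docs/PACKAGE_RELEASE.md` hunk, the new `PACKAGE_TOKEN` row describes the token as "named `inter-hub-pkg-rep`", but the token's display name is cosmetic; what the upload step depends on is that the token was issued by the `inter-hub-pkg-rep` account and carries the `write:package` scope. Suggest wording it as "Gitea API token issued by `inter-hub-pkg-rep` with `write:package` scope" so a reader does not create a token under their own account and merely label it.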
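Review bot: In the second `docs/PACKAGE_RELEASE.md` hunk, the rewritten smoke-test note states as fact that the `401` was caused by `PACKAGE_USER` not matching the token owner, yet the workplan hunk in this same patch still leaves T02 (the `workflow_dispatch` smoke test) unchecked, so no passing run confirms that diagnosis. Either keep the earlier phrasing that the secrets "need verification" until a green run #18 exists, or record the run number that succeeded; the dropped reminder that the token must include `write:package` is also worth keeping here, since this paragraph is what someone debugging a `401` will read first.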
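Review bot: In the `workplans/kaizen-agentic-WP-0005-adoption-parity.md` hunk, the updated T01 line drops the parenthetical that Gitea rejects `GITEA_*` secret names. That caveat still lives in `docs/PACKAGE_RELEASE.md`, but T01 is the line someone reconfiguring the secrets is most likely to skim, so consider keeping it: "Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea (Gitea rejects `GITEA_*` secret names)".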