fix: use inter-hub-pkg-rep for Gitea publish auth (WP-0005 T02)

Wire PACKAGE_USER into git clone URL and document inter-hub-pkg-rep as the
forge package-publish service account for PACKAGE_USER/PACKAGE_TOKEN.

docs/PACKAGE_RELEASE.md

@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
 
 | Secret | Value |
 |--------|-------|
-| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
-| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
+| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
+| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
 
 Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
 (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,11 +70,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
-**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
-`twine check`; upload returned `401 Unauthorized`. That indicates
-`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
-include `write:package`, username must match the token owner). Build step uses
-`.build-venv` and is PEP 668 safe on haskelseed.
+**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
+returned `401` when `PACKAGE_USER` did not match the token owner. Use the
+`inter-hub-pkg-rep` service account and its API token for both secrets. Build
+step uses `.build-venv` (PEP 668 safe on haskelseed).
 
 Verify secrets without cutting a release: