docs: record publish workflow smoke-test outcome (WP-0005 T02)

Document workflow_dispatch run #17: build passes with .build-venv; twine
upload 401 indicates PACKAGE_USER/PACKAGE_TOKEN secrets need verification.

.gitea/workflows/publish-python-package.yml

@@ -26,11 +26,11 @@ jobs:
           TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
         run: |
           cd repo
-          python3 -m ensurepip --upgrade 2>/dev/null || \
+          python3 -m venv .build-venv
-            curl -sS https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && python3 /tmp/get-pip.py
+          . .build-venv/bin/activate
-          python3 -m pip install --upgrade pip build twine
+          python -m pip install --upgrade pip build twine
-          python3 -m build
+          python -m build
-          python3 -m twine check dist/*
+          python -m twine check dist/*
-          python3 -m twine upload \
+          python -m twine upload \
             --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
             dist/*

docs/PACKAGE_RELEASE.md

@@ -70,12 +70,23 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
+**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
+`twine check`; upload returned `401 Unauthorized`. That indicates
+`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
+include `write:package`, username must match the token owner). Build step uses
+`.build-venv` and is PEP 668 safe on haskelseed.
+
 Verify secrets without cutting a release:
 
-1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`)
+1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`),
+   or dispatch via API:
+   `POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches`
+   with body `{"ref":"main"}`
 2. Confirm the run completes and `twine upload` succeeds
 3. Optional: `pip install kaizen-agentic==<version> --extra-index-url ...`
 
+The publish job uses an isolated `.build-venv` on the runner (PEP 668 safe).
+
 ## Pre-tag release checklist
 
 Before `git tag vX.Y.Z && git push origin vX.Y.Z`:

docs/integrations/helix-forge-correlation.md

@@ -93,13 +93,8 @@ documenting expected fields — no ingestion code runs in kaizen-agentic.
 | [DESIGN-session-memory.md](https://github.com/coulomb/agentic-resources/blob/main/docs/DESIGN-session-memory.md) | agentic-resources |
 | `session_memory/core/store.py` — `get_digest()` | agentic-resources |
 
-**Reciprocal link status:** agentic-resources should link back to this document from
+**Reciprocal link status:** verified (WP-0005 T16). `agentic-resources/docs/DESIGN-session-memory.md`
-its session-memory design notes. As of WP-0005, verify
+§11 cites this document and ADR-004.
-`agentic-resources/docs/DESIGN-session-memory.md` (or successor) cites this URL:
-
-`https://gitea.coulomb.social/coulomb/kaizen-agentic/src/branch/main/docs/integrations/helix-forge-correlation.md`
-
-Open a cross-repo issue if the link is missing.
 
 ## Non-goals
 

workplans/kaizen-agentic-WP-0005-adoption-parity.md

@@ -108,7 +108,7 @@ Cross-repo follow-through from WP-0004; no foreign code in this repo.
 ### Tasks
 
 - [x] T15 — Document activity-core ActivityDefinition registration steps in `docs/INTEGRATION_PATTERNS.md` (handoff checklist for activity-core owners)
-- [ ] T16 — Verify bidirectional Helix correlation doc link with agentic-resources (kaizen side documented; reciprocal link in agentic-resources still pending)
+- [x] T16 — Verify bidirectional Helix correlation doc link with agentic-resources (reciprocal link added in `DESIGN-session-memory.md` §11)
 
 ### Definition of done