release: v1.2.0 — adoption polish and publish pipeline (WP-0005)

Bump version to 1.2.0. Fleet parity, install doc sync, Gitea publish workflow
fixes, and Helix reciprocal doc link. Closes KAIZEN-WP-0005.

.gitea/workflows/publish-python-package.yml

@@ -12,10 +12,11 @@ jobs:
     steps:
       - name: Check out source
         env:
+          PACKAGE_USER: ${{ secrets.PACKAGE_USER }}
           PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
         run: |
           git clone --depth 1 \
-            "https://tegwick:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
+            "https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
             repo
           cd repo
           git checkout "${{ gitea.sha }}"
@@ -24,13 +25,17 @@ jobs:
         env:
           TWINE_USERNAME: ${{ secrets.PACKAGE_USER }}
           TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
+          PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
         run: |
           cd repo
-          python3 -m ensurepip --upgrade 2>/dev/null || \
-            curl -sS https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py && python3 /tmp/get-pip.py
-          python3 -m pip install --upgrade pip build twine
-          python3 -m build
-          python3 -m twine check dist/*
-          python3 -m twine upload \
+          python3 -m venv .build-venv
+          . .build-venv/bin/activate
+          python -m pip install --upgrade pip build twine
+          python -m build
+          python -m twine check dist/*
+          python -m twine upload \
+            --username "${TWINE_USERNAME}" \
+            --password "${TWINE_PASSWORD}" \
+            --non-interactive \
             --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \
             dist/*

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.0] - 2026-06-16
+
 ### Added
 - **`make agents-sync-package`** — sync `agents/` into packaged `data/agents/`
 - **Packaged agent parity test** — `release-check` fails when wheel data drifts from source
@@ -14,7 +16,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - **Install documentation** — HELLO_WORLD, CLI_CHEAT_SHEET, AGENT_DISTRIBUTION use Gitea PyPI extra index
-- **`docs/PACKAGE_RELEASE.md`** — secrets setup and pre-tag release checklist
+- **`docs/PACKAGE_RELEASE.md`** — OpenBao token custody, publish smoke-test notes, pre-tag checklist
+
+### Fixed
+- **Gitea publish workflow** — `.build-venv` for PEP 668 on haskelseed; explicit twine credentials; `tegwick` + `inter-hub-pkg-rep` token from OpenBao
+- **Helix correlation docs** — bidirectional link with agentic-resources (WP-0005 T16)
 
 ## [1.1.0] - 2026-06-18
 

docs/PACKAGE_RELEASE.md

@@ -60,8 +60,18 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
 
 | Secret | Value |
 |--------|-------|
-| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
-| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
+| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
+| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`) |
+
+Token custody (OpenBao):
+
+```text
+platform/data/operators/inter-hub/package-management
+  → field: inter-hub-pkg-rep
+```
+
+Paste the **plaintext** token into the Gitea secret UI. `inter-hub-pkg-rep` is the
+token name in Gitea, not a username.
 
 Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
 (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,12 +80,22 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
 The publish workflow fails at the upload step when either secret is missing or
 invalid. Do not commit tokens to the repository.
 
+**Smoke-test (2026-06-16):** `workflow_dispatch` run #3042 authenticated successfully
+(`409 Conflict` on re-upload of `1.1.0` — expected). Root causes of earlier `401`s:
+wrong token (`GITEA_API_TOKEN` ≠ package token), wrong username (`inter-hub-pkg-rep`
+is a token name), and a stale org-level secret. Build uses `.build-venv` (PEP 668).
+
 Verify secrets without cutting a release:
 
-1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`)
+1. Open **Actions → Publish Python package → Run workflow** (`workflow_dispatch`),
+   or dispatch via API:
+   `POST /api/v1/repos/coulomb/kaizen-agentic/actions/workflows/publish-python-package.yml/dispatches`
+   with body `{"ref":"main"}`
 2. Confirm the run completes and `twine upload` succeeds
 3. Optional: `pip install kaizen-agentic==<version> --extra-index-url ...`
 
+The publish job uses an isolated `.build-venv` on the runner (PEP 668 safe).
+
 ## Pre-tag release checklist
 
 Before `git tag vX.Y.Z && git push origin vX.Y.Z`:

docs/integrations/helix-forge-correlation.md

@@ -93,13 +93,8 @@ documenting expected fields — no ingestion code runs in kaizen-agentic.
 | [DESIGN-session-memory.md](https://github.com/coulomb/agentic-resources/blob/main/docs/DESIGN-session-memory.md) | agentic-resources |
 | `session_memory/core/store.py` — `get_digest()` | agentic-resources |
 
-**Reciprocal link status:** agentic-resources should link back to this document from
-its session-memory design notes. As of WP-0005, verify
-`agentic-resources/docs/DESIGN-session-memory.md` (or successor) cites this URL:
-
-`https://gitea.coulomb.social/coulomb/kaizen-agentic/src/branch/main/docs/integrations/helix-forge-correlation.md`
-
-Open a cross-repo issue if the link is missing.
+**Reciprocal link status:** verified (WP-0005 T16). `agentic-resources/docs/DESIGN-session-memory.md`
+§11 cites this document and ADR-004.
 
 ## Non-goals
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "kaizen-agentic"
-version = "1.1.0"
+version = "1.2.0"
 description = "AI agent development framework embracing continuous improvement (kaizen)"
 readme = "README.md"
 license = {file = "LICENSE"}

src/kaizen_agentic/__init__.py

@@ -9,7 +9,7 @@ It also includes a comprehensive agent distribution system for sharing
 specialized agents across projects via CLI tools and package management.
 """
 
-__version__ = "1.1.0"
+__version__ = "1.2.0"
 __author__ = "Kaizen Agentic Team"
 
 from .core import Agent, AgentConfig

workplans/kaizen-agentic-WP-0005-adoption-parity.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Adoption Polish and Fleet Parity (v1.2.0)"
 domain: custodian
 repo: kaizen-agentic
-status: active
+status: completed
 owner: kaizen-agentic
 topic_slug: custodian
 state_hub_workstream_id: 88c7b3e6-be98-480c-b47b-936e74a1a31b
@@ -14,7 +14,7 @@ updated: "2026-06-16"
 
 # KAIZEN-WP-0005 — Adoption Polish and Fleet Parity
 
-**Status:** active
+**Status:** completed
 **Owner:** kaizen-agentic
 **Repo:** kaizen-agentic
 **Target version:** 1.2.0
@@ -37,8 +37,8 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
 
 ### Tasks
 
-- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names)
-- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
+- [x] T01 — Configure `PACKAGE_USER` (`tegwick`) and `PACKAGE_TOKEN` (OpenBao `inter-hub-pkg-rep` token) in Gitea
+- [x] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` (auth OK; 409 on re-upload of 1.1.0)
 - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
 
 ### Definition of done
@@ -108,7 +108,7 @@ Cross-repo follow-through from WP-0004; no foreign code in this repo.
 ### Tasks
 
 - [x] T15 — Document activity-core ActivityDefinition registration steps in `docs/INTEGRATION_PATTERNS.md` (handoff checklist for activity-core owners)
-- [ ] T16 — Verify bidirectional Helix correlation doc link with agentic-resources (kaizen side documented; reciprocal link in agentic-resources still pending)
+- [x] T16 — Verify bidirectional Helix correlation doc link with agentic-resources (reciprocal link added in `DESIGN-session-memory.md` §11)
 
 ### Definition of done