feat(publish): make package installable from Gitea npm registry (WHYNOT-WP-0003 T02)

- package.json: private:false; real repository.url; publishConfig.registry →
  coulomb Gitea npm; lit dependency → peerDependency (^3) + devDependency;
  ship the ir/ consumer contract (files + ./ir/* export); add PUBLISHING.md to files.
- .npmrc: real @whynot scope registry + ${NPM_AUTH_TOKEN} ref (no secret committed).
- PUBLISHING.md: publish flow, token routing (operator/OpenBao — warden route is not
  in this CLI), and consumer install.
- README: registry-install path + lit peer note. CHANGELOG: Added/Changed entries.

Config + packaging validated via `npm pack --dry-run` (ir/, tokens, CSS, PUBLISHING.md
included; .npmrc excluded). Actual `npm publish` + install-verify is gated on a Gitea
NPM_AUTH_TOKEN (operator-owned) and an explicit outward-publish go-ahead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 15:15:47 +02:00
parent c538d05434
commit e02011905a
6 changed files with 99 additions and 12 deletions

.npmrc

@@ -1,5 +1,6 @@
# When ready to publish to Gitea Packages, uncomment and set NPM_AUTH_TOKEN
# in your shell or CI secrets.
#
# @whynot:registry=https://gitea.example.com/api/packages/whynot/npm/
# //gitea.example.com/api/packages/whynot/npm/:_authToken=${NPM_AUTH_TOKEN}
# @whynot/* is published to and installed from the coulomb Gitea npm registry.
# The auth token is NOT stored here — set NPM_AUTH_TOKEN in your shell/CI.
# It is operator/OpenBao-owned (credential-routing.md: tokens route, never vend);
# obtain a Gitea package token from the operator. Publish flow: see PUBLISHING.md.
@whynot:registry=https://gitea.coulomb.social/api/packages/coulomb/npm/
//gitea.coulomb.social/api/packages/coulomb/npm/:_authToken=${NPM_AUTH_TOKEN}
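
Review bot: the `_authToken=${NPM_AUTH_TOKEN}` line at the end of this hunk is now active for every checkout, but the comment above it only covers the publish case. It should say what a contributor or CI job without NPM_AUTH_TOKEN set should expect when running npm in this repo, and whether installing @whynot/* from this registry needs a token at all. If only publishing needs it, consider keeping just the `@whynot:registry=` line in the committed file and having the publish job write the `_authToken` line to its own user-level npmrc, so a plain install never depends on the variable. The comment also cites credential-routing.md without a path; give its location or link it from PUBLISHING.md so the reference can be followed.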