diag(release): v0.14.5 — keigit auth diagnostic step before publish

v0.14.4 failed with same 401 despite local-probe showing path-scoped +
Basic-auth fallback work. Adding a diagnostic step BEFORE publish:
- npm whoami against keigit
- curl Bearer probe (read endpoint /api/v1/user)
- curl PUT probe (publish endpoint with empty body)
- npm config dump (registry resolution)

Will reveal:
- Whether token actually authenticates from runner network
- Whether npm correctly resolves @keisei:registry to keigit URL
- Whether something in CI environment is rewriting/blocking the auth header

Bump 0.14.4 → 0.14.5 to trigger fresh release run.
[FROM-JOURNAL: this session — local probe confirms .npmrc form works,
CI rejects with 401, narrowing to runner-environment issue]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/release.yml

@@ -365,6 +365,41 @@ jobs:
           # Sanity (no secrets in log — print only registry lines):
           grep -vE "_authToken|_password|username|email" .npmrc || true
 
+      # v0.14.5 diagnostic: verify the .npmrc-resolved auth actually works
+      # AGAINST keigit from the runner network. Local probes confirmed Bearer
+      # and Basic both auth-OK, but CI publish gets 401 — narrow root cause.
+      - name: Diagnose keigit auth from runner
+        if: steps.have_token.outputs.present == '1'
+        working-directory: _ts_packages
+        env:
+          KEIGIT_TOKEN: ${{ secrets.KEIGIT_TOKEN }}
+        run: |
+          set +e
+          echo "::group::npm whoami probe"
+          npm whoami --registry=https://keigit.com/api/packages/keisei/npm/ 2>&1 | head -10
+          echo "::endgroup::"
+          echo "::group::curl Bearer probe (read endpoint)"
+          curl -sS -m 10 -H "Authorization: Bearer ${KEIGIT_TOKEN}" \
+            -o /dev/null -w "HTTP %{http_code}\n" \
+            https://keigit.com/api/v1/user
+          echo "::endgroup::"
+          echo "::group::curl PUT probe (publish endpoint with empty body)"
+          curl -sS -m 10 -X PUT \
+            -H "Authorization: Bearer ${KEIGIT_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -o /tmp/probe-resp -w "HTTP %{http_code}\n" \
+            "https://keigit.com/api/packages/keisei/npm/@keisei%2Fci-probe-noop" \
+            -d '{}'
+          echo "Response (first 200 chars):"
+          head -c 200 /tmp/probe-resp 2>/dev/null
+          echo "::endgroup::"
+          echo "::group::npm config debug"
+          npm config get registry --workspaces=false
+          npm config get @keisei:registry --workspaces=false
+          npm config get -L user 2>&1 | head -20
+          echo "::endgroup::"
+          set -e
+
       - name: Install deps
         if: steps.have_token.outputs.present == '1'
         working-directory: _ts_packages

_ts_packages/package-lock.json

@@ -3707,7 +3707,7 @@
     },
     "packages/mcp-server": {
       "name": "@keisei/mcp-server",
-      "version": "0.14.4",
+      "version": "0.14.5",
       "license": "Apache-2.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.0.0",

_ts_packages/packages/mcp-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keisei/mcp-server",
-  "version": "0.14.4",
+  "version": "0.14.5",
   "description": "MCP server exposing KeiSeiKit Rust primitives as Model Context Protocol tools — published to keigit.com (Forgejo npm registry, public DNS)",
   "type": "module",
   "main": "./dist/index.js",