v0.14.4 failed with same 401 despite local-probe showing path-scoped +
Basic-auth fallback work. Adding a diagnostic step BEFORE publish:
- npm whoami against keigit
- curl Bearer probe (read endpoint /api/v1/user)
- curl PUT probe (publish endpoint with empty body)
- npm config dump (registry resolution)
Will reveal:
- Whether token actually authenticates from runner network
- Whether npm correctly resolves @keisei:registry to keigit URL
- Whether something in CI environment is rewriting/blocking the auth header
Bump 0.14.4 → 0.14.5 to trigger fresh release run.
[FROM-JOURNAL: this session — local probe confirms .npmrc form works,
CI rejects with 401, narrowing to runner-environment issue]
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
v0.14.2 publish run reported "success" but @keisei/mcp-server NEVER
landed on keigit because:
1. Host-scoped `.npmrc` token (`//keigit.com/:_authToken=...`) was
   silently ignored by npm 10 — every publish errored with ENEEDAUTH.
2. The publish loop's `|| echo ":⚠️:"` swallowed the failure
   so the job exited 0 (W1+W3 finding F3).
Two fixes in one commit:
A) Path-scoped npmrc per Forgejo docs:
   `//keigit.com/api/packages/keisei/npm/:_authToken=${KEIGIT_TOKEN}`
   + `always-auth=true` for scoped registry. Also tee'd to $HOME/.npmrc
   so the publish loop's `cd packages/<pkg>` cwd doesn't lose the auth
   line. [VERIFIED: curl PUT with Bearer to /api/packages/keisei/npm/
   returns 400 "package is invalid" (auth ACCEPTED, payload bad) — auth
   format is correct]
B) Hard-fail publish loop for packages with publishConfig:
   - Iterate all packages
   - For each: read .publishConfig presence
   - If publish errors AND has publishConfig → record gated_failed=1
   - If publish errors AND no publishConfig → notice "skipped" (adapter
     without registry pin reached npm.org default, expected fail)
   - End of loop: exit 1 if any gated_failed
   - Adapters without publishConfig (gmail/grok/recall/telegram/youtube)
     correctly skip; only @keisei/mcp-server is gated, and a real
     failure now blocks the job.
Bump 0.14.2 → 0.14.3 (0.14.2 tag exists with previous failed publish).
Verification done locally:
- PAT owner Parfionovich is member of org keisei [REAL: api/v1/user
+ api/v1/users/Parfionovich/orgs]
- Bearer auth to keigit npm registry works [REAL: curl probe → 400
"package invalid", not 401 "unauthorized"]
- Cargo workspace clean [REAL: cargo check exit 0]
After tag v0.14.3:
- npm-publish job creates .npmrc with path-scoped auth
- Publishes @keisei/mcp-server@0.14.3 to https://keigit.com/api/packages/keisei/npm/
- Adapters skip cleanly (no publishConfig, no NPM_TOKEN)
- Job exits 0 only if mcp-server actually landed
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
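The hard-fail loop from fix B above, sketched as an added example (not the project's release.yml). `publish_all`, `has_publish_config`, `make_fixture` and the `PUBLISH_CMD` stand-in are hypothetical names, and the two-package fixture is constructed so the script runs offline.

```shell
# Added example, not the project's workflow. publish_all, has_publish_config,
# make_fixture and PUBLISH_CMD are hypothetical names; fixture is constructed.

# True when the package pins a registry via publishConfig. A grep keeps the
# sketch dependency-free; parse the JSON properly in a real job.
has_publish_config() {
  grep -q '"publishConfig"' "$1/package.json" 2>/dev/null
}

# Publish each package under $1 with PUBLISH_CMD (default: npm publish).
# Returns 1 if any package that has publishConfig failed to publish.
publish_all() {
  gated_failed=0
  for pkg in "$1"/*/; do
    pkg=${pkg%/}
    [ -f "$pkg/package.json" ] || continue
    if (cd "$pkg" && ${PUBLISH_CMD:-npm publish}) >/dev/null 2>&1; then
      echo "published: ${pkg##*/}"
    elif has_publish_config "$pkg"; then
      echo "error: gated publish failed: ${pkg##*/}" >&2
      gated_failed=1
    else
      echo "notice: skipped ${pkg##*/} (no publishConfig)"
    fi
  done
  return "$gated_failed"
}

# Constructed fixture: one gated package, one adapter without publishConfig.
make_fixture() {
  mkdir -p "$1/mcp-server" "$1/gmail"
  printf '%s\n' '{"name":"@keisei/mcp-server","publishConfig":{"registry":"https://keigit.com/api/packages/keisei/npm/"}}' \
    > "$1/mcp-server/package.json"
  printf '%s\n' '{"name":"@keisei/gmail"}' > "$1/gmail/package.json"
}

# Offline stand-in for `npm publish`: fails in any directory holding `.fail`.
PUBLISH_CMD='test ! -e .fail'
fixture=$(mktemp -d)
make_fixture "$fixture"
touch "$fixture/gmail/.fail"            # ungated failure: job still passes
publish_all "$fixture" && echo "job: exit 0"
touch "$fixture/mcp-server/.fail"       # gated failure: job must fail
publish_all "$fixture" || echo "job: exit 1"
rm -rf "$fixture"
```

The return status of `publish_all` is what the CI step should exit with; piping a failed publish into `|| echo` inside the loop is what hid the original failure.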
v0.14.1 tag triggered Release workflow but npm-publish was SKIPPED
because Rust matrix entry x86_64-apple-darwin failed and release
job needs:[build-release, build-mcp-binary]; npm-publish needs:release.
Single Rust target failure → entire publish chain blocks. This was
the W3 Opus CI/build finding deferred from audit-batch-2.
Two fixes:
1. **Drop x86_64-apple-darwin from build-release matrix.**
   GitHub's `macos-latest` runner is now Apple Silicon (M1+); cross-compile
   to x86_64 needs an OpenSSL sysroot that the arm64 image doesn't ship.
   `openssl-sys 0.9.114` build fails with "Could not find openssl via
   pkg-config: pkg-config has not been configured to support
   cross-compilation". Apple Silicon mandatory for new Macs since 2020;
   x86 Mac is legacy. If a future user needs x86 darwin, re-add with
   `experimental: true` and `openssl-sys` features=["vendored"].
2. **Decouple `npm-publish` from `release`.**
   The npm package builds its own `dist/` from `_ts_packages/` — it does
   NOT consume Rust release tarballs. Previously `needs: release` meant a
   single Rust matrix failure blocked the npm publish even though the two
   are architecturally independent. Now `needs: []` (parallel with
   build-release matrix). KEIGIT_TOKEN-presence guard still gracefully
   skips when secret is absent.
Bump version 0.14.1 → 0.14.2 (v0.14.1 tag already exists from prior run).
After re-tag v0.14.2:
- build-release matrix: 3 targets (was 4) — should all succeed
- build-mcp-binary: 5 platforms (unchanged) — already passed in 0.14.1 run
- release job: produces GitHub Release with 3 Rust tarballs + 5 MCP binaries
- npm-publish job: runs in PARALLEL, publishes @keisei/mcp-server@0.14.2
to keigit regardless of Rust matrix status
[FROM-JOURNAL: tasks.jsonl this session — v0.14.1 release run 25280711426
ran 14m wall, 8/9 jobs success, x86_64-darwin failed at openssl-sys
build, release+npm-publish skipped via needs-chain]
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wire @keisei/mcp-server publish to the author-operated keigit.com
Forgejo npm registry. Verified live: keigit.com → 45.77.41.204 (Vultr,
public DNS), Caddy → Forgejo 9.0.3, TLS valid, /api/v1/version=200.
Why keigit, not GitHub Packages or npm.org:
- keigit IS the canonical npm registry for the @keisei scope (operator
runs it; no separate vendor account needed)
- npm scope @keisei stays @keisei (no rename to match a github org)
- Public DNS resolves from any client; auth via per-user PAT
- One auth surface for both the git remote and the npm registry
Files changed (7):
- _ts_packages/packages/mcp-server/package.json
  · removed `private: true` (was blocking ALL publish, including ours)
  · added publishConfig.registry = https://keigit.com/api/packages/keisei/npm/
    so accidental `npm publish` cannot route to npm.org
  · added repository field (provenance link to KeiSeiKit-1.0)
  · added license: Apache-2.0
- README.md (2 hunks): maturity row + install section say
  "published to keigit.com", show ~/.npmrc setup
- PLUGIN.md (3 hunks): same updates referencing keigit
- .claude-plugin/mcp-template.json: _comment updated
- docs/encyclopedia/substrate-overview.md (1 hunk): MCP row says
  "alpha" not "stable" + clarifies registry+scope
- .github/workflows/release.yml: npm-publish job rewired:
  · KEIGIT_TOKEN secret instead of NPM_TOKEN as gate
  · Two-row .npmrc temp-write: @keisei → keigit.com (always when
    KEIGIT_TOKEN set), npm.org auth as optional fallback
  · .npmrc cleanup via `if: always()` step
- .gitignore: _ts_packages/.npmrc + .npmrc excluded (RULE 0.8)
Verification:
- node -e 'require("./.../package.json")' parses clean,
publishConfig pinned to keigit, private:false [REAL: ran in session]
- `npm run build --workspace=@keisei/mcp-server` → tsc -b exit 0,
dist/index.js produced [REAL: built in session]
- Server starts: `node dist/index.js` lives >1s, doesn't throw,
reports expected `[adapters] not installed` for un-built siblings
- keigit.com reachable from this machine: HTTP 200 root + Forgejo
9.0.3 version endpoint [REAL: curl ran in session]
Required user-side setup before first publish:
1. Create user/org `keisei` on keigit.com (web UI; currently /keisei → 404)
2. Generate a keigit PAT with write:package scope
3. Add as github repo secret KEIGIT_TOKEN
4. Push tag v0.14.1+ → release workflow's npm-publish job picks it up
History note:
- Earlier in this session a github-packages-scope-rename variant
(commit a6f1c72) was pushed; reverted by 542a0a8 because keigit
is the right registry. Current commit lands the keigit wiring on
top of the revert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Renamed @keisei/mcp-server → @keisei84/mcp-server (scope must match
github org KeiSei84 for GitHub Packages publish). Replaced private:true
with publishConfig pinned to npm.pkg.github.com so an accidental
`npm publish` cannot leak to npm.org. CI npm-publish job rewired to
GitHub Packages auth (GITHUB_TOKEN with packages:write permission).
Why GitHub Packages, not npm.org:
- Authentication piggybacks on existing github org / PAT — no separate
account or NPM_TOKEN required for the core kit
- Scope @keisei84 maps 1:1 to org KeiSei84 (npm rule for github)
- Doesn't require public DNS for our private Forgejo (Tailscale-only
100.91.246.53 cannot be the publish target — IP-leak in public ref)
- Published artefacts live under github.com/orgs/KeiSei84/packages,
same access surface as the source repo
Why not @keisei (un-scoped or different scope):
- npm scope @keisei IS reachable on npm.org but we don't own it there
(would require email-verified npm account claim + ongoing maintenance)
- @keisei84 requires zero new accounts; works the moment KeiSei84 org
has packages enabled (github default)
Files changed (11):
- _ts_packages/packages/mcp-server/package.json — rename + publishConfig
+ repository field (required by GitHub Packages); removed private:true
- _ts_packages/package-lock.json — regenerated via `npm install`
(workspace recognises @keisei84/mcp-server symlink)
- README.md (2 hunks) — maturity row says "alpha" not
"alpha (unpublished)"; install section documents `~/.npmrc` setup
for `@keisei84:registry=https://npm.pkg.github.com/`
- PLUGIN.md (3 hunks) — same `~/.npmrc` setup; .mcp.json references
@keisei84/mcp-server; "not yet on npm" replaced with "lives on
GitHub Packages, not npm.org"
- .claude-plugin/mcp-template.json — args use @keisei84 scope
- _ts_packages/README.md (4 hunks) — package layout + npx examples
- docs/INSTALL.md, install/lib-rust.sh — comment refs
- docs/encyclopedia/substrate-overview.md (2 hunks) — package table +
publishing notes (was "published to keigit.com npm" — wrong; keigit
is a separate community-publish path for user-contributed packages,
not the destination for core @keisei84 packages)
- .github/workflows/release.yml — npm-publish job rebuilt:
  · permissions: packages:write
  · Two-scope .npmrc temp-write: @keisei84 → npm.pkg.github.com (always),
    @keisei → npm.org (only if NPM_TOKEN secret set, else skipped per pkg)
  · NODE_AUTH_TOKEN sourced from GITHUB_TOKEN
  · .npmrc cleaned up via `if: always()` step
- .gitignore — _ts_packages/.npmrc + .npmrc excluded (RULE 0.8: auth
  tokens never in git; CI temp-creates per-job)
Verification:
- `npm install` clean against new scope: node_modules/@keisei84/mcp-server
symlinks to packages/mcp-server, other adapters untouched in
node_modules/@keisei/* [REAL: install ran 2026-05-03 in this session]
- `npm run build --workspace=@keisei84/mcp-server` produces dist/index.js
[REAL: tsc -b exit 0]
- Server starts cleanly: `node dist/index.js` runs >1s, emits expected
"[adapters] not installed" warnings for un-built sibling adapters,
doesn't throw
- 17 references to old @keisei/mcp-server scope migrated; 0 left
[REAL: grep -rn "@keisei/mcp-server" returns 0 lines]
Bad-commit-hygiene note:
- Two earlier local commits (cb8dc2a + revert 474fe1c) attempted a
keigit.com-pinned variant; soft-reset past them so this commit lands
on top of public 2bb2f10. Bad commits never reached remote.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep.
On first run after install, it flags itself. Same fix as the local
.git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
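The self-match and its allowlist fix described in this commit, as an added example (not the project's leak-check.yml or pre-commit hook). `scan_leaks`, `make_repo` and `ALLOWLIST` are hypothetical names, the repository contents are constructed, and README is taken to mean `README.md`.

```shell
# Added example, not the project's leak-check.yml. scan_leaks, ALLOWLIST,
# make_repo and the fixture contents are hypothetical/constructed; only the
# pattern and the allowlisted files (README taken as README.md) are the page's.
LEAK_PATTERN='denisparfionovich'
ALLOWLIST='.github/workflows/leak-check.yml NOTICE README.md'

# Print repo-relative files under $1 that contain the pattern and are not
# allowlisted; return 1 if there are any. Assumes paths without whitespace.
scan_leaks() {
  hits=$(cd "$1" && grep -rlF -- "$LEAK_PATTERN" . |
         sed 's|^\./||' | sort)
  found=0
  for f in $hits; do
    case " $ALLOWLIST " in
      *" $f "*) continue ;;   # exact path only: a prefix or basename match
    esac                      # would also hide real leaks
    echo "$f"
    found=1
  done
  return "$found"
}

# Constructed repository: the scanner's own workflow carries the pattern.
make_repo() {
  mkdir -p "$1/.github/workflows" "$1/src"
  printf 'run: grep -rn "%s" .\n' "$LEAK_PATTERN" \
    > "$1/.github/workflows/leak-check.yml"
  echo "Copyright $LEAK_PATTERN" > "$1/NOTICE"
  echo 'fn main() {}' > "$1/src/main.rs"
}

repo=$(mktemp -d)
make_repo "$repo"
ALLOWLIST='NOTICE README.md'           # before the fix: workflow flags itself
scan_leaks "$repo" || echo "^ self-match fails the check"
ALLOWLIST='.github/workflows/leak-check.yml NOTICE README.md'
scan_leaks "$repo" && echo "clean after allowlisting the workflow"
echo "owner=$LEAK_PATTERN" > "$repo/src/config.txt"   # constructed real leak
scan_leaks "$repo" || echo "^ real leak still caught"
rm -rf "$repo"
```

Allowlisting by exact path keeps the exemption as narrow as the fix requires: a copy of the pattern anywhere else in the tree still fails the check.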