
fix(publish): support npm trusted publishing auth#763

Merged
jdx merged 3 commits into main from codex/npm-trusted-publishing on May 25, 2026

Conversation

@jdx (Owner) commented May 22, 2026

Summary

  • add npm Trusted Publishing OIDC token exchange before publish
  • use exchanged package-scoped token for the publish PUT
  • keep existing .npmrc auth fallback and add a mock-registry regression test

Root Cause

aube publish --provenance generated Sigstore provenance, but publish auth still required an .npmrc token. Tokenless npm Trusted Publishing workflows therefore failed before upload.

Validation

  • cargo check -p aube -p aube-registry
  • cargo build -p aube
  • ./test/bats/bin/bats test/publish.bats

Note

Medium Risk
Changes CI publish authentication timing and failure modes; behavior is more resilient but alters when .npmrc vs OIDC is used.

Overview
Publish now resolves npm Trusted Publishing (OIDC exchange + bearer token) after the pre-pack lifecycle and tarball build, using the final archive.name from the packed artifact—not the pre-hook manifest name. That fixes trusted publishing when prepublishOnly (or similar) renames the package before upload.

GitHub Actions OIDC token fetch failures (network errors, non-2xx responses, or bad JSON) no longer fail the command; they debug-log and return no OIDC token so publish falls back to configured .npmrc auth, matching the existing exchange-failure behavior.

New BATS coverage: OIDC unavailable → PUT uses .npmrc token; NPM_ID_TOKEN exchange and PUT target the post-hook package name.

Reviewed by Cursor Bugbot for commit e5126ef.

@greptile-apps (Bot, Contributor) commented May 22, 2026

Greptile Summary

This PR adds npm Trusted Publishing support so packages can be published from CI without a long-lived .npmrc token. When OIDC signals are present (NPM_ID_TOKEN env var or GitHub Actions ACTIONS_ID_TOKEN_REQUEST_* vars), aube publish now fetches a short-lived package-scoped token via the registry's /-/npm/v1/oidc/token/exchange/package/… endpoint and uses it for the PUT; if OIDC is absent or fails, it falls back to existing .npmrc auth.

  • RegistryClient::request() is added as a public, auth-free HTTP builder so OIDC exchange calls and the trusted PUT share the registry's TLS/proxy client without accidentally sending a stale .npmrc token alongside the OIDC bearer.
  • The trusted_publish_token flow is placed after the "already published" pre-flight check, and three BATS tests verify the full GHA OIDC → exchange → PUT path, the fallback-to-npmrc path, and the post-hook name-rewrite case.

Confidence Score: 5/5

The auth path change is well-guarded and safe to merge; OIDC is only attempted when explicit env signals are present and the fallback to configured .npmrc auth is exercised by a regression test.

The only inconsistency found is that exchange_npm_oidc_token propagates transport errors hard while npm_oidc_id_token soft-fails — this affects a narrow scenario and the common failure modes (non-2xx HTTP responses) are correctly soft-failed with fallback.

The exchange_npm_oidc_token function in crates/aube/src/commands/publish.rs could use a second look for transport-error fallback behaviour.

Important Files Changed

Filename: Overview
crates/aube-registry/src/client/request.rs: Adds RegistryClient::request(), a thin public wrapper over http_for() that routes through the configured TLS/proxy client but leaves auth to the caller. Small, well-documented, no issues.
crates/aube/src/commands/publish.rs: Adds OIDC token exchange and wires it before the PUT. npm_oidc_id_token soft-fails on transport errors but exchange_npm_oidc_token propagates them hard, bypassing the .npmrc fallback on network-level exchange failures.
test/publish.bats: Adds three BATS tests covering the GHA OIDC→exchange→PUT path, fallback-to-npmrc, and post-hook name-rewrite. Tests are well-structured and verify correct token flow end-to-end.


Reviews (4): Last reviewed commit: "fix(publish): fall back after oidc failu..."
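The auth-resolution order that the PR summary and the Greptile overview describe (OIDC signals → ID token → package-scoped exchange → bearer on the PUT, with .npmrc as the fallback) is shown below as an added example in Rust. It is not aube's code and not part of this PR; the HTTP layer is a constructed fake so it runs offline. Assumptions, labelled in the code as well: scoped names are escaped as `@scope%2fname` in the exchange URL, the GitHub Actions token request carries the audience `npm:registry.npmjs.org` and answers with a `value` field, and the exchange answers with a `token` field. The point the example makes is the one Greptile raised: both requests soft-fail (transport error, non-2xx, bad JSON all yield `None`), so a network failure on the exchange still reaches the .npmrc path instead of aborting the publish.

```rust
use std::collections::HashMap;

/// Which credential the publish PUT will carry.
#[derive(Debug, PartialEq)]
pub enum PublishAuth {
    Trusted(String), // short-lived package-scoped token from the OIDC exchange
    Npmrc(String),   // long-lived token from .npmrc (the pre-existing path)
    None,            // nothing configured; the caller should fail before uploading
}

/// (status, body) from a simulated HTTP call; Err models a transport failure.
pub type HttpResult = Result<(u16, String), String>;
/// Simulated client taking (method, url, bearer). Real code would route through
/// the registry's TLS/proxy client without attaching the .npmrc token.
pub type Http<'a> = &'a dyn Fn(&str, &str, Option<&str>) -> HttpResult;

/// Exchange endpoint for one package. Assumption: scoped names are escaped as
/// `@scope%2fname`, the way npm addresses scoped packages in registry URLs.
pub fn exchange_url(registry: &str, package_name: &str) -> String {
    format!(
        "{}/-/npm/v1/oidc/token/exchange/package/{}",
        registry.trim_end_matches('/'),
        package_name.replace('/', "%2f")
    )
}

/// Pull one string field out of a flat JSON object such as {"token":"..."}.
/// Deliberately tiny (no JSON crate); not a general parser.
fn json_string_field(body: &str, key: &str) -> Option<String> {
    let needle = format!("\"{key}\"");
    let after_key = &body[body.find(&needle)? + needle.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(value[..value.find('"')?].to_string())
}

/// One soft-failing request: transport error, non-2xx status or bad JSON all
/// yield None so the caller can fall back (a real implementation would debug-log).
fn fetch_field(http: Http<'_>, method: &str, url: &str, bearer: Option<&str>, key: &str) -> Option<String> {
    match http(method, url, bearer) {
        Ok((status, body)) if (200..300).contains(&status) => json_string_field(&body, key),
        Ok(_) | Err(_) => None,
    }
}

/// OIDC ID token: NPM_ID_TOKEN if set, else the GitHub Actions token endpoint.
/// Assumption: audience `npm:registry.npmjs.org` and a `value` field in the reply.
pub fn npm_oidc_id_token(env: &HashMap<String, String>, http: Http<'_>) -> Option<String> {
    if let Some(t) = env.get("NPM_ID_TOKEN").filter(|t| !t.is_empty()) {
        return Some(t.clone());
    }
    let url = env.get("ACTIONS_ID_TOKEN_REQUEST_URL")?;
    let req_token = env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")?;
    let sep = if url.contains('?') { '&' } else { '?' };
    let url = format!("{url}{sep}audience=npm%3Aregistry.npmjs.org");
    fetch_field(http, "GET", &url, Some(req_token.as_str()), "value")
}

/// Exchange the ID token for a package-scoped token; soft-fails exactly like the fetch.
pub fn exchange_npm_oidc_token(registry: &str, package_name: &str, id_token: &str, http: Http<'_>) -> Option<String> {
    fetch_field(http, "POST", &exchange_url(registry, package_name), Some(id_token), "token")
}

/// Resolve auth for the PUT. Call this after packing, so `package_name` is the
/// name from the packed archive (post prepublishOnly), not the pre-hook manifest.
pub fn resolve_publish_auth(env: &HashMap<String, String>, registry: &str, package_name: &str, npmrc_token: Option<&str>, http: Http<'_>) -> PublishAuth {
    if let Some(id) = npm_oidc_id_token(env, http) {
        if let Some(tok) = exchange_npm_oidc_token(registry, package_name, &id, http) {
            return PublishAuth::Trusted(tok);
        }
    }
    match npmrc_token {
        Some(t) => PublishAuth::Npmrc(t.to_string()),
        None => PublishAuth::None,
    }
}

/// Constructed fake of both endpoints; `exchange_fails` simulates a transport error
/// on the exchange, the case Greptile flagged.
pub fn fake_http(exchange_fails: bool) -> impl Fn(&str, &str, Option<&str>) -> HttpResult {
    move |method, url, bearer| {
        if method == "GET" && url.starts_with("https://gha.example/token") {
            return match bearer {
                Some("gha-request-token") => Ok((200, r#"{"value":"eyJ.fake.idtoken"}"#.into())),
                _ => Ok((401, "{}".into())),
            };
        }
        if method == "POST" && url.contains("/-/npm/v1/oidc/token/exchange/package/") {
            if exchange_fails {
                return Err("connection reset".into());
            }
            return match bearer {
                Some("eyJ.fake.idtoken") => Ok((200, r#"{"token":"npm_trusted_abc"}"#.into())),
                _ => Ok((403, r#"{"error":"bad id token"}"#.into())),
            };
        }
        Ok((404, String::new()))
    }
}

/// Constructed GitHub Actions environment (hypothetical URL and request token).
pub fn gha_env() -> HashMap<String, String> {
    HashMap::from([
        ("ACTIONS_ID_TOKEN_REQUEST_URL".into(), "https://gha.example/token?api-version=2".into()),
        ("ACTIONS_ID_TOKEN_REQUEST_TOKEN".into(), "gha-request-token".into()),
    ])
}

fn main() {
    let reg = "https://registry.npmjs.org";
    let ok = fake_http(false);
    println!("{:?}", resolve_publish_auth(&gha_env(), reg, "@acme/renamed-pkg", Some("npm_rc_token"), &ok));
    let down = fake_http(true);
    println!("{:?}", resolve_publish_auth(&gha_env(), reg, "@acme/renamed-pkg", Some("npm_rc_token"), &down));
}
```

Run as is: the first line prints `Trusted("npm_trusted_abc")`, the second, with the exchange returning a transport error, prints `Npmrc("npm_rc_token")`. Passing `Http` as a plain `&dyn Fn` rather than a client object is what makes the fallback testable offline, which is also why the BATS tests in this PR run against a mock registry rather than the real one.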

Two review comment threads on crates/aube/src/commands/publish.rs (now outdated)
jdx force-pushed the codex/npm-trusted-publishing branch from 242875d to e03028f on May 25, 2026 19:32

@cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit e03028f.

Two review comment threads on crates/aube/src/commands/publish.rs (now outdated)
jdx merged commit c8e31af into main on May 25, 2026; 18 checks passed
jdx deleted the codex/npm-trusted-publishing branch on May 25, 2026 19:59
greptile-apps (Bot) mentioned this pull request on May 25, 2026