Configure npm publishing token for Release workflow

[cbusillo]

Objective

Enable the Release workflow to publish @just-every/code and its platform packages to npm when a GitHub Release is published from main.

Current Status

State: Waiting
Next action: Configure secrets.NPM_TOKEN with a valid npm automation/granular token that can publish @just-every/* packages and bypass 2FA for CI publishing.
Blocked by: npm credential setup outside the repository.
Last verified: 2026-05-24 in Release run 26360477400.

Evidence

Release run 26360477400 completed successfully, created/updated GitHub Release v0.6.100, and intentionally skipped npm publishing because NPM_TOKEN was empty. An earlier probe run, 26359698151, showed the self-hosted runner had an ambient NODE_AUTH_TOKEN, but npm whoami failed with it, so the workflow now treats NPM_TOKEN as the only canonical npm publish credential.

Current npm state: npm view @just-every/code version returns 0.6.99, while GitHub Release v0.6.100 exists.

Acceptance Criteria

• secrets.NPM_TOKEN exists for the Release workflow.
• npm whoami succeeds in the Validate npm auth job.
• A main-branch Release run publishes the per-target npm packages and main @just-every/code package.
• npm view @just-every/code version matches the current GitHub Release version.

Relationships

Follow-up from #119/#120 and the v0.6.100 release validation work.
Related to #85 and #87.

[cbusillo]

Planning update from 2026-05-24:

npm publishing is no longer considered required for the near-term auto-update plan. The current direction is to use GitHub Releases as the canonical internal update feed, with #127 generating a release manifest and #128 adding guarded CLI update behavior.

This issue should remain deferred unless we later decide package-manager distribution is intentional. If #126 removes npm publishing from the active Release path, this issue can likely be closed as superseded rather than fixed with a new token.