Appearance
Authentication
The artifact registry inherits its auth model from Gitea. There is no Matrix-proprietary auth in front of it.
Read access
| Consumer | Auth required? | Why |
|---|---|---|
| Anonymous browser | no for public packages, yes for private | Gitea per-package visibility setting |
npm install @open-matrix/chat (public) | no | Matrix's @open-matrix/* scope is public-readable |
npm install of a private package | yes (token) | enforced by Gitea |
system.packages.registry.search | n/a | searches local discovery-index.json, not the HTTP registry |
The default policy for the cloud-product registry is public-read for the @open-matrix scope. That matches the long-term plan to make Matrix packages freely consumable; the privacy of the registry today is operational (pre-launch deletion ability), not adversarial.
Write access
Publishing requires a Gitea token bound to a user with push access to the target organization:
bash
# Issue a token in Gitea UI: Settings → Applications → Generate Token
# Name: matrix-publish
# Scopes: write:package
# Use it for publish
NPM_CONFIG_REGISTRY=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/ \
NPM_CONFIG__AUTH_TOKEN=<gitea-token> \
npm publish$GITEA_TOKEN ends up in ~/.npmrc for interactive use:
ini
//registry.hivecast.ai/:_authToken=<gitea-token>Caution: That
_authTokenline is the entire keyholder. Do not commit.npmrcfiles containing it. The repo.gitignorecovers.npmrcat root; verify per-package gitignores too.
Token rotation
Today's flow is manual:
- Issue a new token in Gitea admin UI.
- Update CI secrets (
GITEA_TOKENenv var) and any developer machines. - Revoke the old token in Gitea admin UI.
There is no automated rotation scheduler.
Admin credentials
The Gitea admin user is provisioned by setup-aws.sh:
bash
# projects/deploy-cloud/setup-aws.sh:250-252
GITEA_ADMIN_USER=hivecast-admin
GITEA_ADMIN_PASSWORD=changeme
GITEA_ADMIN_EMAIL=admin@$DOMAINCaution:
changemeis a literal string in the script and.env.example. Production deploys MUST overrideGITEA_ADMIN_PASSWORDbefore any other step. The npm publish safety audit (projects/matrix-3/packages/docs/content/security/npm-publish-safety.md) flags this as an open infrastructure issue under "Infrastructure Secrets (Separate Concern)."
What auth is NOT
- Auth is not authorization to mount. A Gitea token lets you publish bytes. Whether those bytes mount as actors on a Host is governed by the Host's package store and
system.registrypolicy, not by the artifact registry. - Auth is not session. The Gitea token is long-lived. Matrix's session tokens (HiveCast cookies, NATS JWTs) are unrelated.
- Auth is not capability. The Matrix capability model (
WORKSTREAMS/core-and-packaging/) is per-actor-op, not per-package-publish.
Local-mode auth
For locally-installed Hosts (hivecast install), the artifact "registry" is the bundled package store on disk. There is no HTTP layer and no authentication. Trust comes from the local filesystem:
- Bytes were placed there by
seedBundledHostPackages(the wrapper trusted the install bundle). - Subsequent
mx installoperations from the cloud registry inherit the cloud-side auth model.
See also
Source:
projects/deploy-cloud/setup-aws.sh,projects/deploy-cloud/deploy.sh.