Skip to content

Authentication

The artifact registry inherits its auth model from Gitea. There is no Matrix-proprietary auth in front of it.

Read access

ConsumerAuth required?Why
Anonymous browserno for public packages, yes for privateGitea per-package visibility setting
npm install @open-matrix/chat (public)noMatrix's @open-matrix/* scope is public-readable
npm install of a private packageyes (token)enforced by Gitea
system.packages.registry.searchn/asearches local discovery-index.json, not the HTTP registry

The default policy for the cloud-product registry is public-read for the @open-matrix scope. That matches the long-term plan to make Matrix packages freely consumable; the privacy of the registry today is operational (pre-launch deletion ability), not adversarial.

Write access

Publishing requires a Gitea token bound to a user with push access to the target organization:

bash
# Issue a token in Gitea UI: Settings → Applications → Generate Token
#   Name: matrix-publish
#   Scopes: write:package

# Use it for publish
NPM_CONFIG_REGISTRY=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/ \
NPM_CONFIG__AUTH_TOKEN=<gitea-token> \
npm publish

$GITEA_TOKEN ends up in ~/.npmrc for interactive use:

ini
//registry.hivecast.ai/:_authToken=<gitea-token>

Caution: That _authToken line is the entire keyholder. Do not commit .npmrc files containing it. The repo .gitignore covers .npmrc at root; verify per-package gitignores too.

Token rotation

Today's flow is manual:

  1. Issue a new token in Gitea admin UI.
  2. Update CI secrets (GITEA_TOKEN env var) and any developer machines.
  3. Revoke the old token in Gitea admin UI.

There is no automated rotation scheduler.

Admin credentials

The Gitea admin user is provisioned by setup-aws.sh:

bash
# projects/deploy-cloud/setup-aws.sh:250-252
GITEA_ADMIN_USER=hivecast-admin
GITEA_ADMIN_PASSWORD=changeme
GITEA_ADMIN_EMAIL=admin@$DOMAIN

Caution: changeme is a literal string in the script and .env.example. Production deploys MUST override GITEA_ADMIN_PASSWORD before any other step. The npm publish safety audit (projects/matrix-3/packages/docs/content/security/npm-publish-safety.md) flags this as an open infrastructure issue under "Infrastructure Secrets (Separate Concern)."

What auth is NOT

  • Auth is not authorization to mount. A Gitea token lets you publish bytes. Whether those bytes mount as actors on a Host is governed by the Host's package store and system.registry policy, not by the artifact registry.
  • Auth is not session. The Gitea token is long-lived. Matrix's session tokens (HiveCast cookies, NATS JWTs) are unrelated.
  • Auth is not capability. The Matrix capability model (WORKSTREAMS/core-and-packaging/) is per-actor-op, not per-package-publish.

Local-mode auth

For locally-installed Hosts (hivecast install), the artifact "registry" is the bundled package store on disk. There is no HTTP layer and no authentication. Trust comes from the local filesystem:

  • Bytes were placed there by seedBundledHostPackages (the wrapper trusted the install bundle).
  • Subsequent mx install operations from the cloud registry inherit the cloud-side auth model.

See also

Source: projects/deploy-cloud/setup-aws.sh, projects/deploy-cloud/deploy.sh.