Skip to content

Private packages

"Private" here means published to the Gitea registry at registry.hivecast.ai, not npmjs.com. Visibility is governed by Gitea's per-package access settings.

Default publish target

All Matrix packages today publish to Gitea, not public npm. The npm publish safety audit documents what would have to change before the public path is exercised; until those gates pass, Gitea is the only path.

Setup

A consumer or developer who wants to install private packages from Gitea configures their npm scope:

ini
# ~/.npmrc or project .npmrc
@open-matrix:registry=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/
//registry.hivecast.ai/:_authToken=<gitea-token>

For public-readable packages (the current default for @open-matrix/*), the auth token is needed only for publishing — not for npm install.

Publish flow

bash
cd projects/matrix-3/packages/<name>
NPM_CONFIG_REGISTRY=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/ \
NPM_CONFIG__AUTH_TOKEN=<gitea-token> \
npm publish

Gitea accepts the tarball, stores it, and exposes it via its npm packages API immediately.

Visibility tiers

Gitea supports per-package visibility settings. The defaults for @open-matrix/* packages are:

VisibilityEffect
Public (current default)Anonymous read. Installable without authentication.
Org-restrictedRead requires Gitea token bound to the open-matrix org.
PrivateRead requires explicit per-package permission grant.

Today, all @open-matrix/* packages are public-read. Privacy is operational (registry behind admin token for publish; deletion possible) rather than commercial.

Why "private" still makes sense pre-launch

Three reasons documented in Gitea backend:

  1. Deletion ability. Crucial for pre-launch — versions can be retracted when wrong.
  2. No public exposure of WIP packages. Pre-launch packages depend on each other heavily; partial APIs would leak otherwise.
  3. Unified domain. Same operator owns hivecast.ai and registry.hivecast.ai.

Cross-references

  • The publish flow itself is in Publish flow.
  • Gitea provisioning is in Gitea backend.
  • The auth model is in Authentication.
  • The deploy pipeline that bootstraps the host with private-package access is projects/deploy-cloud/deploy.sh.

See also

Source: projects/deploy-cloud/Caddyfile.bare, projects/deploy-cloud/setup-aws.sh, .github/workflows/release.yml (release dispatch).