Appearance
Private packages
"Private" here means published to the Gitea registry at registry.hivecast.ai, not npmjs.com. Visibility is governed by Gitea's per-package access settings.
Default publish target
All Matrix packages today publish to Gitea, not public npm. The npm publish safety audit documents what would have to change before the public path is exercised; until those gates pass, Gitea is the only path.
Setup
A consumer or developer who wants to install private packages from Gitea configures their npm scope:
ini
# ~/.npmrc or project .npmrc
@open-matrix:registry=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/
//registry.hivecast.ai/:_authToken=<gitea-token>For public-readable packages (the current default for @open-matrix/*), the auth token is needed only for publishing — not for npm install.
Publish flow
bash
cd projects/matrix-3/packages/<name>
NPM_CONFIG_REGISTRY=https://registry.hivecast.ai/api/packages/hivecast-admin/npm/ \
NPM_CONFIG__AUTH_TOKEN=<gitea-token> \
npm publishGitea accepts the tarball, stores it, and exposes it via its npm packages API immediately.
Visibility tiers
Gitea supports per-package visibility settings. The defaults for @open-matrix/* packages are:
| Visibility | Effect |
|---|---|
| Public (current default) | Anonymous read. Installable without authentication. |
| Org-restricted | Read requires Gitea token bound to the open-matrix org. |
| Private | Read requires explicit per-package permission grant. |
Today, all @open-matrix/* packages are public-read. Privacy is operational (registry behind admin token for publish; deletion possible) rather than commercial.
Why "private" still makes sense pre-launch
Three reasons documented in Gitea backend:
- Deletion ability. Crucial for pre-launch — versions can be retracted when wrong.
- No public exposure of WIP packages. Pre-launch packages depend on each other heavily; partial APIs would leak otherwise.
- Unified domain. Same operator owns hivecast.ai and registry.hivecast.ai.
Cross-references
- The publish flow itself is in Publish flow.
- Gitea provisioning is in Gitea backend.
- The auth model is in Authentication.
- The deploy pipeline that bootstraps the host with private-package access is
projects/deploy-cloud/deploy.sh.
See also
- Public packages — target-state npmjs.com path
- Gitea backend
- Publish flow
Source:
projects/deploy-cloud/Caddyfile.bare,projects/deploy-cloud/setup-aws.sh,.github/workflows/release.yml(release dispatch).