
fix: npm trusted publishing#843

Merged
jbrejner merged 3 commits into
mainfrom
828-npm-publishing-should-use-trusted-publishing-for-npm-packages
May 1, 2026

Conversation


@jbrejner jbrejner commented May 1, 2026

  • All 8 packages have updated publishing settings, including "Require two-factor authentication and disallow tokens (recommended)", as per npm recommendations.
  • The secret NPM_TOKEN has been deleted.

fix: #828

@jbrejner jbrejner requested a review from AlexKantor87 May 1, 2026 11:27
@jbrejner jbrejner linked an issue May 1, 2026 that may be closed by this pull request

claude Bot commented May 1, 2026

Claude finished @jbrejner's task in 2m 39s


PR Review: npm trusted publishing

  • Run static analysis (build, vet, mod tidy)
  • Review changed files
  • Post review summary

Static Analysis

All checks pass — go build ./..., go vet ./..., and go mod tidy report no issues. This PR only touches npm/workflow files, so that's expected.

Review

This PR looks good. The changes are clean and complete:

  1. All 8 .npmrc files removed — eliminates the _authToken=${NPM_TOKEN} lines that would reference a now-deleted secret. No stale auth config left behind.

  2. NPM_TOKEN removed from release.yml — the workflow already has id-token: write permission (line 123), and npm-publish.sh already passes --provenance when running in GitHub Actions. The OIDC auth path is properly wired.

  3. README updated — the old .npmrc documentation is replaced with a clear note about trusted publishing requirements for new packages. The text annotation on the code fence is a nice touch.

  4. No remaining references — grep confirms zero remaining mentions of NPM_TOKEN, _authToken, or .npmrc across the entire codebase.

One minor note

The README line at 114 says:

The package publishing expects the package is configured for Trusted publishing - so if more platforms are added you must configure the new packages accordingly.

This is good documentation. It might be worth also noting where the trusted publisher configuration lives (npm registry settings for each @kosli/* package) so future contributors know where to look — but that's optional polish, not a blocker.

Summary

Clean, well-scoped migration. The .npmrc files and NPM_TOKEN secret are fully removed, the OIDC/provenance path was already in place, and the docs are updated. No issues found.
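The publishing setup the review describes (no NPM_TOKEN secret, `id-token: write`, `npm publish --provenance`), shown as an added illustrative workflow that is not the project's own release.yml or npm-publish.sh; the job name, tag trigger, package path and the stale-config check are assumptions.

```yaml
# Before (the pattern this PR removes): a long-lived npm token stored as a
# repository secret and written into each package's .npmrc, e.g.
#   //registry.npmjs.org/:_authToken=${NPM_TOKEN}
# Anyone who can read that secret (or a leaked CI log) can publish.
#
# After: OIDC trusted publishing. No token is stored anywhere. The job mints a
# short-lived GitHub Actions ID token, npm exchanges it for publish rights, and
# the package's settings on npmjs.com pin which repository and workflow may
# publish. "Disallow tokens" on the package makes this the only publish path.
name: release            # hypothetical workflow name
on:
  push:
    tags: ['v*']

jobs:
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # required for OIDC trusted publishing and --provenance
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Fail fast if any token-based auth config survives
        # Mirrors the reviewer's grep: no .npmrc may carry _authToken and no
        # workflow may reference the deleted secret. The escaped dot in the
        # second pattern keeps this line from matching itself.
        run: |
          if grep -rIn --include=.npmrc '_authToken' . \
             || grep -rIn 'secrets\.NPM_TOKEN' .github/; then
            echo "token-based publish config still present" >&2
            exit 1
          fi
      - name: Publish with provenance
        working-directory: npm/example-package   # hypothetical package path
        run: npm publish --provenance --access public
```

Provenance attestations only verify if the registry-side trusted publisher entry (owner, repository and workflow filename) matches the job that ran, so the npmjs.com settings and this file must be changed together.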

@mbevc1 mbevc1 changed the title Npm trusted publishing fix: npm trusted publishing May 1, 2026
@jbrejner jbrejner removed the request for review from AlexKantor87 May 1, 2026 11:47
@jbrejner jbrejner merged commit 804ba44 into main May 1, 2026
36 checks passed
@jbrejner jbrejner deleted the 828-npm-publishing-should-use-trusted-publishing-for-npm-packages branch May 1, 2026 12:02

Development

Successfully merging this pull request may close these issues.

NPM publishing should use Trusted publishing for npm packages

3 participants