DevForge / DevLuxe 10X Registry Gate Execution Walkthrough

0 of 0 complete

title: "DevForge / DevLuxe Registry Gate Execution Walkthrough"
version: "2026-07-09.5"
status: "manual execution guide - registry gates pending"


DevForge / DevLuxe 10X Registry Gate Execution Walkthrough (source: internal value-standard label, not a measured multiplier)

Read first: This is the A-grade execution guide for claiming devluxe on npm and PyPI. It tells you exactly what must be done manually by you, what can be automated afterward, what values to paste, what receipts prove completion, and what cleanup is mandatory after first publish.

Brutal Reality Boundary

Known Current State - July 9, 2026

Item Current value Why it matters
GitHub owner katterskillsawmill Real repository owner from the local remote.
GitHub repo devluxe Real repository name from the local remote.
GitHub remote https://github.com/katterskillsawmill/devluxe.git Must match registry publisher fields.
npm package devluxe Public namespace to claim.
PyPI project devluxe Public namespace to claim.
npm version 0.2.0 Current npm/package.json version.
PyPI version 0.2.0 Current pypi/pyproject.toml version.
Workflow file publish.yml Enter only this filename in registry forms.
GitHub workflow path .github/workflows/publish.yml Actual workflow path in the repo.
npm environment npm-publish GitHub environment used by publish-npm.
PyPI environment pypi GitHub environment used by publish-pypi.
First-publish npm secret NPM_TOKEN Environment secret name only; never record the value.
Local monorepo /root/ecosystems/ecosystem-whitelabel/devluxe Working source location.
Portal walkthrough path walkthroughs/devforge-devluxe/2026-07-09/ CooperLux portal section path.
Website access route https://cooperluxe.com/walkthroughs Existing protected website route where the operator link belongs.
Pages guide route https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/ Wrangler-deployed artifact location used by the website SSO link; 10x in the slug is the internal value-standard label. (source: this walkthrough boundary)
Optional redirect host walkthroughs.cooperlux.com Optional future redirect to https://cooperluxe.com/walkthroughs; not required for today.

What I Can Automate vs What You Must Do

Track Can be automated by Codex Must be done manually by you
Registry probes Check whether npm/PyPI already have devluxe. None.
Local package tests Run npm tests, build checks, and Python checks when dependencies are available. None unless local dependencies require account access.
GitHub workflow review Inspect .github/workflows/publish.yml for branch, environment, permission, and publish shape. Approve any publish run if GitHub environment protection asks for approval.
GitHub environments I can show exact environment names and expected settings. You must create/configure environments if I do not have authenticated GitHub admin access.
PyPI pending publisher I can supply exact form values. You must log in to PyPI and add the pending publisher.
npm first-publish token I can supply exact token scope and secret name. You must log in to npm, create the token, copy it once, and put it into GitHub as NPM_TOKEN.
First publish I can give the UI path and CLI command. You must explicitly authorize the publish and approve protected jobs.
Post-publish cleanup I can patch workflow files after the package exists if requested. You must configure npm trusted publishing in npm package settings and revoke/delete the first-publish token.

Official Constraints Checked July 9, 2026

Claim Ledger

Claim Status Receipt / boundary
DevLuxe local registry package sources are prepared for owner execution. partial npm tests passed locally on July 9, 2026; PyPI local pytest was not run because pytest was missing from the base Python environment.
Public npm namespace claim is complete. false/removed Live probe returned npm 404 on July 9, 2026; package does not exist yet.
Public PyPI namespace claim is complete. false/removed Live probe returned PyPI 404 on July 9, 2026; project does not exist yet.
The workflow is 100% complete. false/removed Completion requires npm page, PyPI page, GitHub Actions run receipt, and post-publish token cleanup.
10X is an external measured multiplier. (source: boundary row) false/removed The label is only an internal quality/value standard.
The secure Next.js middleware pack is dead or deleted. false/removed packs/seniormatic/secure-nextjs-middleware remains a reusable asset; only standalone project-building was stopped.

Zero-Secret Rule

Phase 0 - Automated Preflight We Can Run

Run these before doing account work. These do not publish anything.

cd /root/ecosystems/ecosystem-whitelabel/devluxe
git status --short
git remote -v
sed -n '1,220p' .github/workflows/publish.yml

Expected:

Registry availability check:

curl -sS -o /dev/null -w "npm: %{http_code}\n" https://registry.npmjs.org/devluxe
curl -sS -o /dev/null -w "pypi: %{http_code}\n" https://pypi.org/pypi/devluxe/json

Expected before first publish:

npm: 404
pypi: 404

Local package checks:

cd /root/ecosystems/ecosystem-whitelabel/devluxe/npm
npm test

Expected:

Python package check, if pytest is available:

cd /root/ecosystems/ecosystem-whitelabel/devluxe/pypi
python3 -m pytest -q

Expected:

Phase 1 - Manual GitHub Environment Setup

Purpose: make sure the publish jobs have protected, named environments before registry publish starts.

Open:

https://github.com/katterskillsawmill/devluxe/settings/environments

Create or verify pypi

Pass signal:

Create or verify npm-publish

Pass signal:

If GitHub says environment protections are unavailable The repo may be private and the current GitHub plan may limit some protection rules. Create the environments anyway if possible. The environment names still matter because the workflow references `pypi` and `npm-publish`, and environment secrets are scoped to those jobs.

Phase 2 - Manual PyPI Pending Publisher Setup

Purpose: let the first trusted PyPI publish create devluxe without any PyPI API token.

Open:

https://pypi.org/manage/account/publishing/

If PyPI asks you to log in:

Add pending publisher:

PyPI form field Exact value
Project name devluxe
Owner katterskillsawmill
Repository name devluxe
Workflow name publish.yml
Environment name pypi

Pass signal:

Stop condition:

Why PyPI still shows no project page after this step That is expected. PyPI pending publishers do not create or reserve the project until first trusted publish. The project page appears only after the workflow successfully publishes the distribution.

Phase 3 - Manual npm First-Publish Token Setup

Purpose: claim the unscoped npm package once, then immediately move toward trusted publishing and token removal.

Open:

https://www.npmjs.com/settings/katterskillsawmill/tokens

If that organization token page is not available, use your npm profile menu:

Create token:

npm token field Exact guidance
Token name devluxe-first-publish-2026-07-09
Description One-time first publish for devluxe; revoke after trusted publishing is configured.
Expiration Shortest available; npm documents at least 1 day for custom expiration.
Packages and scopes Read and write for all packages/scopes available to the publishing account.
Organizations Only add organization access if the package will publish under organization ownership.
Bypass 2FA Enable only if npm account/package settings require 2FA for publish automation and the workflow would otherwise fail.

Add token to GitHub environment:

Open:

https://github.com/katterskillsawmill/devluxe/settings/environments

Pass signal:

Stop condition:

Phase 4 - Manual Workflow Dispatch

Purpose: run the single manual-dispatch release workflow after both account gates are ready.

Open:

https://github.com/katterskillsawmill/devluxe/actions/workflows/publish.yml

Run from GitHub UI:

Alternative terminal command, only if your GitHub CLI is authenticated to the correct account:

gh workflow run publish.yml -R katterskillsawmill/devluxe -f target=both
gh run watch -R katterskillsawmill/devluxe

While the workflow runs:

Stop conditions:

Phase 5 - Completion Receipts

After the workflow reports success, capture all receipts before calling the workflow complete.

Open and save URLs:

Receipt URL
GitHub publish workflow https://github.com/katterskillsawmill/devluxe/actions/workflows/publish.yml
npm package https://www.npmjs.com/package/devluxe
npm version https://www.npmjs.com/package/devluxe/v/0.2.0
PyPI project https://pypi.org/project/devluxe/
PyPI version https://pypi.org/project/devluxe/0.2.0/
npm registry JSON https://registry.npmjs.org/devluxe
PyPI registry JSON https://pypi.org/pypi/devluxe/json

Run verification commands:

curl -sS -o /dev/null -w "npm: %{http_code}\n" https://registry.npmjs.org/devluxe
curl -sS -o /dev/null -w "pypi: %{http_code}\n" https://pypi.org/pypi/devluxe/json
npm view devluxe version
npx devluxe@0.2.0 --help
python3 -m pip install --upgrade devluxe==0.2.0
devluxe check --help

Expected after successful first publish:

Receipt note template:

devluxe first registry claim completed on <date/time UTC>. GitHub run: <run-url>. npm package: https://www.npmjs.com/package/devluxe/v/0.2.0. PyPI package: https://pypi.org/project/devluxe/0.2.0/. Token cleanup status: <pending/done>. npm trusted publishing flip status: <pending/done>.

Phase 6 - Mandatory npm Token Cleanup

Purpose: remove the temporary first-publish credential path.

Do this immediately after npm publish succeeds.

Delete GitHub environment secret

Open:

https://github.com/katterskillsawmill/devluxe/settings/environments

Revoke npm token

Open npm access tokens:

https://www.npmjs.com/settings/katterskillsawmill/tokens

Pass signal:

Phase 7 - Post-Publish npm Trusted Publishing Flip

Purpose: make the next npm publish use OIDC instead of a long-lived token.

Open:

https://www.npmjs.com/package/devluxe

npm trusted publisher field Exact value
Organization or user katterskillsawmill
Repository devluxe
Workflow filename publish.yml
Environment name npm-publish
Allowed actions npm publish

Then update .github/workflows/publish.yml before the next npm release:

  publish-npm:
    needs: build-npm
    if: ${{ (inputs.target == 'both' || inputs.target == 'npm') && github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    environment: npm-publish
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22.14.0
          registry-url: https://registry.npmjs.org
      - uses: actions/download-artifact@v4
        with:
          name: devluxe-npm-package
          path: npm-package
      - run: npm install -g npm@latest
      - run: npm --version
      - run: npm publish npm-package/*.tgz

Important:

Maximum-security option after OIDC works:

Phase 8 - PyPI Post-Publish Verification

Purpose: prove the PyPI pending publisher converted to a normal trusted publisher.

Open:

https://pypi.org/manage/project/devluxe/settings/publishing/

PyPI publisher field Expected
Owner katterskillsawmill
Repository devluxe
Workflow publish.yml
Environment pypi

Phase 9 - 100% Completion Checklist

The workflow is complete only when every line below is true.

Fast Path - The Minimum Manual Click Sequence

Use this when you are ready and want the shortest path.

  1. [ ] GitHub: create/verify environment pypi.
  2. [ ] GitHub: create/verify environment npm-publish.
  3. [ ] PyPI: add pending publisher with project devluxe, owner katterskillsawmill, repo devluxe, workflow publish.yml, environment pypi.
  4. [ ] npm: create one short-lived granular read/write token for first publish.
  5. [ ] GitHub: paste token only into environment secret npm-publish -> NPM_TOKEN.
  6. [ ] GitHub Actions: run publish.yml on branch main with target=both.
  7. [ ] Approve protected publish jobs only after build jobs pass.
  8. [ ] Verify npm and PyPI package pages exist.
  9. [ ] Delete GitHub NPM_TOKEN.
  10. [ ] Revoke npm token.
  11. [ ] Configure npm trusted publisher for future OIDC publishes.
  12. [ ] Record receipts.

Troubleshooting

npm publish fails with authentication or OTP error Check whether the token was added as a GitHub environment secret under `npm-publish`, not as a repository secret. Confirm the workflow job uses `environment: npm-publish`. If npm account settings require 2FA for automation, recreate the token with the npm website's 2FA bypass option if policy allows it, then replace the GitHub secret. Do not print the token while debugging.
npm publish succeeds but npm trusted publishing is not visible Open the package settings page for `devluxe`. The package must exist before that settings page exists. If the option is still missing, confirm you are logged into the npm owner account that owns the package.
PyPI publish fails with trusted publisher mismatch Compare the PyPI pending publisher fields character by character: owner `katterskillsawmill`, repository `devluxe`, workflow `publish.yml`, environment `pypi`. Do not use `.github/workflows/publish.yml` in the workflow-name field.
The registry name is taken before you publish Stop. Do not retry with the same public claim language. Decide whether to dispute, rename, scope, or publish under a different package name. Update the walkthrough and package metadata before any new publish attempt.
The Python local tests cannot run because pytest is missing Do not treat local Python test verification as complete until the dependency environment is fixed or the GitHub workflow build job has run and passed `pytest -q`. The publish workflow installs `pytest` in the PyPI build job before running tests.
GitHub required reviewers are unavailable for the private repo Use the environments anyway if available, and keep manual dispatch as the release brake. If required reviewers are unavailable on the current plan, the hard gate becomes your explicit manual run of `workflow_dispatch` plus immediate token deletion after success.

Portal Placement

Current status:

Local filesystem review path:

deliverables/cooperlux-walkthrough-portal-2026-07-07/site/walkthroughs/devforge-devluxe/2026-07-09/devforge-devluxe-10x-claim-walkthrough-2026-07-09.html

Local HTTP review URL when the portal static server is running on port 8792:

http://127.0.0.1:8792/walkthroughs/devforge-devluxe/2026-07-09/devforge-devluxe-10x-claim-walkthrough-2026-07-09.html

Restart the local portal server if needed:

cd /root/ecosystems/ecosystem-publishing/deliverables/cooperlux-walkthrough-portal-2026-07-07/site
python3 -m http.server 8792 --bind 0.0.0.0

Website access path after the Wrangler deploy is complete:

https://cooperluxe.com/walkthroughs

Direct Pages guide URL after Wrangler deploy:

https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/

Required public-access receipts before the website path is treated as complete:

Public Portal Online Gate - Why Localhost Failed

Current verified blocker:

Official Cloudflare references for the public portal gate:

Wrangler deployment path:

  1. [ ] Confirm the DevLuxe files exist under:
/root/ecosystems/ecosystem-cooperluxe/james-portal/public/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/
  1. [ ] Confirm cooperluxe-portal/src/lib/walkthroughs.ts includes the admin link to:
https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/
  1. [ ] Deploy the Pages guide with Wrangler:
cd /root/ecosystems/ecosystem-cooperluxe/james-portal
npx --yes wrangler pages deploy public --project-name james-cooperluxe --branch main --commit-message "Add DevLuxe registry gate walkthrough"
  1. [ ] If the website deployment does not automatically pick up cooperluxe-portal source changes, deploy the website through its normal production lane.
  2. [ ] Open:
https://cooperluxe.com/walkthroughs
  1. [ ] Sign in as the owner/admin.
  2. [ ] Click DevForge / DevLuxe Registry Gate Execution.
  3. [ ] Confirm the guide opens and the checklists/copy buttons work.
  4. [ ] Save the Wrangler deployment URL and website verification timestamp.

Optional redirect host path:

/root/dcoop-workflows/cooperlux-wrangler-subdomain-audit-2026-07-08/cooperlux-walkthroughs-redirect

Automation path if Codex is finishing the deployment:

Artifact Maintenance Checklist

📝 My notes

Auto-saves to this browser. Survives reloads. Click Export to download as .md.
Saved