chore: bump @mosaicstack/mosaic to 0.0.21

The publish-npm step ended with `|| echo "[publish] Some packages may
already exist at this version — continuing"`, which unconditionally
converted any failure into success. That fallback silently masked a
real Gitea registry 404 during the @mosaic/* → @mosaicstack/* org
rename — CI reported green for pipelines #681 and #684 while every
single @mosaicstack/* publish fell on the floor, blocking users from
installing the gateway.

Replace the blanket swallow with a targeted rule:

- `E404 / E401 / ENEEDAUTH / ECONNREFUSED / ETIMEDOUT / ENOTFOUND` →
  FATAL, fail the pipeline. These are real registry/auth/network
  problems that must surface.
- `EPUBLISHCONFLICT / cannot publish over / previously published` →
  tolerate. This is the legitimate "only some packages were bumped in
  this merge" case and should not block CI.
- Any other unrecognized failure → FATAL (fail closed, not open).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.woodpecker/publish.yml

@@ -45,27 +45,21 @@ steps:
       # Gitea org rename and caused every @mosaicstack/* publish to fall
       # on the floor while CI still reported green.
       - |
-        # Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS.
         set +e
-        pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1
-        EXIT=$?
+        pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public 2>&1 | tee /tmp/publish.log
+        EXIT=${PIPESTATUS[0]}
         set -e
-        cat /tmp/publish.log
         if [ "$EXIT" -eq 0 ]; then
           echo "[publish] all packages published successfully"
           exit 0
         fi
-        # Hard registry / auth / network errors → fatal. Match npm's own
-        # error lines specifically to avoid false positives on arbitrary
-        # log text that happens to contain "E404" etc.
-        if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then
+        # Any hard registry/auth/network error fails the pipeline.
+        if grep -qE "E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND" /tmp/publish.log; then
           echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
           exit 1
         fi
-        # Only tolerate the explicit "version already published" case.
-        # npm returns this as E403 with body "You cannot publish over..."
-        # or EPUBLISHCONFLICT depending on version.
-        if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then
+        # Tolerate only the specific "version already published" case.
+        if grep -qE "EPUBLISHCONFLICT|cannot publish over|previously published" /tmp/publish.log; then
           echo "[publish] some packages already at this version — continuing (non-fatal)"
           exit 0
         fi