ci: fail publish pipeline loudly on registry/auth/network errors

The publish-npm step ended with `|| echo "[publish] Some packages may
already exist at this version — continuing"`, which unconditionally
converted any failure into success. That fallback silently masked a
real Gitea registry 404 during the @mosaic/* → @mosaicstack/* org
rename — CI reported green for pipelines #681 and #684 while every
single @mosaicstack/* publish fell on the floor, blocking users from
installing the gateway.

Replace the blanket swallow with a targeted rule:

- `E404 / E401 / ENEEDAUTH / ECONNREFUSED / ETIMEDOUT / ENOTFOUND` →
  FATAL, fail the pipeline. These are real registry/auth/network
  problems that must surface.
- `EPUBLISHCONFLICT / cannot publish over / previously published` →
  tolerate. This is the legitimate "only some packages were bumped in
  this merge" case and should not block CI.
- Any other unrecognized failure → FATAL (fail closed, not open).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.woodpecker/publish.yml

@@ -45,21 +45,27 @@ steps:
       # Gitea org rename and caused every @mosaicstack/* publish to fall
       # on the floor while CI still reported green.
       - |
+        # Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS.
         set +e
-        pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public 2>&1 | tee /tmp/publish.log
-        EXIT=${PIPESTATUS[0]}
+        pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1
+        EXIT=$?
         set -e
+        cat /tmp/publish.log
         if [ "$EXIT" -eq 0 ]; then
           echo "[publish] all packages published successfully"
           exit 0
         fi
-        # Any hard registry/auth/network error fails the pipeline.
-        if grep -qE "E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND" /tmp/publish.log; then
+        # Hard registry / auth / network errors → fatal. Match npm's own
+        # error lines specifically to avoid false positives on arbitrary
+        # log text that happens to contain "E404" etc.
+        if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then
           echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
           exit 1
         fi
-        # Tolerate only the specific "version already published" case.
-        if grep -qE "EPUBLISHCONFLICT|cannot publish over|previously published" /tmp/publish.log; then
+        # Only tolerate the explicit "version already published" case.
+        # npm returns this as E403 with body "You cannot publish over..."
+        # or EPUBLISHCONFLICT depending on version.
+        if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then
           echo "[publish] some packages already at this version — continuing (non-fatal)"
           exit 0
         fi

packages/mosaic/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mosaicstack/mosaic",
-  "version": "0.0.21",
+  "version": "0.0.20",
   "repository": {
     "type": "git",
     "url": "https://git.mosaicstack.dev/mosaicstack/mosaic-stack.git",

packages/mosaic/src/runtime/update-checker.ts

@@ -127,28 +127,10 @@ export function semverLt(a: string, b: string): boolean {
 // ─── Known packages for checkForAllUpdates() ──────────────────────────────
 
 const KNOWN_PACKAGES = [
-  '@mosaicstack/agent',
-  '@mosaicstack/auth',
-  '@mosaicstack/brain',
-  '@mosaicstack/config',
-  '@mosaicstack/coord',
-  '@mosaicstack/db',
-  '@mosaicstack/design-tokens',
-  '@mosaicstack/discord-plugin',
-  '@mosaicstack/forge',
-  '@mosaicstack/gateway',
-  '@mosaicstack/log',
-  '@mosaicstack/macp',
-  '@mosaicstack/memory',
   '@mosaicstack/mosaic',
-  '@mosaicstack/oc-framework-plugin',
-  '@mosaicstack/oc-macp-plugin',
-  '@mosaicstack/prdy',
+  '@mosaicstack/cli',
+  '@mosaicstack/gateway',
   '@mosaicstack/quality-rails',
-  '@mosaicstack/queue',
-  '@mosaicstack/storage',
-  '@mosaicstack/telegram-plugin',
-  '@mosaicstack/types',
 ];
 
 // ─── Multi-package types ──────────────────────────────────────────────────