docs: clarify npm dist-tag auth

Peter Steinberger
2026-04-13 14:03:01 +01:00
parent c4b8d6d5ab
commit 6b6f0feb3c
2 changed files with 8 additions and 5 deletions


@@ -182,7 +182,10 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
plan does not yet support required reviewers there, do not assume the
environment alone is the approval boundary; rely on private repo access and
CODEOWNERS until those settings can be enabled.
- Do not use `NPM_TOKEN` or the plugin OTP flow for OpenClaw releases.
- Do not use `NPM_TOKEN` or the plugin OTP flow for the OpenClaw package
publish path; package publishing uses trusted publishing.
- Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm
does not support trusted publishing for `npm dist-tag add`.
- `@openclaw/*` plugin publishes use a separate maintainer-only flow.
- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
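
Review bot: the added bullet "Use `NPM_TOKEN` only for explicit npm dist-tag management modes" does not name those modes or say how the token should be scoped. The release doc changed in this same commit calls them promotion and dist-tag sync modes; using the same names here would keep the two files consistent. Because the context lines just above warn that the environment alone may not be the approval boundary, it would also help to state the expected token scope (for example a granular token limited to the OpenClaw package) so the long-lived credential is no broader than the `npm dist-tag add` use requires.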


@@ -136,9 +136,9 @@ Rules:
- Dist-tag sync mode must use a stable or correction tag,
`preflight_only=false`, an empty `preflight_run_id`, `npm_dist_tag=latest`,
and `promote_beta_to_latest=false`
- Promotion and dist-tag sync modes also require a valid `NPM_TOKEN` in the
`npm-release` environment because `npm dist-tag add` still needs regular npm
auth
- Promotion and dist-tag sync modes also require a valid `NPM_TOKEN` because
`npm dist-tag add` still needs regular npm auth; trusted publishing covers
the package publish path only
## Stable npm release sequence
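
Review bot: the rewritten bullet drops "in the `npm-release` environment", so the rule no longer says where `NPM_TOKEN` has to be stored. As worded, a token configured at a broader level than the environment would satisfy the rule, which widens the set of jobs that can read it beyond the promotion and dist-tag sync modes. If the token is still meant to be an environment secret, keep that wording; if the location changed on purpose, name the new location rather than leaving it unspecified.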
@@ -166,7 +166,7 @@ When cutting a stable npm release:
`preflight_only=false`, `preflight_run_id` empty, and `npm_dist_tag=latest`
The promotion and dist-tag sync modes still require the `npm-release`
environment approval and a valid `NPM_TOKEN` in that environment.
environment approval and a valid `NPM_TOKEN` accessible to that workflow run.
That keeps the direct publish path and the beta-first promotion path both
documented and operator-visible.
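
Review bot: "accessible to that workflow run" in the changed sentence is vaguer than the "in that environment" it replaces, and it decouples the token from the approval named in the same sentence. The text still requires `npm-release` environment approval, but a reader can no longer tell whether that approval gates access to `NPM_TOKEN` or only gates the job. Suggest stating explicitly which secret scope holds the token and whether the approval step is what releases it to the run.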