From 8f617bf4d7d9ae24c537e4e4874c9436b186150b Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Wed, 1 Apr 2026 19:38:13 +0100
Subject: [PATCH] fix: validate npm dist-tag auth before publish

---
 scripts/openclaw-npm-publish.sh | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/scripts/openclaw-npm-publish.sh b/scripts/openclaw-npm-publish.sh
index 6a7e2411fff..2c0b6cca2d9 100644
--- a/scripts/openclaw-npm-publish.sh
+++ b/scripts/openclaw-npm-publish.sh
@@ -75,6 +75,20 @@ if [[ -n "${mirror_dist_tags_csv}" && -z "${mirror_auth_token}" ]]; then
   exit 1
 fi
 
+if [[ -n "${mirror_dist_tags_csv}" ]]; then
+  mirror_userconfig="$(mktemp)"
+  trap 'rm -f "${mirror_userconfig}"' EXIT
+  chmod 0600 "${mirror_userconfig}"
+  printf '%s\n' "//registry.npmjs.org/:_authToken=${mirror_auth_token}" > "${mirror_userconfig}"
+
+  echo "Validating npm auth for dist-tag mirroring"
+  if ! NPM_CONFIG_USERCONFIG="${mirror_userconfig}" npm whoami >/dev/null; then
+    echo "npm dist-tag auth is invalid; refusing publish before latest/beta diverge." >&2
+    echo "Rotate or replace NODE_AUTH_TOKEN/NPM_TOKEN, then rerun the release workflow." >&2
+    exit 1
+  fi
+fi
+
 printf 'Publish command:'
 printf ' %q' "${publish_cmd[@]}"
 printf '\n'
@@ -82,11 +96,6 @@ printf '\n'
 "${publish_cmd[@]}"
 
 if [[ -n "${mirror_dist_tags_csv}" ]]; then
-  mirror_userconfig="$(mktemp)"
-  trap 'rm -f "${mirror_userconfig}"' EXIT
-  chmod 0600 "${mirror_userconfig}"
-  printf '%s\n' "//registry.npmjs.org/:_authToken=${mirror_auth_token}" > "${mirror_userconfig}"
-
   IFS=',' read -r -a mirror_dist_tags <<< "${mirror_dist_tags_csv}"
   for dist_tag in "${mirror_dist_tags[@]}"; do
     [[ -n "${dist_tag}" ]] || continue