npm

Use for npm registry/account tasks: npm whoami, package availability, package reservation, publish, org checks, and auth debugging.

Auth

• Use one-password first for secret rules.
• Never run op directly in the shell tool.
• Known npm 1Password item: npmjs on my.1password.com.
• The item may contain username/password/TOTP, not a stored npm token. That is fine.
• Explicit user requests to release, publish, or npm publish are consent to complete npm auth, including a desktop 1Password sign-in/unlock prompt for the known npmjs item when service-account access cannot read it. Do not stop to ask for separate permission just because the npm auth prompt is expected.
• Still stop and ask if the npmjs item is missing, the account/vault is ambiguous, credentials are malformed, npm denies package access, or the requested package/version does not match the repo release target.
• Run npm auth work inside one persistent tmux session. Reuse it on failure.
• Keep npm auth in a temp npmrc; delete it after the command.
• If hand-rolling, read npmjs once, keep secrets in shell variables, require a six-digit op item get npmjs --account my.1password.com --otp, write a temp npmrc, run all npm commands with NPM_CONFIG_USERCONFIG, then delete the npmrc and unset variables.
• npm 11 prompt piping is brittle; avoid printf ... | npm login --auth-type=legacy.
• Avoid expect for npm login unless necessary; logs can echo prompts and are easy to get wrong.
• Prefer the helper's registry API login path (npm-profile loginCouch) for automation.
• If auth shape is ambiguous or npm whoami fails, stop and ask for the exact field label / credential fix. Do not probe more 1Password items or start another tmux session.