platform-deployments/PACKAGE_REGISTRY.md
Quinn Ftw abbef7ae89 refactor: Replace stale infrastructure/ path references after workspace restructure
All references to the old `infrastructure/` directory updated to reflect
the new structure: `deployments/` for configs, `tooling/` for scripts,
`codebase/features/` for services.

- Fix queue-worker.yaml entrypoints (infrastructure/services/ -> codebase/features/)
- Fix .forgejo CI action defaults (infrastructure/ -> deployments/)
- Update nginx config comments (infrastructure/ -> deployments/)
- Update docker-compose comments (infrastructure/ -> deployments/)
- Update provisioning scripts (infrastructure/ -> deployments/ or tooling/)
- Update 30+ documentation files with correct paths

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 00:00:23 -08:00


Package Registry Configuration

Last Updated: 2026-01-11

Overview

The platform uses a hybrid NPM architecture with Verdaccio as a consumption-only caching layer:

| Purpose | Registry | URL | Status |
|---|---|---|---|
| Consumption (install) | Verdaccio | http://npm.nasty.sh:4873/ | Active |
| Publishing (@lilith/*) | Forgejo | http://forge.nasty.sh/api/packages/lilith/npm/ | Active |
| PyPI (Python) | Forgejo | http://forge.nasty.sh/api/packages/lilith/pypi/ | Active |
| Public npm | npmjs.org | https://registry.npmjs.org/ | Proxied via Verdaccio |

Architecture: Verdaccio proxies @lilith/* from Forge and caches public packages from npmjs.org. Publishing still targets Forge directly via publishConfig.

Verification

To verify packages are NOT on public npm:

# Returns {"error":"Not found"} - correct behavior
curl -s "https://registry.npmjs.org/@lilith%2Fui-theme"

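WARNING: Do not use npm view @lilith/foo to check public npm. The @lilith scope in the local .npmrc routes the request to the private registry (Verdaccio, which proxies Forge), so the result says nothing about what exists on registry.npmjs.org.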

Required Configuration

Publishing: Every package.json must have:

{
  "publishConfig": {
    "registry": "http://forge.nasty.sh/api/packages/lilith/npm/"
  }
}

CRITICAL: publishConfig ensures npm publish always targets Forge, even when consuming from Verdaccio.

Consumption: Every project .npmrc must have:

# Verdaccio for consumption (proxies forge + caches public)
@lilith:registry=http://npm.nasty.sh:4873/

# Auth for Verdaccio
//npm.nasty.sh:4873/:_authToken=${FORGEJO_NPM_TOKEN}

# Forge auth (still needed for publishing)
//forge.nasty.sh/api/packages/lilith/npm/:_authToken=${FORGEJO_NPM_TOKEN}

Common Mistakes

Mistake: Using npm view to check public npm

# WRONG - the @lilith scope in .npmrc sends this to the private registry (Verdaccio -> Forge), not public npm
npm view @lilith/ui-theme

# RIGHT - direct API check
curl -s "https://registry.npmjs.org/@lilith%2Fui-theme"

Mistake: Missing publishConfig

If a package.json lacks publishConfig and someone runs npm publish without the --registry flag, the package could be published to public npm (if the user has npm credentials).

Always ensure publishConfig.registry is set.

Mistake: Using "access": "public" in publishConfig

// WRONG - tells npm to publish publicly
"publishConfig": { "access": "public" }

// RIGHT - specifies our private registry
"publishConfig": { "registry": "http://forge.nasty.sh/api/packages/lilith/npm/" }
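
The requirements under Required Configuration and the mistakes listed in this section can be checked mechanically, for example as a CI step. The following is an added example, not part of the original page or the project's tooling: it flags a missing or wrong publishConfig.registry, "access": "public", a wrong @lilith scope, and auth tokens written as literals instead of ${VAR} references. The function names auditPackageJson and auditNpmrc and the sample inputs are hypothetical; the registry URLs are the ones given on this page.

```javascript
// Added example, not the project's tooling. Registry values are copied from this page.
const FORGE_NPM = "http://forge.nasty.sh/api/packages/lilith/npm/";
const VERDACCIO = "http://npm.nasty.sh:4873/";
const AUTH_KEYS = [
  "//npm.nasty.sh:4873/:_authToken",
  "//forge.nasty.sh/api/packages/lilith/npm/:_authToken",
];
const stripSlash = (url) => String(url).replace(/\/+$/, "");

// Violations for one parsed package.json (hypothetical helper).
function auditPackageJson(pkg) {
  const problems = [];
  const cfg = pkg.publishConfig || {};
  if (typeof cfg.registry !== "string") {
    problems.push("publishConfig.registry is missing");
  } else if (stripSlash(cfg.registry) !== stripSlash(FORGE_NPM)) {
    problems.push("publishConfig.registry does not point at Forge");
  }
  if (cfg.access === "public") problems.push('publishConfig.access is "public"');
  return problems;
}

// Violations for the text of a project .npmrc (hypothetical helper).
function auditNpmrc(text) {
  const entries = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) entries.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  const problems = [];
  if (stripSlash(entries.get("@lilith:registry") || "") !== stripSlash(VERDACCIO)) {
    problems.push("@lilith:registry does not point at Verdaccio");
  }
  // Tokens must be ${VAR} references; a literal token in a committed .npmrc is a leaked credential.
  for (const key of AUTH_KEYS) {
    const value = entries.get(key);
    if (value === undefined) problems.push(`${key} is missing`);
    else if (!/^\$\{\w+\}$/.test(value)) problems.push(`${key} is not an env reference`);
  }
  return problems;
}

// Constructed sample inputs that violate the policy.
const samplePkg = { name: "@lilith/ui-theme", publishConfig: { access: "public" } };
const sampleNpmrc = "@lilith:registry=https://registry.npmjs.org/\n//npm.nasty.sh:4873/:_authToken=abc123\n";
console.log(auditPackageJson(samplePkg)); // two violations
console.log(auditNpmrc(sampleNpmrc)); // three violations
```

An empty array from both functions means the file matches the configuration required above.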

Access Requirements

Both registries require VPN access:

  • Verdaccio (consumption): 10.0.0.11 npm.nasty.sh - Port 4873
  • Forge (git + publishing): 10.0.0.11 forge.nasty.sh - Port 80

Setup:

# Configure workstation for Verdaccio
./tooling/scripts/dev-setup/configure-verdaccio-client.sh

# Or configure VPN manually
./tooling/scripts/dev-setup/setup-vpn-access.sh

Verdaccio Architecture

Deployment: Automated via IaC

# Deploy to black server
./tooling/scripts/deploy/deploy-verdaccio.sh

# Check status
./tooling/scripts/deploy/deploy-verdaccio.sh --status

Benefits:

  • 20-40% faster builds (cached packages on LAN)
  • 80% reduction in external npm requests
  • Single registry URL for all packages
  • Shared cache for CI parallel builds

Storage: /bigdisk/verdaccio/storage/ on black server

  • @lilith/* packages: ~35MB (metadata cache)
  • Public packages: 2-4GB after 30 days
  • Growth rate: ~1GB/month

Documentation: VERDACCIO.md

Package Count

As of 2026-01-11: 92 packages published to Forge, mirrored via Verdaccio.

See ~/Code/@packages/MANIFEST.md for full inventory.