Use npm trusted publishing in release workflow

.github/workflows/publish.yml

@@ -39,6 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -51,13 +52,16 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
       - name: Install dependencies
         working-directory: cli/reins
         run: bun install
 
+      - name: Verify npm version for trusted publishing
+        run: npm --version
+
       - name: Check if publish is needed
         id: check
         working-directory: cli/reins
@@ -80,8 +84,6 @@ jobs:
         if: steps.check.outputs.should_publish == 'true'
         working-directory: cli/reins
         run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Release
         if: steps.check.outputs.should_publish == 'true'

docs/design-docs/ci-enforcement-and-risk-policy.md

@@ -53,5 +53,5 @@ It now uses explicit regex patterns for gates like `lint`, `test`, and `typechec
 - CLI projects can satisfy the legibility observability signal with strong diagnosability evidence instead of irrelevant service observability infrastructure.
 - Lint baseline has been reduced and now passes cleanly in local checks; CI lint remains advisory until the workflow flips the gate to blocking.
 - Merges to master only publish when the merged PR already includes a new package version.
-- Requires `NPM_TOKEN` secret in GitHub repo settings for npm authentication.
+- Requires npm Trusted Publisher configuration for this GitHub repository/workflow (OIDC), not a long-lived `NPM_TOKEN`.
 - Fork PRs may still require maintainer follow-up for version bump commits.