{
  "id": "P015",
  "slug": "npm-trusted-publishing-github-actions-protected-environments-npm-provenance-environment-claim-mi",
  "status": "search-observed",
  "product": "npm registry",
  "family": "Authentication/token lifecycle",
  "canonical_url": "https://gitdocs.org/fix/npm-trusted-publishing-github-actions-protected-environments-npm-provenance-environment-claim-mi",
  "query_alias_url": "https://gitdocs.org/q/npm-trusted-publishing-github-actions-protected-environments-npm-provenance-environment-claim-mi",
  "markdown_url": "https://gitdocs.org/fix/npm-trusted-publishing-github-actions-protected-environments-npm-provenance-environment-claim-mi.md",
  "json_url": "https://gitdocs.org/api/fixes/npm-trusted-publishing-github-actions-protected-environments-npm-provenance-environment-claim-mi.json",
  "canonical_query": "npm trusted publishing GitHub Actions protected environments npm provenance environment claim mismatch",
  "observed_codex_queries": [
    "npm trusted publishing GitHub Actions protected environments npm provenance environment claim mismatch",
    "docs.npmjs.com trusted publishing GitHub Actions environment protected environment npm publish OIDC",
    "npm trusted publishing docs GitHub Actions OIDC workflow file environment",
    "https://docs.npmjs.com/trusted-publishers",
    "'environment' in https://docs.npmjs.com/trusted-publishers"
  ],
  "organic_dependency_search_count": 5,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "Credentials and issuer rules live outside the codebase, so the same local 401 can mean a revoked or expired token, a scope or audience mismatch, or provenance drift.",
  "before": "",
  "after": "",
  "verification": "The verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad unsafe bypass when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/",
      "label": "npm classic tokens revoked; session auth and CLI token management"
    },
    {
      "url": "https://docs.npmjs.com/trusted-publishers",
      "label": "Official reference opened by Codex"
    }
  ],
  "source_github_links": []
}
