- Remove the `publish-npm` job from `release.yml`. It has been failing on
every release with `npm error code EOTP` because the configured `NPM_TOKEN`
doesn't bypass 2FA. Manual publish from a developer machine is the actual
ship path; codify that.
- Update `docs/RELEASE_RUNBOOK.md` "npm Wrapper Release" to describe the
manual flow (`npm publish --access public` + OTP) and explain why the auto
path is gone, with a recovery note for future Trusted-Publishing migration.
- Refresh stale cross-reference comment in `publish-npm.yml` (the workflow
remains as inert plumbing for an eventual Trusted Publishing setup).
- Stop tracking `docs/DeepSeek_V4.pdf` (4.4 MB). It was never referenced
outside test fixture filenames; the tests synthesize their own fake PDF.
Add to `.gitignore` so a local copy can sit there without nagging.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hunter Bown
1f00ac6311