Browse Source

chore: scaffold FA Pro .npmrc (env-var token, no secret committed)

Committed .npmrc sets the @fortawesome registry + reads the auth token from
${FONTAWESOME_NPM_TOKEN} at install time (no token in the file). Token lives in
the shell env (~/.zprofile), never in git. .gitignore covers .env/.env.*/.npmrc.local
as a safety net. Plan note updated to the env-var approach.
windhamdavid 1 week ago
parent
commit
c6d05a3a2f
3 changed files with 19 additions and 2 deletions
  1. 6 0
      .gitignore
  2. 9 0
      .npmrc
  3. 4 2
      _claude/notes/upgrade-plan.md

+ 6 - 0
.gitignore

@@ -7,6 +7,12 @@ npm-debug.log
 node_modules/
 build/
 
+# secrets — the FA Pro token lives in the env (FONTAWESOME_NPM_TOKEN), never a file.
+# .npmrc IS committed (env-var ref, no token); ignore any local token/env files.
+.env
+.env.*
+.npmrc.local
+
 .idea/
 .vscode/
 

+ 9 - 0
.npmrc

@@ -0,0 +1,9 @@
+; Font Awesome Pro registry — committed, and contains NO secret.
+; The auth token is read from the FONTAWESOME_NPM_TOKEN environment variable at
+; install time. Set it OUTSIDE the repo, e.g. in ~/.zprofile:
+;
+;   export FONTAWESOME_NPM_TOKEN="your-fa-pro-token"
+;
+; Do NOT paste the raw token into this file.
+@fortawesome:registry=https://npm.fontawesome.com/
+//npm.fontawesome.com/:_authToken=${FONTAWESOME_NPM_TOKEN}

+ 4 - 2
_claude/notes/upgrade-plan.md

@@ -120,8 +120,10 @@ font + ~2000 CSS rules + the npm dep all gone). `v4-style.min.css` **472 → 393
   (`@fortawesome/pro-*-svg-icons` / a kit) from FA's authed registry — **not** the webfont —
   and feed them through the sprite. Swapping sets later = change the package + regenerate.
   Replaces FA-font **and** FontMfizz.
-  - **Secret:** FA Pro npm needs a token in `.npmrc` → **gitignore `.npmrc`**; commit a
-    `.npmrc.example` with the registry line (no token).
+  - **Secret (DONE 2026-06-21):** committed **`.npmrc`** holds the registry + an env-var
+    ref `_authToken=${FONTAWESOME_NPM_TOKEN}` (no token in the file, so it's safe to commit);
+    the actual token lives in the shell env (`export FONTAWESOME_NPM_TOKEN=…` in `~/.zprofile`).
+    `.gitignore` covers `.env`/`.env.*`/`.npmrc.local` as a safety net.
 - **One-off icons** (the 8 header, the couple FontMfizz spots) stay hand-inlined SVG — no dep.
 - **Text/display fonts:** use **`@fontsource/*`** (npm — versioned woff2 + `@font-face`) for fonts
   that have it; self-host woff2 for niche ones (Computer Modern). Declare all in `theme.json`