docs(libraries): document update-hashes authentication flow

Add an Authentication subsection to the JavaScript and Python build
configuration guides covering how `chainctl libraries update-hashes`
authenticates to Chainguard Libraries: logged-in session (and `chainctl
auth login --audience=libraries.cgr.dev` / `configure-npm` for no
prompt), `--parent` / pull-token, `--token` / `CHAINCTL_AUTH_TOKEN` for
CI, `~/.netrc` (and `--ignore-netrc`), and credentials for
`--registry-url` repository managers. Point the quickstart migration
note at these sections via stable anchors.

Missing docs were reported at
https://linear.app/chainguard/issue/ECO-2157/prospect-cyberhaven-chainctl-libraries-update-hashes-hides-bad-netrc

Author: ppalucha

content/chainguard/libraries/javascript/build-configuration.md

@@ -78,6 +78,38 @@ manager will accept packages from Chainguard.
 
 Learn more in the [JavaScript migration guide](/chainguard/libraries/javascript/migration/#step-3-update-your-lockfile) and in the [`chainctl libraries update-hashes` command docs](/chainguard/chainctl/chainctl-docs/chainctl_libraries_update-hashes/).
 
+<a id="update-hashes-auth"></a>
+
+### Authentication
+
+`update-hashes` fetches checksums from Chainguard Libraries (`libraries.cgr.dev`),
+which requires authentication. Choose whichever fits your environment:
+
+- **Logged in locally**: Run the command while authenticated; if you have no
+  other credential it prompts for an organization and authenticates with a
+  [pull token](/chainguard/libraries/access/#pull-token). Pass
+  `--parent <organization>` to skip the prompt. To avoid the prompt entirely,
+  scope your login to the libraries registry once with
+  `chainctl auth login --audience=libraries.cgr.dev` — that session is then used
+  automatically. (`chainctl auth configure-npm` also sets up this
+  libraries-scoped session as part of configuring npm.)
+- **CI or non-interactive**:
+  - For a session token, pass `--token <token>` or set `CHAINCTL_AUTH_TOKEN`. The
+    token must be scoped to the libraries registry; mint one with
+    `chainctl auth token --audience=libraries.cgr.dev`.
+  - For a [pull token](/chainguard/libraries/access/#pull-token) (an identity and
+    secret), pass it as basic auth: `--username <identity> --password <secret>`,
+    or set `CHAINCTL_REGISTRY_USERNAME` / `CHAINCTL_REGISTRY_PASSWORD`.
+- **From `~/.netrc`**: Credentials for the registry host are read from `~/.netrc`
+  (or `$NETRC`); see [.netrc for authentication](/chainguard/libraries/access/#netrc).
+  Pass `--ignore-netrc` to skip an unrelated entry.
+
+When you target a repository manager with `--registry-url` (for example
+Artifactory or JFrog), authenticate with **that** registry's credentials —
+`--username`/`--password`, the `CHAINCTL_REGISTRY_USERNAME` /
+`CHAINCTL_REGISTRY_PASSWORD` environment variables, or a matching `~/.netrc`
+entry. Chainguard-scoped tokens are never sent to third-party hosts.
+
 
 <a id="npm"></a>
 

content/chainguard/libraries/python/build-configuration.md

@@ -165,6 +165,37 @@ When using a repo manager, pass the full repository URL with `--registry-url`.
 Learn about using this command with repo managers in the [Global
 configuration](/chainguard/libraries/python/global-configuration/) page.
 
+<a id="update-hashes-auth"></a>
+
+#### Authentication
+
+`update-hashes` fetches checksums from Chainguard Libraries (`libraries.cgr.dev`),
+which requires authentication. Choose whichever fits your environment:
+
+- **Logged in locally**: Run the command while authenticated; if you have no
+  other credential it prompts for an organization and authenticates with a
+  [pull token](/chainguard/libraries/access/#pull-token). Pass
+  `--parent <organization>` to skip the prompt. To avoid the prompt entirely,
+  scope your login to the libraries registry once with
+  `chainctl auth login --audience=libraries.cgr.dev` — that session is then used
+  automatically.
+- **CI or non-interactive**:
+  - For a session token, pass `--token <token>` or set `CHAINCTL_AUTH_TOKEN`. The
+    token must be scoped to the libraries registry; mint one with
+    `chainctl auth token --audience=libraries.cgr.dev`.
+  - For a [pull token](/chainguard/libraries/access/#pull-token) (an identity and
+    secret), pass it as basic auth: `--username <identity> --password <secret>`,
+    or set `CHAINCTL_REGISTRY_USERNAME` / `CHAINCTL_REGISTRY_PASSWORD`.
+- **From `~/.netrc`**: Credentials for the registry host are read from `~/.netrc`
+  (or `$NETRC`); see [.netrc for authentication](/chainguard/libraries/access/#netrc).
+  Pass `--ignore-netrc` to skip an unrelated entry.
+
+When you target a repository manager with `--registry-url` (for example
+Artifactory or JFrog), authenticate with **that** registry's credentials —
+`--username`/`--password`, the `CHAINCTL_REGISTRY_USERNAME` /
+`CHAINCTL_REGISTRY_PASSWORD` environment variables, or a matching `~/.netrc`
+entry. Chainguard-scoped tokens are never sent to third-party hosts.
+
 By default, Chainguard hashes are appended alongside existing upstream hashes. After updating the lockfiles, to switch your environment to use Chainguard packages, configure your tool to use the Chainguard index and reinstall. The command will output
 a "Next steps" section that includes the tool-specific command for reinstalling. 
 

content/chainguard/libraries/quickstart.md

@@ -210,7 +210,11 @@ and
 > **Migrating an existing Python or JavaScript project?** If you have an
 > existing lockfile with upstream hashes, use `chainctl libraries update-hashes`
 > to update checksums to Chainguard's automatically, without regenerating your
-> lockfile from scratch.
+> lockfile from scratch. The command authenticates to Chainguard Libraries; see
+> the authentication options in the
+> [Python](/chainguard/libraries/python/build-configuration/#update-hashes-auth) and
+> [JavaScript](/chainguard/libraries/javascript/build-configuration/#update-hashes-auth)
+> build configuration guides.
 
 ## Step 4: Verify your libraries