docs: update documentation for npm trusted publishers

- Update AGENTS.md to mention trusted publishers and changeset workflow
- Update versioning-with-npm.mdc to clarify changesets as primary method
- Add notes about OIDC authentication and no tokens required

Author: jaruesink

.cursor/rules/versioning-with-npm.mdc

@@ -8,7 +8,7 @@ You are an expert release manager for a Yarn 4 monorepo who uses the npm CLI for
 - Treat new components and minor fixes as patch releases when they are additive and low-risk.
 - Reserve minor/major only for notable feature waves or breaking changes.
 
-Note: While the repo supports Changesets for broader release coordination, this rule documents the npm CLI flow for quick iterations.
+Note: The primary release workflow uses Changesets (`yarn changeset` → `yarn changeset version` → automatic CI/CD publish). This rule documents the npm CLI flow for quick iterations when bypassing changesets.
 
 ## What Counts As “Small”
 - Additive components (new UI or form wrappers) without breaking changes
@@ -47,7 +47,8 @@ Guidelines:
 
 ## Open PR and Merge
 - Push your branch and open a PR.
-- When the PR merges into `main`, GitHub CI publishes the package. No manual tagging or `npm publish` needed.
+- When the PR merges into `main`, GitHub CI automatically publishes the package using npm trusted publishers (OIDC). No manual tagging or `npm publish` needed, and no npm tokens required.
+- **Note:** The release workflow uses [npm trusted publishers](https://docs.npmjs.com/trusted-publishers) for secure, tokenless publishing. Ensure the trusted publisher is configured on npmjs.com for the package.
 
 ## Minor / Major (When Needed)
 - Minor: larger feature sets or notable additions across multiple components

AGENTS.md

@@ -36,10 +36,12 @@
 - PRs: clear description, linked issues, screenshots or Storybook links, notes on testing.
 - Required checks: `yarn lint` passes; build succeeds; tests updated/added.
 - Versioning: when changing published package(s), add a Changeset (`yarn changeset`) before merge.
+- Publishing: Releases are automatically published via CI/CD using [npm trusted publishers](https://docs.npmjs.com/trusted-publishers) (OIDC). No npm tokens required. See README.md for setup instructions.
 
 ## Security & Configuration
 - Node `22.9.0` (`.nvmrc`) and Yarn 4 (`packageManager`).
 - Do not commit secrets. Keep large artifacts out of VCS (`dist`, `node_modules`).
+- Publishing uses npm trusted publishers (OIDC) - no long-lived tokens needed.
 - PR previews for Storybook are published via GitHub Pages; verify links in PR comments.
 
 ## Cursor Rules Review
@@ -48,7 +50,7 @@
 - `.cursor/rules/form-component-patterns.mdc`: Remix Hook Form + Zod wrappers, errors, server actions.
 - `.cursor/rules/storybook-testing.mdc`: Storybook play tests, router stub decorator, local/CI flows.
 - `.cursor/rules/monorepo-organization.mdc`: Imports/exports, package boundaries, Turbo/Vite/TS paths.
-- `.cursor/rules/versioning-with-npm.mdc`: npm CLI version bumps (patch-first), CI publishes on merge.
+- `.cursor/rules/versioning-with-npm.mdc`: npm CLI version bumps for quick iterations (patch-first). Primary workflow uses Changesets with automatic CI/CD publishing via npm trusted publishers.
 
 ## Agent OS