Provenance Record

Well-structured, appropriately technical News piece at 896 words. Clear three-step workflow explanation, logical section flow, and good use of direct CLI command examples. The historical context section adds meaningful depth without padding.

All 5 sources verified from local snapshots. source-0.html.gz (GitHub Changelog, status 200): confirms staged publishing GA, npm CLI 11.15.0 requirement, the three new --allow-* flags, and the recommended OIDC + stage-only configuration. source-1.html.gz (npm staged-publishing docs, status 200): confirms the exact quote 'Staged publishing adds an approval step before packages go live on the npm registry,' the three-step workflow, and the prerequisite that packages must already exist on the registry. source-2.html.gz (The Register, status 200): confirms the avail-themselves quote and OIDC first-publish limitation. source-3.html.gz (Socket.dev blog, status 200): confirms Leo Balter quote verbatim, classic token timeline (November disabled, December 9 revoked), 2-hour to 12-hour session token extension, Adam Jones / domdomegg context, and Nicholas C. Zakas proposals. source-4.html.gz (npm trusted-publishers docs, status 200): confirms OIDC trusted publishing details and CI provider support.

Two minor misattributions identified. First: the article states 'According to [The Register]..., staged publishing applies to all publish types, including CI/CD workflows and OIDC trusted publishing.' The Register does not phrase it this way; that specific claim (word-for-word) is from the GitHub Changelog (source-0), which reads 'reinforces proof of presence on every publish, including those that originate from non-interactive CI/CD workflows and those using trusted publishing with OIDC.' The substance is correct but the source citation is wrong. Second: the article calls Adam Jones a 'security researcher' — source-3 describes him only as 'Adam Jones, commenting under the GitHub handle domdomegg' with no professional title given. The 'security researcher' credential is not sourced. Both are minor subordinate-body misattributions; neither affects the headline, summary, or lead.

Substantively solid, well-reported article. Two minor misattributions in the body — one source misattribution (GitHub Changelog claim cited to The Register) and one unsourced credential (Adam Jones called 'security researcher'). Both are correctable. Article publishes with a corrections record. APPROVE_WITH_CORRECTIONS.