From ff695beff93b8ba927de8d952dadd93fa28e8bee Mon Sep 17 00:00:00 2001
From: Theo Ephraim <theo@dmno.dev>
Date: Fri, 22 May 2026 13:45:01 -0700
Subject: [PATCH 1/3] feat: add `npmStaged` publish config for npm staged
 publishing

Adds support for npm's staged publishing feature (`npm stage publish`),
which stages packages on npmjs.com and requires manual 2FA approval
before going live.

- New `npmStaged` boolean in publish config (default: false)
- Validates publishManager is "npm" and npm version >= 11.5.1
- Updated docs and added test coverage
- Updated frog clipboard image
---
 docs/configuration.md                         |   1 +
 images/frog-clipboard.png                     | Bin 11527 -> 11532 bytes
 packages/bumpy/src/core/publish-pipeline.ts   |  22 ++++++++-
 packages/bumpy/src/types.ts                   |   8 +++
 .../bumpy/test/core/publish-pipeline.test.ts  |  46 +++++++++++++++++-
 5 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index 99976f9..9121236 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -68,6 +68,7 @@ The `publish` object controls how packages are packed and published:
 | `publishManager`     | `string`               | `"npm"`  | Which tool runs `publish` (npm supports OIDC/provenance)              |
 | `publishArgs`        | `string[]`             | `[]`     | Extra args passed to publish (e.g., `["--provenance"]`)               |
 | `protocolResolution` | `"pack" \| "in-place"` | `"pack"` | How `workspace:` and `catalog:` protocols are resolved                |
+| `npmStaged`          | `boolean`              | `false`  | Use `npm stage publish` — requires 2FA approval on npmjs.com          |
 
 ### Version PR config
 
diff --git a/images/frog-clipboard.png b/images/frog-clipboard.png
index b77834d919eeb37bfe33a72f7d61f61197357591..df350e084f4a7af4513329d707af5791b346d9fc 100644
GIT binary patch
literal 11532
zcmV+nE%VZeP)<h;3K|Lk000e1NJLTq002+`002-31^@s6juG;$000mGNkl<ZcmeF1
z2b@*a)%O4UoOAD;8H%VBMWn;f>&(!GCV~pa#1a$ri?6Z7-jdj(#x#v4#;z!8Vpr@a
zA{_(<m_{2qLse9In{w|x=X}pT19_tnWr+H|zwh_$IqRHr_g=d_XRWo@UV9w=fBKIQ
z_}>O#sM*wp#Qr~f{ciy<0&UsjM^jncnCgYc;(vNO!6!G9{Nx7Gn{TCh<F845toKbf
zk}N%v)uS6*<f3|dIq=l$_j@_tZ+HLJTQu<%k2GS<=%et{0p$e&YiA`{{pMpNKYJcm
zBMgJRc%Fyj#0U+T#+T6Y2WPY3fkq@3HX^n7I5s@l5T&R+J-@e0!~5R)`f^9%lD{>k
z^!~=Q%J*p5KZ_1S>(DMgM(aT?RRVLvoGMm~9Rpim7q~7#klx=$NZ`ll{NtZfJ}V#;
zY|Zks@XMN0{J_zcM>+QK-P8XRfZ_6ok0Ozgq{9g*(teewLK5a;jEA2J=r}Y+%Ym^7
zfemv~_*=)|m_Q%~;?b~8JSuDbqw^%ORZ)IAnWFQM7z^(I{y@}7qH%nmw{Yo0N8`Bx
zE%WQ(IWC@X3OYVQRrdW-QJ<KXfWQz20j&nOR3&}Z%}&9#S8;bw!fcy>vwJ*f^scE-
zoBShLF?Fwg2hlt_56@)nQw{BVXm8&oX$aqC^Z(X%IQQNorJf<j_jd$Pl2qq0_#K|W
z^%_V5J;Kn(57XG0JC1`V+t+?*TxEvUAMLG?H1QY#9Bh3-lKBiYK9lOu5%3<aYb2oo
zP4i+D{OKr^Y*TuCH`n(DU@R63%bz@w26YTwPgJ*#(ToC|5ZstYz&_043ov>!Dsha7
zKn!KzLWx?N!7=t$1~_I1@ncRGke{k<TKs9!pFK_2VKLTzv|Ba7N^Te=>3ND_(St|W
zywKjh3(`!!i)R0=&9L~s2BgxCBuSE|rPOFjVV6gdAdybSu)j^{sbbBLLR%p40+At5
zKEz|ONR<QP7~>)|QB!)@dX~izu;P_8+HyyB(k@Jij4WIDolwnazmul_yHTr(z7vp2
zg6nGHQIUgFb`{1+gQrQCT@ry26-59TgfT`L7DQ<+*+V?pOh+PCL8y#C=o#^f1q*od
z{0x>&uU4C3^xN^G+AO+1Q!G~2_4t-Ajpkc!@!y*Z*NkpRmd5YJAe|Oqj-8lg6d;SQ
zz*};Oek25pgE1;I0akUfQmEg?7(!I$_#~4_mcRNq7Cha=AEFu&S^l_*DO-6i1Zh15
z@bP`p7%SrH<=eiTZ@a;-YA@}F`z0^L_XAc<lavS)O)&x{q(%jeG125LcoHs*KzEFV
zhe*XOK&=LQ_{Jg1mwIcVj=;8c5Pv+w$3BsS+WLVQ94F4I$B!Z-BNhUDo9R0T&}g*j
zQ0nWa^`=X!BwAT(giC-02ml|e=614{-xzxb``ZFz$ruxXtrn=8Fa!e6n3|`}vt*2s
zYm{K!OgZ2)QY@QM#hQX7Yv%^~fFbhDQOlut50GB}v+KJCFkJFTLrf52jE1hUN=PDk
z+cYOY!ibTmIVJ?Tc@8e2kd440z}Vj+BQ=avA25z2FaXQDVrq&tGn1?qmCs7CdU}$z
zGt)SpOZMOd9S6tB9u%jYp3SvW*;mwn<btC}St@HvBEwb3SmJQgcMTw}z%j;PjESTS
zB`Z-WiNm_tY0%;#EhBKj4}*x$7y)S|%yk4%CFQfLSwA<e_iD;#RLcy6teI6syCH_`
zVHva^l0i%DT3QZ>b9|qG7JX$~CFP+$PRf3~#+MQ_xq`6CO>pcD1jk&3-{=x{Z@P<(
zFE=6<*B~{n!@0hD00n|E1`C?we6c%UAAjBKB*IIJOA^-$1(u{}RyC_<r78cY##Xi&
z>d<0<q0NxE_RKCV`lo4sLWb%&SSj}P1wy@qCQYFIvfJbW0d^s7)5~xgolE-T$64|E
zUs(I<-K>A(&y@Y+Au<}@MWW$vIR2b1a<2|w2){U^!}$c?P{%GBvSt`#1X5ZmYbzL}
zsZpK<b@fb1)C^cQ)whMT8Yr;x<FwX-(Mo}ZAZ_HnxP$`A*DfV~?6rgq<a9T=3b&zv
zYJ3r~rq>W_ay{-b7qR@Ezq5SoQ>=dL30A-TJc;g~(d8H0>2&RO+F!Ga{JVDZ*_O$C
z@a9d?7?9vc9UsQ+I|a~!V~oM75>h2QPG3C+#wR9QX2)yyxoxF>9fu|8ENam|rUf)Z
zbwULdz@Q`>ST?beO$8wv3mlfd{3sj8KTcLlNl~-A@s9lyUX$BN9Crtq$3H;l%eT_)
z%B^Jo;xjtwef9@`V&jI_`1G^4)n>rHeLkU6P3N5MOnvuvGA&XCb#pkErgJ#e4y}%n
z4NA)Ia~xNLbY$*AkV}J>fad*EBwPnS@K`z{&H92$mMadpOp8E9?@y?gyMsEtKO@m?
z3s!=9-%?4N%eRqz`4)QodKWD(+CiwDO|Of4^OtFPbo;L!bh@+~H;(JYOY{43-XC(J
zLC&A@XIkfW!^_GdaO8+axdF!<J&NYd&!yMEK1_P+PK{6YBPy%i&8Z!GExFaYi_5;s
z6fFlC+78X4^*~8i;IQ^1ht|Ik7}swl_nNJ=zkCN>F5614Yqw&h_4MC$<BxCTGpp!l
zyj6Gx-U+?P7}ASd$K}!e@;rK6oX0Ki_hiJW@bpV5&iOx11ZX0|!>;sbak8VetG5a5
z8yI8wbn82My4Ymx@(~S2(5X*%f*@_PYE4e9YaC*QL?RKcdZH1b!d4vyS5r1A%?7QU
z8w#rFdi7R1T)B<eAO4X|o5!;8^S9Y7_4@eJci8;-`^@~{F2>$k#H^AelRsZWD%j4m
zcO?{Yv8oqv&&3V6@9IYKe5x4xdIe8j+ltZ8r?~LvF&51X_}owFBbaEU!Ynce$mkkl
zBA|>pP-X<CA@rQ+8C9s|&8a2-A+uLkSF<mjA}%#u_EBAW{&Huef*r5ij?5u5#{ZU9
zJ-QN))zbuBlG=7PZE_mNG#W{E?;cEe^A_I!{e0Gzc`Vvpg=e5klN5EcpmfJprf=Uu
z+at3W(lNmcAFOA1rvw3pnD}On2gO!v#_AZUr=vbn5g9x_)(1oRDA{*|E#EJu)GmEz
z0NP<xC0*KGwvC?Gey+iXT>V_0Y#z)We<#_wy@<IA<sE%8O`DubED`6E&)&1uWUE}d
z4eU?pocs944YRZbOS8PHlCv+%RGHz~=R#f`lVZ1g$u@&sn)h>PnQtViK0SvAc-mG+
z4e4eC&dTCauz=YwXP+jN<i8mKX^a8wj+`&KSR7*dP65olZX4(PzB`vb)`NN@a@oAn
z#~4EkNm!tTuTjI(qG4KFbZo;@aTTfgbj!O^zZz-Sx35~|K@`QYfz^1z;rYL(xj0t<
z-qwQ$A4wAU9)s$&;e`6_^l>DE#wDmWl5!LEW&I}CIBG}DV)P+h*-C>2%#kNx`(81(
z7^vaVORcWMtM$!YgnyYfh(Arqqg|IQKG|R}i5M0DJ75z!7){hRV~ol~Hs2wwEJw8e
zl7!ib8e^giM@ovqU)C)eH=&Fx`nbyR2^1%rv}*+e>NOQ`Aw5p^Ny}dxep`3?4!Z@R
zMtRY~s0||*YJb=G`YSJ4Br_ws5S7;c_AjHYedUAH2><Y5ANn<^kE=M}>ScSGFsX{<
zzTL#LY9vtJO{8w0ZhK#ItC2SQo{CmND@7)f5FCRID4?`pa+2*klbn85OveEp+1lUQ
zGnMvPnQSq#tEn_IcWeN=Sfm{W|1cp*bQ$sM90r_x2eDY3@{$FjMXW7dOnK>2)|V_M
z5zk=A4{laJ^48T)ZLe<|!0@j3^XPv>LkeeXBC*P6=~~T6K$vQ|7qT-}(p=*Zb6f%~
zGMhhri;qS29U-erp!%$wTcnC1R`$e-ulcPjsG~B6g_}cClCajX7Bn-*5QNoqsb81C
zhc<Q63~kVs!CCDYFepi~%4OJfx%55hW*pDOaXoCSHa_U9johI($wY)4ZgLK{;=$@Q
z+UinRw1piNF~(@;U@|js>txWbMV!jLnxQJLEGfYlqY1?@k_=bmDB2o5WtUbK7iywD
z`KR2$<@faxXaP>jV5Gh>llTg(){7;`>-qxydcIC;uRUo}oYJTpExiu(>H0FgI{uv@
zP1-Q>oEnK9bY&j~oOm1kN8HN5lYYa1;kPpAq~CJJjos9K$l)gEa4R0H-mV=<8XW2J
z*5V|tY}nG`YU<Q+agOu_TFpSU2(rAO5E}saay#Y4i*ZSifAa4*?>BvD*3V_dbZ9#y
zq^Tk;X|-vk7}-&jtR$sL(jwMMpr;9C1_~DZP$e*L@5guvk0Gb0bP|}N-xa;dzcQEp
zSLcv_bsht+?#;OQY5M%4JF>MkgNte&`pr3X)<ffbNdtOvb`?&hi)$Rh3Qg|VQ06R7
z*;<El@9M>%Q|=^@NU*A?lvVRfSXErYn$j8y!W8+Z+|G}0>qh&0hbJGd;<!F&Q3z!6
zLykTwPNVuBtM={X&$IIAeR+2#?^%Vx)d#U!Z<x7vGk4F<A<S^7PQs$e4yT`Q$m{N~
zV4b0OL5kvqRg^3VIB{Tt%l_*K`d`xx$MI?nqQke8j6|W+Wqnw-CL~$m5zCO1R~LN6
z<pLS_z<Rc^kj0xku6Zn%0VmxS^<15-qPnt5Ds?*pPQ0D`lWyn2dwP?5n!_tERB_f>
z2}0RQUwi1|8pH^K8X$dHvcNH%b-stISxnixENag&M(aory`!+cAjLD{R{f@(U2ea{
z<?NF@esW3%XAX;#Gcdr*bh!6tUDbBFrd}=X>be%(Ut+ai>;V04dLPa{D<rGF!@3PV
zJ&yNTwba3jySN!KEdr3!I$+-(cyFfRss|;BBk$m(GwzA#wu!yD@%3KZJ}E~5QN!a8
zIh^_vmy_Bz;mC5IGn%#`xgQV<isLxgNVf3As<e?xPu{x%OVL8)80<69LeY7I5jc({
z*eCj(RZT|$XH1Iqg@(<Q)l{eU();`#7zqNkNKP$yzrgD37x&@?KjZ3$dhpo80iTrk
z4A1j8XM|KY?drTYO}lJ|bSmV$9zJtccnr(&ab3f^vqNtEpf5L%>rL~sd-BpVA+Nt_
zc>Y;b4p&^|(6FJyqK`I^naE;h#k#0}3yOV7Yss}_B{B>{0b_)#NQE{pttgOQvG0VQ
zef=i|d6|T+b%k7vfL}U2O<~n1{OroQ|KvH;m%|3oc5v@wy_h<?jMMU)aZ;}op?t8M
zQ7Md$8XOU7Jry`yrfpWH4ua5D%GV<B^UDK%aizzrFDH5BwSY@5GZ9^;yeqHrh)a5s
zX$XZ@b<a$yx|-<SE;^QM-$UxO<AgdL7+SXj`Fakl+nS;ET603(whR>wuHS|MSuL=9
z{W6-WN{w0{Fmk>=s_VLRIl+sF7;?x1I-lF6R<_Vl%eB6oZn}E4000mGNkl<Z{nD3|
z{y3WCqIsV&ePLXZW<gZ=Jr9|5qu&~?4m<W$q!~TWRX<Jy1O$pO!=;zTxcCx>9$81z
zyWTOli>vV#tM0-I*)0c0(qUA~UipbO0;fIFL!Gk0b5qyw!nBpVFli-YXRPAYY32I8
zntv$Ymc2S<9j{GY&x=#bd3DNq*3WlD0UPFv3PU!P1gx1`t?~GxkVGub-im5Qp5DNA
zcgW-%GUtCYh7T6>X5_8ixcl`qsURsIEFd$}kXb**=!fDw`nM2YlfU@PSXArj`7-_j
z`h>2~eh}8q@YLuUiLhWUNNuI0^0WP*LAtk8%n|r*nl&G#SU)cmI4gN(;!2r`fHA)+
zX7n!$dGz{19>1Z8NA!H`mqk2weTnjmBeK6ARo>_u^!ug~p89n$Ph4LVmD%SL*A?m`
z##l8cWcB<c*XGS8kpagX<73C9+aX=G0?<m{AE)KAWOl%!6)yGVPCPi(<Kd|x`JDrv
zc_Yc#+uCzlZotIiP>W#5;7;j?26jl(T$1TarJo&RFj@qxeF_9Dfk9_NRCbNAa96;J
z8L)Cz$V$cb#@xJ6lP=`R8wG-Zc=VSGxZ>WPa$$0qTXF$Ki!Y+2>=NcL{4WX@UC8{!
z7t}oUUby&T3S^__FS&^MOU~u}qLI8m?=<e6-G@u>@5kt07cu6>Ql7kC(Ha7rn8A$@
ziEbQ9I&{wct*y~{t~J`jyM~-PAmoPw0!HQeIC5YUafh+R%b2t%gUhZ6L9H7Dtrd-K
z(ce)()L`w-MZXC7#bv6a^7Zq4%GKtE`LJeAnrCjB&oeg`MKtEdV(mnFb5B8EW)_{p
z+=b^;P;xHE>Vz&W*JR4RMU3B3%m>?xnYd>$AMRejhdUQW&q;e0GI4h)Q}-?5iSZ>`
zotLvP`6-Knk0YP*_}mn~ozzPoB2UzpyJz%a`wqiXPwk;LNmHl|JA6<G=}H#~67PIu
zcvHIs+k)fBz8Ncp0YiFLv07)jHcbBFhgGbYl2qW-pv4!PZt7R0!|;$bvr|0zs}i2R
zsU%V{t7f+R^832-fTZN^>A4)=PyJ~{{itd+Q+6*EAS)xA73%A(o$t%hc6j_zhtZFP
zJo%U$@5kZk#|=+E>F~_xkjMY(Yo#@;(8=Gb8G)qRR~La63fWjiX~X@lk>|Kfcn6j|
zyBLjIpIvN+a2+y$&i;kNZt6o1#=f_Qx9`ek+#kF0$~0HLo6F6=NpO0;`VOFljwN55
z5HjU&-ROF>L)m15qwv0w#YE`|N!REb7jea3a=G;0Jnos(o4?NO%b(`t&|D{Tl?uy;
z@las-teI;fTV*A+Tz=cy0>j!lV6=3elxH}(mtjPA!%02i<eo0Wdpew`-@~-?IH_L@
zn_O}G#=#huRkP6tb}26)YIlVse@#J}(x(ftf?)X%m7GImw0xI8kV~^;LSB1o4+Z}?
zk*O7{n7nfl$z&i$G)4Jrecdo5d#KBLovtC<R#3PUqdCl3W@Hls0t^q&8yu<4J#%se
z796jG@<1Y8tsRF6AqZWT3#3&a`B<<V)q<L#nzULlb~GVD5Ju`)BSor5h&8Ex7+`lU
zX$?n?f@&L#fb*m!wq}j597N->b?2{wCvKjPqcH@525p%Rk!nWu4a|<D@7ia3V5K4}
zBgEC>F=6sN9H~H=R<U#{VADK1NX=fWXIc{rT_=*BrP~rL+2XR{vw(GT)Sbq+H(jaN
zNmW#CySA#m>LaVthSjsshX}PoI#PM@i^1`YCYJ)o&~`wAY)NRSuEM~@{skDo_Gd^7
z1e<Ti)Lz;U>f?48;L@gFfPJ>_XK2?K+V}U#9uTM=EPk>Wqu1JkXDd7Q_I2b4yx+dl
zOXCYDEKXA;`<LDa%VluaOi%Iphdy09xD>DVa0MDdW9?i7fZ^Dtb@|78DINOwoPTl}
zyP(*A*$6dSBR9wQeXO*s{K$<|$4Y};pnOdReS`o5j;o_k=rAx&`+V`q5nMW>igp7$
z+T}yr{)Tn~4Q&PzJ=^C8wAb$rgF_t2UMD%qwoUu~m%mjh&uE+pZ2v1|8WwJFuu0#;
z*k^62ruH}0(#+@1bBNc~Ff{2<+k`hIDbI~d(m7keX+?B2Sy!I@t6DHF9M)FS6>@T3
zK;tGc0hxg@hKVIEj^j`+7o}W-x9Yi8_Q=&4?##s@T?QxUG(`Qxq0>N@P6El7EnKA!
zvSN-TP=MgMbR3i*lq6fg)f~&FRYx<hdG;lce22zi#jJq94P@(l9{wxbd}9W#?5a;S
zE46@4ElE=RSh1~g*yMauO|3}0_a3-1F6Ey)R0zQA&IzeXAW%Y-P4|{Cuv5s`St)M+
zZ6>p;?JmG4rTywjeKcGhtdE~#sHzB=T<S($x|*PUv4C0$8PYT4{`-?W{5Kyp%yK!<
z%jP7p<&#Qa(p;C70%YaPDgu+1jjQP&EohyGB}k<aZ<?$GJowj;Wm6pSBv?8VLdVGE
z3bX>JsnS?B7a2-6yR3VqjGh<v=08c_2%v3zQORD4MeqNq6W3jp#oFB-=bezr&wo^h
zRSMg`IKgLUWs)ECHQfDsxaSW6XKEn{1B8WPq*Th<EaUiuX@O_~k)!QM-KA5wo`YjT
zMk#nYBFDi3I(b1&-B2UE{%S`-h?KB07>V4f89rV-Eom|&E5qm`CM31_bzAbleTLg_
zNRW{g5K7WeB-=4AZx?&m|6W~J6f!~fdeP&hbiX2pw9z0@(i*3GtuGDlo9kq1;fTvi
ze|hc-)~-)ts?(&k&3fVeBzOEVlW7mPWoDU?1UQ^I#OFt{KSnJ_ghR(ZDPFs?HKz@5
zIHgaBl`3NdhG<HW&y>=TN!p*fC{OjmAYizFbX0EhR?l~Fgyf_Jp)}awW|(M~vP?k6
z6R>oWb#-9mZ7UhlEy==JDW1J$A^*6gl;>|P!rJW9<krku5$D<QNdhg;=l`KQmAg{H
z*XP*NdU4OJe3U{_tuE&qxWk46JLA-m&5396#w(RnRXg~SwgyM2FUJt*J5SxUfzLL9
zQEPU>@5;e;tZpla8HnRg_qd#S#~OvOd;){~w6p*sO2c}&kn-_VdD6Uq86}38<6^Xk
zSV^=@Nd;p=CuBs9$Ml6Ee%is)=HC^l<uVPKS)Rt^^1B<4z;zRhxuJyF3&t^T=>!Uv
ze!$ar%xBUZpT)&{xNuY^0|cg4Tu$txc3i`by@tx&X&u83Kq(X*@}((%9j_sjYPss9
zdl#3TJ441io#JOBGou3{qX_s~`D*JlI76U`8{VD?XK3s8>`Qx8*OfZL4Y$b#Nxe_)
z>+#-f6A|La2u-y=G}q;X9%%9gM;~R{B9|Ep9bSGvjgZ6<nDI=HKp&)U2T5Vf03pWF
z@B_Vt;Cen~1=ZTs%x7-d2P%gly-#P`^3PEhtbM11VBRvqq`}(Ej)OCB<Zlkob?9(x
ziu?auP2Eg4s#lwvM(}m)`r3*nr}ieP*p()`eVmRxJPKADGSr!$426N=l}Va~oZ!GX
z)TtZr#IK8J)8z;a+?Sgn8>NA^5vVQYcb$@(<U|D<-khnr>N=2d3<XR|2D5LMGy}R?
z{xmkPX|p&ly^`d40r|qaQa6hyF6pGpQ@<)=j3O*g-&CacLdM*z=S{_t)T!C%nqK@C
zM|Wt<dvE@O@ozpC<&C+ugqsEwaLa(XJbGOz_g_@P&>;yLG=RJQnvCWXF&^UW3jqFG
z9Z7@hgj#V!RxYhz)y6c|SSRYIsHh0|$q0|<##JMe#W|;DFuuU2{N++wpWQ<$YB(+j
zd^y3!7(zL{M*7=YzFdgI>GI#E6o)lkY80UX$CCu8PaE0k-%U}R?r9pg$)eG5nFN&q
zV<)9}<J}5L**q>C(TiUU@5!~pI`GR89l3s3N3|N#ugl5*MyH;2K9*3res~A2JD~%Y
zoY;%Aa*kIHwC(0`;g1viY`B%?XiWBIDJuWEn}&XnVl9i8-`j_?hG%fvi5Z;x(|W|}
z1(YpHQB~pc!ni72>Be~@V^|=k6ghZ7pf8BPgIUWI-q!&)N>XGV9qkhc9M5=k80tuY
zwX$}X4-$X@j4`56K&NP{)3|m6U0e(&^h`0VYZX5`J%*_gbG=N>k|@=oGI}1kU3X$f
zzKIU-9(X!#j9yut7}Tyg<0e+oU_hs+=r_;FGyi8#QPx-9oUh7tq<nvw+J~kJQ&q^g
zb|0pRdMVBs9@jBtisZgD?b>>LxG+vqdsA1&97$LCoAOUIX}Nzqcu5QGGSURvIsEN!
zhHI{L7@XCNzyvr}DrMJZ6$f~Z0|F2I4plLGKpdNlF*M5yG0I1>WmoRAe-z`q;Tnr&
z_z!3wnXK8ojqQ@^K#uxL^A^i~$G{b0^%EM7p-$@*KmN6%6UzF!t~B~D78~ufZ+$73
zBkI>-$2P;vh2VK{TII#rt!3Yhxfsu3#nNi7yt0~XspR-V@i@qCq3B8;Z_jl3sA?lc
z<`Xu^JyDYcGWs(rH}LR-aV&^dwaZ?ePfFn=yV_cSvIk{EgR#Fg4s2fA0Wl^h9RJRI
z!^8rY$9`3SRo^d5UsSP{x2a_tx%9r?G-)01+RQcbS7ZGAhjDEG&p)tNnj%oYp-oNu
ziyXG{R_!>JF51V-F9r;fVK+J&+`AKE0x!E`g3q@a+{_qzWCxci8lB-7O_nGL4<s;@
z&-AI3zZm!qBm1U#^e-Wg-w#(_lfr`O$+z@84<qAe{l513A%Ttu%BF>C$H7RVEj@Hk
zH80%Qn$7PN^6C2v)U;9ge|A;u*%dVq$mGNvS6@D^z;I)#9iLs>ZU3<BjWYJFi}C23
z5tg?m)4qL)oG<+j8|Qb`%D0=>-wQc!Sd1Q{5^UL);_pwUAsHhtJ7mkdr5q7=x&M!b
z=}QcuaR?Okuu@a9D#oe#KJQ6d9{dAR2ah&=U9Px3<dSPca@;1$bOjIsOi*eSZrwM|
z(upo^;Bo1w_Hr-4e#obviL-h9Von+Q4mZD^OQ@Cpk`X=mPo;13-ZYaJug9i%B4l%E
zB^TcNF)7(tlQ!HrF+b{`z_6mE(y|?toG+I+M;XpJ>nKL`O;M>0<~}t#?D!U3bDfck
z;$!!-#(odkt796)QAA518Pc8`b=n{+NxS|o*WF+^ZBUxleYJSV_J@+RK^e{E>&5td
zxr47Qos|IB(-4f@ouRODc9NMo9Jk<E3M#Zv$;kie#ZJ8TLIr`^u;YDj%1SK#ZQ=?Z
zn7Ewv+pBGMt*O<iJ$e3}Bx9!=P91DNs^NlDn$WP0#-!H9&8nbEPPSeTdev~+Vu$e9
z(|T~*9Y-^9Q598{hTU2~vUHxiuxb-2C)6&)f*M9Zc}FF1C3z0=;$<6CRTfon<1lYR
zob}qCwe1%dP!53>jXvJ-BsI^sKKhu4E}F;Fx7q~<#@tZEQD2Pl000cBNkl<Z?Stjy
z>YO&6a(VIrsMzb%+^tLbYx3D%=|Mex)HSaxRlkO3rY)x1Pjb2F?(RHZ(1-Kx%;Alq
z@<Rr3%buj2ZA9BYO|fTtijjF~{E8H9a^sYycc`Bbt4&68nl^WD#Cx!t^Une+CHq23
zChg+7D`G5I9pGxG@r2G5TqnV%Vi&uZOk3nde%`uQ3P~$e6sAM4b<;k^MF2YVIw?hE
zMUpjzKAW_EjXMq>mVd&nFMZ7GvmEZ6(1#n|>cbzV<a4>A+!x*3l{-!>;_tT?Q~pLF
zzaLr3c>|_%&YgMGZ5Z<Wvko~I_2%{uMdN$&<4ck_vhO7YGApi+gZbw)zUk$F`q~;t
zwy8_gj&-TmAVIT!UUaNkl}fU+QeRpP#j_F^?Ys4Q(98MP5~CeKvf4<3l5E`W(%`5J
zM)k?yzI*ntZ?{0vqVU5(0r7f?=qrVLQuvAuwrg93T`{eil7iXqhV0yxpjD15`)Alw
zS&7%6ik=-)Tzo|(gN|y&kYk#Xo7tGt@|s2GDZiW9gCF17n>Ihpq0Je+=<xGA>K~bA
z<6^krN|&Er?2xHg-pV;XPbuv6)UQi<=9WTUyt9PUb6RmIY17WCf3meYGgt2+KfNfW
z0BnMX9!RodS4i2^eLV4({Zg0ZN@zUs9sK%N0L|v<i+FEpildsw2-0ajT2RfdZB?A0
z!x_hTWYux;WmpaAsKt~-&dG>Vw{9jzDozlxbZJr{t`O_GJo$uAPS^t1bxHdkKkC+!
zK3;R?Rj=jx(Vvi3AAuw{&uu~X^fB1z^tqR4QOa-`q%EDVk5N_WQ?Vmp>C9?gebM8U
z-<Puf{iWiCE@$U(@n3Tpw`c>0k`k`N)UuBwR=+C6!0amOXF;!^HRJB+sUyua2?Z&_
zz=;GzlVbTx^3lL>ko2zrMl4?3<)t@L7}<oBK3L(hYKqpSh-a!;Dm!OYl2|H5<6+(S
zcwCX}TAJd;zP5V-%}3?1`n{4!8fDUOwW_`_cO8Bz&i3U2;}&e<-I7hre6Nb%Us|87
znU!4o<Q67vS%+~wE*a4ZCjmz!Jgl#1WEwmzPV0(Oq}5>Wc2!*X=U!ZNZ%@v>vpeTp
z;9^}MjqDpQYx|xrSVQ*tIaoMMBE~V@Lju|7pWL&I8GBaBEEqhUZ6Dp(V2r`vz7M<5
z@iplS06LDuwT>v6L{avr^2W~%b&kl;iGG?;Kx|y0Dn?%@?(J_@?_nsn#Ko6HH9Iwj
zHRFp}Q0CL}Sf8m=e4cwIAdzrE5*o@)SSUL>ZQd5jR&Qm5R{L$sUEVDCgm;QJ^4U_z
z?UG{NLQfM41%9Xlpak6pWzt$kzJ31~p?a>P5Z01{Bv0R1$`86VSI)sN3!b%omSfr9
z=hEVbz4*Z(pHrK4#`k^v>X3*2SV5>&-pNXl(V%8-%c7kX#@0I+35_on?HE^zQGCw2
z5u4VB<o1Y>8CKK05xnrmZbr%`e!MZjs%67r-P!bBQB4D(ALZE}%}(hh=`3N@YOQ#g
zaR&8*MJr;G*3cH?W*K2=NbQI*c3hfR%pnn1S>Q)J1=?4;%5x-rUM!?~yTjw7)7&<6
z9yj!#&$IR*{-$DH{LKP_AZn5p@(OC+4t_UAA5q0Ny40$7499V>CS;Vhtf8cSR8ES?
z>U+UcO9ZCS1j9F^F8~+>3UG_I&02~p5%=oEC|wb<r%Dss=a8LUhjFtj$(Bv5mKxi(
z8xQHiC*w;%A|E&|8j_^fr^WCdtbcDIaT8;<&LH;e3Yat-;^O&%Lj3Q}40-j#6ekS?
z1pWu}VtN6iuvV3Duh^Luzk^L%HYOP+b!+>h?wXh%ftHYeXcvz&b6Q%KgVL5gYD}e5
z%huE7{5-uuOtHn3#{0@g%ZSJ0I10_3uEVU-r4Cg(ZA>eG8!;Zj%{d5<`FzU4$j>v{
zaIae!ux4eY!U8_sdKp%)b8)m{D?){W!!$Xu2OFifCQJzokNWi>h#Oj*-j`Lc&u8r$
z^W{^f@DvE0RBD(~6r*m;WkjAA^)Xqebl3eTlj*YrwodLmD}6HLp1_`_eehJBJy**H
z4jY)@>PH6f^FQS1Aio9}D|wa<GLI;`MtvO?KR=gt=MUgi#s8L1PjhrvSTh5n_0Oc)
ztZkf!!F62@H923yXg(WXN>EXa8;{|*E^EuvELq`V>`E;4vUQDQE>tT`PU<NTOG#^2
zVO(g~NVZBY&ao$Vp~b1WtQ}XvhIdLSf2D|(FU-N!-(2~Kvlr@3U_bWOUX0Wgfn5GZ
z39H|p&+?ZGSSf#V<=9f5`%Nj+7D4sCq@IqZ>F`a-N?)}fFlEVl+Wt5fyMszsC-H@t
zD<i)}g3(&r&cM+}T^#4gqq11@b}`m2s_oDiTSISObAA0N{IuCIXF1!ZF9i8S_An=q
zgPhz`6@|5SOj^XYsf!|`Ze&mFi&eqhJ7a9y63D)U#2l9}NNWOp$UZNJc4zb?`>Z}J
ze{~+q#|q5Xidg+xX|(HD{%RpBUM%FQhjVFrMs76hGjm#VM(<V;t$MDQrxbZ!KemuF
zzCm?uWec7SS-Fz-mFmytd8vR2bCXO~l*pHB_W9BbKA0^-s$G{aa4k>EGrD8x`bYZP
zpEAyNX8$Cc_fPtI0Qa*Ub#gbhPgo#Y#I7le**UF@?K2m1w4|=_$lh$3xPVVTD3&f5
z*+UujFbyWaxVCwRq4{wt_DO|h@r^N93GMjPzF5lsiNKO{v_88R?SGm}_K*AW{<Jh+
zMgp6xdRnsYXY_6n0eO0_miFh@E*zWoJIz@h_yWyVX!E1q1j1ohFNYER43kPik~*ul
zJ*AUAD_<(&xDlPPHgVmX3we81ATyN11;6Xd{RJbq{^5a`FG;1Hp>6wX$@M&rKCv5(
z<)Sn?Me#G)yoOq7(O`^RlVe8q<hW5iLGO0;-uS*$ABRwjgEE;h*C+0JlFAf;Kn!r@
z2!|p=D05)zc*H@rpr0bpY4I$3X%;qAe_&u1#4po<vM)amfM=!e-O}~67}bMTXXY`i
zKMd31R!qKLOlCt)1n<xC2_&Jh1Qr~O=kUXR8Ql0pe;rTEWBpqtOfF5aVDdInS~x?)
z7t+@O7>YAI?)09V|AP#L_7fzx>_qeBT!q(1Y44b-tcre*>X+cuff+P9p_{4*hcJxX
zn@u0c?!8}x5ip_l%rSvzA_|37Al?8Ap1$e<yThzf4_ExY7AY}c?O1IoA<4INL_)?`
zjr8y8F=~LLgD_~_&!Jh5kQO?Pa~w~*teAlDv3B-|er-sZ1TRiV^6923g|+%~*}XYz
zdaIb{ZZGCB9hMP%5kg1pf7KQK@}a@}b=C>|{L*@C-&)Q1rEzx7Tdf^Iie^3IQG~=(
zP&K7R=IuGv(bpR}s1C=D>V~5~z<#TU){dLc`VR_OH@=7!ugzyu+2?Fpu?^30@Io)*
zHg;T+yqFu}NXI+<q(AphT*iy@*4LU|m|KpeceL|4_xF96Ja-q5{BkbMy2r8czw&vG
zRM#UrKSmv$BBJC7%-z~GZTVmUTgNY8$^xH#S~QP1+QXKK#aK5_&o5kG380mToeC+f
zEU94Uno6GiO$i(SAtz2%f2KpEJ&IQB-CM!735(b{ql|4Il=9}xN)n0%4$IA;(TVNE
ziIrgcv=jlUm*}}~;TkGS%2}#acG=iDtY5W-_2r+jK|7PRE4Hw1&8Mtg^(mRXT9fF}
z{E$f#ltlY9J+TWvy{!)y{vnr{3(|Z(Z6!awxjTERQ`%F*q{1Z2W>?FEK)n8c4^#Cc
zknD5w_%iOlqKNx0nUDR=L6Y-T`BE$M%&oH+ea&1Rxw24$vf>d*6b-U7h-bxU(IxXh
z)d-Z&W%u4wq-5fp3YBLaC_C6Qs-wc_X~Fz9NbSj7gv5`o%WOrGpS*cCA8R{y&11dk
zIx>S*Q>uC9#sz%*RvGo`x>PA({J^E9`n~YqK(e46AlvT2=qmx-&m2uo@Aj!j&9!w&
zHEX6-vvplilkqS2Pu^a@=M$H(@!e9J`-OTo<7>$Bek-I=nf0#~vS~tD)ZGPt%%yd1
z7Dv>r7yUkPYmpPjb8VOW8+ZqJ4(0iE0De_{^TdrsjJc(lN3JTe<uxO)Z$uJme;**e
zqx6l<9*`VsyXw@9QTkyuci+5;SO2U?#s1o5GpboFHQxX8uphMr&~|hHAp5kx|5wvv
z*UjVkJ4)C*d37|-1K_@N*8={2v$i%-?&04K2f)Mc?R&0y0IYv~9vH$`<sB%i&GY|h
y0BZxp;qv}p00030|Hm|0pa1{>21!IgR09A$a){06Z1ju(0000<MNUMnLSTaZiq@L|

literal 11527
zcmV+iE%?%jP)<h;3K|Lk000e1NJLTq002+`002-31^@s6juG;$000mGNkl<ZcmeF1
z2b>kv-S@v|X70VaOA(c#h;&$b-K8!~1Qm>lB_`?{A7hEVC9y}1X&Oz8T~XB73w9Kd
z4gw2oqb;4KDk{Bgx%bY@`#ZDX6O9N<)aUuUpZDziXXc)Me)DhVf7apur~e3n|7`$<
zT1`zz)&FO&|1AJUpe=p;Xex>tQnlb%{LgMD`1EFypWZ-v)2&o(_${eV^uF;%k|js7
zYE(muT+~i4`=5IKVK3*09q!*oix$58kp`?DbrgO&pe#RN&CDdL-g=DW=P%%DhGDP=
z&+~Ac7@+~v@DiH;=xpXc(17HE2Ba1p$NDGhqZIY0=MQ#idOz4$Umqx3{Evo|+~1HE
zc^=LCWzlX(E!yP8XgScOQedv1UCHt>qhZS%0@o!7();=d3H%rxfBH+xW(I_Utw~-M
zerZ#R9yr?8QI36l|MWivV7Tnzqex^VX?H@3v|lMI7l*kR<Kd?Q+7F4*d_XKhVEybA
z{+7`=CJ=~$>S)>~9+kEH$$8?~$|ygbOwn<0jQRKfa3E?X(L8?0Te#$*qw(B;=6SX7
z92ZYG1??Z9GW&jss87sGKwt=ifEN8-Dw95IXQg24Yq+~6Vz!RQ*)<L{d)L&ZRo;;-
zpRz~4gJ>Nchh?(nsrvRkw72h*G==Z8`+w^@oOADy63>w1`#AzANvh*${B}>^diBJC
z9%1O?hiUA}9mm0w?rS?Ft}?@_kM~q_n(7z<9Bg?}ocRniJd>)>5%3<aYs8@ejeEt&
z|I1M**{<~Xey$%3z*sC6mOXhS^=cV9pQvFSqZI`>A-FM*fW4SS7hv>eRN@#Dff!1`
zg<`c<gJSHd2yo1H;>VmWAU{*vwCblxfBrO`hsId*@h-Il%ei5Yr28p`g%2KK^Fn+3
zK1eJ1KDzz4KEtB>>XAx2;v{jNOsUb5!cLDOMk1YzVSk&@Q^V>hg|<N81tLSBe2B+l
zkthemF~&t`qOSC??Q9iCz^bme(Uv>Xlh!aLGO}#p_d?aP{a(8M?@p~K`c6P939hS!
zM@0@!=~Wmf4W1TVdPxLER1^VV5XKl~SP&((WDoYFGaa#5IiWHFp=VTARj`0J&C6iv
zv?}!(M!y{|YR$s?GgZa%x*p&0rP+MPJ^p)l;p$QK$<qA27^Kqz%&`lz6$QwmEASRy
zq8|wX<6w-+On?<#EEnpxF@_M8IX=l`l4Y+wjs;IQ)eljNh;041i78uoE(B>k1@Q5`
z(-_O*8s)pbobS5BZ|X1Yhx<4$#P<VMP8F936fH3VCZt*fjWN;UEqG!sj6ipcg@;JQ
zEkG>>dHBX5%9nV{P)A_fHmH6)!^b`mhuZdmDmYG@m5(1qMn)_I_%74;4xrI&)1k!I
zPwP#WtR%9m)yyTp0tA4M6?3~-Ti+Oa2m9LsW62m3fvp~>oiGFf&zS0`&9h{Tk!zG-
z?F>2K(^D*+UdihGBx~jb`hX$w%~8*x>h34K{%6<s4PdzVk@}b*#28Ioa}|?B{I+p+
zfS3^@R&z`Ua`PNqLLnQ0Lx8crMMh#6i9TQ)abN(p?(!)qR?kSXN>ny8#j0sZ*33xb
zcrMw460{!_CwpL=HhMPIPGxUlJ(BZ}B4w$xF^LRU17nH9P2V?wxB|x*gE1!JGL$Sw
zrNj<vXQe^LMN&rKf*%G^J!1r<<uKO~KoykDs$$)owBD;In_eX~5VCq^C2a;9vWI5S
zc5nvGwQFhKKhE*J1Df@bZWWh@`Zy{3@fu!A(C7-nMmNE+HxL|i6@G(D*tPL4HoVe+
zSX`6TybkC3{s9yS#uzMUj`P*we0}`2vyuoe8J8rk7YZzK(ab7V%}i7FakZ{&HN>G=
ze?zOmaqXF1n)OT5_Jj<zbFf_O>kEW>2~C<n`(?M$1p@3s+{TyTG&q;^Cy%rIjlZ$x
zwYypO=3gm&?jbT7-bJGR?>PRP&2p~}p9#OZqQm(F2WexChO`;R7=e_Q$l3-5Notg5
zL0vUN95o%5PVsFaEd~gzyf`goFj^?E5TuRV7ne{#`P!w#kG+<#o}BJRSK-zdPz^64
z*7zD?jjqQ%<|3B8`%jjQd5TqUKf$VZULeu+b2|NM8y&9QM%!z4l6TiGKHofv58t{e
znge3|XyC)ReXjsoaEvinQ9`0*=jm(2!1%<Z%j|sZKDV{Rul>*j9YxLh#biJ;)FxC=
z0Srpgfu$2F*q9%(A>U!iE03~a+~Z_57Z)|T8}Hb^;5E9P#Bq0!dHe%(ynG8?uG~WQ
zuRf=P-e-OI7dEVaozFghM|}qD-Rl!NRdmeh%9Qv1Ak`vK&@hK{X*q|}?9kd6>7b<i
zKF4u2Nk{4~1i3WG1T^iJBH=ptfya{RY1ZXeuuO5lr7{8;JwK&R?sjVR{G3FW%~%fV
zc}oSYF5gP_<(ujD+nqGOXgi^HHa#xx$={~-qRW4Eqr;_LxN&R`UY^&7^Zt|*O>*Ak
zztS?d3tm<hfg?vW$_+T?=#eySdM-T%^k(AQcWQppA5mG&Zcfdr*RZyFcX8QUk)ruP
zL+c?~v>YJr3LMsa?9lR80^|BE<X*FdwwG_G(`8%eaqSi?x1RooF8uk;JZ2XDg0~CK
zz&oJ_8H0Op>)2j&y}TFQF7CxGA9QE<sqpm6DbD#nP6TKo!^2v7WSs15t@SpceFI|*
zpKW<pPZyi4UOuAUa60tvN)V)NR*lK2af?H2kVquLl}|JvRM@KBpejlyrdcn`xjw&&
z&R1`t-IZIJ_0gZ%xM>U<zIcaC60c7_dzVdLe87wk?_$iYh0H8YGU<!eq=Iccdsjjc
z7b|)J_gq|$`>t*v&!>_xZ<O=owJjL+LW&E28Drs$fG_-%K7xs6D$F8vfRwH=CIZTs
z{bfdA8bZ&Bo>7Au-kciNKji9FRaNXwr-(~TmwsHE?!Vp<iD3IHw;^@N^l`tZMYqnx
zV|BDZm!!5`jT@cDF%3qL-Lo6x-@1hl{y2{{r5+1+RpJ@w)F?&mEGXH&g=yP1)B4CP
z2DeY};)m-P)*(TFA*OmW#(`q1)pK=>#M99jsfY|7pXh_3e3b0F!Itl1Q)-sJHvsK4
zDw8g4F561?YroLsL#}?lmvkP?8h0nzxjl%v3gsPrGL0LZN-PoQ)6d_x&7`Ybx(w(?
z$?W@h?uMD#f~8qjS;5(tWva~Z?DHY7jZU#kzGSOGE=~J7G|w~QRG;p{0z7T2qmFbl
z0%t{030T1Fm$Oe3iu2!!fHcN{c1O<FTr3VTeXjuKUbmHV{@9gEAL~Y);kj&D;bV-U
znK&$v;cHO;v}l@E7ad#wR9r=BKHL1B#IKqg_U^4xc@RZ$Y+yB>aCqULX)ewcfVXwy
z!AFt=zQ@2itvI1>8+{z{pm7PRjJVuHV_Cn+HIDjGw-|j$SGv+*0dwRD*s+(-DFUkN
z=%q&2;k7#W5aHjZ4&*PBd(oy-7N4#+m_!T<fSs@j9gG%gyD>&(BAf4!R+b~$cZtL7
zLX9y|h9e<G;V<hJjU8Xg6}?^M_ymfRP29Ph{&gA)xR7oq`=sSB4!f-@eTLqGP@}AH
zLDYwl3$<@(eEpRbFO-^*UWiI-e*2f%*1YinT7-Z4s5gBZ)x}kuZ`IO0jGtIZa_=tU
zS=AgU?<Nwr&$fP`wN-PQeNRP}&~lN9I0VOF0}3e3pOj?VjwGj_71MEmN4EC2_DrR1
zRwkQ`^lB>2jP2{e8jG~UpdTm1i7vx`n?wJT?;sY7Q&v1*w2(C=izq8u!n)!`B;pwi
z{?W}EN8Y-|sp<7y0~p@*K`;6pQJ;e88%eD6S+YiJ5)h_J?uGP><uung#2lAEMrPAz
zZ}W-Bz9VFH2~?jIa|+ck#PXi1;%j|t^J}ThVZo-5lsK$qtQk$rF$7^1o$A&m@S#<$
zG(+mOW>8jJ`VUN!taKTAT`ql2x*5lFaa<4EtBnu(>LYi^O;Qmdhnt+kZFrz|4Ys%x
z6mDjFd5qE8Ihf20+*%p5X%?qqk5;ILD~gLT#%Mt?j5xy;If}MMPwAx<MFm=@Pu?ka
zaQS^b1X_TTG8l=k)Fi$Ft94=tdUbx0zTMxTrPr1;DNbq7h2~y6dUt+>9_|0h;6|+&
zaZWWy54^HB{ZG7&e#38Nz)8QO|FBybc+&4V<Hj!PKjd(ebGQu;)NbeYB=wGTd3#Y3
zS2}D-Q5Cgnxj0Aq0<C(YGJ-72FTe%>zTQt+(IQ+D<emHn&ih?&n)G#9J`GwA4r#1N
zOIm$eE=GD3CCf=^k~E985a?+_se%0YKUN9M-SY`v!ej91DV+qS=zB#^@~+IK-_<$f
zUEPZTSNCM>yfnRk)fMU5>d8ed5B=sGdeuX#`LZVT<g7}ZOc&QUgymY?v7yvioYFN8
z=ib$Wfv4O_B9UNaVF@ee6|=IanAIiK6oe`APPv_*-qwY-c@9rLT*-00kx>Yw@<Wb3
zDo%sC9xM0m;jc4$(ev`IOxnE?gR2i>rQR@O&nE7kl|z`}P?dy*lN?Sz-_Wb8!~C^|
zqWLL`7F1HaIN-zq2`>AuBj|Tc7aYf{F^CS|Q8HqM4wv<2>FSVVxkoHRPF`*B6_*R7
z-~;Q~#zGct^tk4+T>77MTQqW2vXZKbN{Q6%^gr=-@=m&)3-9Sk?r9FMzF5gwXC(-w
zD}C*ukE<6W2&#efrO5)vaMt-Au2wO5&(f$r#~9g>AbLk(eL;$6R9o#EcXYY^7MHV6
z^7z>)8JsyZPR@V;FVo@PUvyUA>FRbhxNGPd)c#sk`^EOtAEx!@?6X3$>N>1l@6+vg
zpOs4-yts>-5t9*soR$H5cf<QL3|BoUP8@LuC!KLmM7K@o$&GLH;P#0*3WypWf5_p~
zpShgWwh>2``JB<X70G>oSWq0t!A7!$Csw45M0(Pm<yeXgkz=sWK!&2@a3gRWaj;MH
zJFANJ0?wEe>k15;DypbT?V;!S-7sPVYLJ{7)cs0TXCJ#4&Hn{gKh%xK9uD}l*k@QT
zk8_4gbknZRd(*VZc1Wi}&g<qgd%4HZ93R&;yf-W4)(`t|^Vps=J-a(EKNIrCTZR{&
zMdfhCRSxy*J1qQoJ(-CtW|Xgu#<!r@m$Xc-CCiav7z!98TtzChd1*y~^oo5a^z7@G
z6!gj@bge7oVg&q>X=w^7Kjjx!*8Z~2p}rh8fOdd;AM3%CS*4to*MyULqzL7M<%~>W
zbkyL8Q17Y0;WBNrGIbDywo<-~z%MTk_|=sjuf3Aw)z<?qxy(d#newi@$|ElBNv0tb
zT2<XMsqAc`cWZPk*|7)LYQqV&+A*YdJM#1#P`f2V>a^s9+N~KP8dSFx{j-{3>-EiO
ztR~fBy<f@s`lzn!(&+>*B4WrP59oMqryA)(M?Kg0a`tgw8p<Mq000mGNkl<ZQu5<y
zkqhU3&a?$_ahe5D;rCuhr5pX$bamLVw>-_Lxvs`>A|N18gc&ZqG{(i3ICRT8nx1uz
z!Ch2^w@7UlluK_pIN}bYR`$wEv=TUNksRuj4W6H}nir?8;Khk67&Cn(uT3q}?^Qgf
zd|UR~<h8s$WgRa~DdV-t>sU9>5e2NDCn^ZpSRAl=PL<~4i$W5yID5*g7;$<%JKQ0Y
zbI3LSyJGlYeosc++J(E{NRtYZ^1%W!GYy$_V~lzz&ZGYb@wNDi&x}Q_o}MS=FQ8B8
z3~dKu^$bsqs^$m_=KRzaiYq?f2O6Y%O2iz2@1|M(af)?wLxHn`XC|zWng|&En<7U2
zx`0QoFW~VT3VB4&$9`SNW7iiezbGR6`%&eMx<S8hD(0!*7V*UOg;AM(K5<=vK4OfO
zvqM(ROLA?mStK&xm}7kGoOC;+t407?&inJ!To%s?Sh(D!uH1<Sr+7R(B_yw7z%y?q
z8FO1(PRk9LP!!4th79VEj%Yx;G)={szC`-j(FP+UVD(cVU<nL56QZJXj0HObmQRNj
zGecG=wm16b1zL0gPu?gH1jM7ip3fEcc9#p2!<^y^C|q<A#if@pZ^3_2u<%0WExMrk
zsrQ0K7n3g?J#X<v%v*de9~6$@gSn@1@2uWjdVgO={kD+NH<s|^^@`RI;KU4Wgh+Jb
zP|~5-+}GP`o#$GmJ*;!csr^HK+&^GsFCRw^Y$EP3rf4Y>7iMtT6(Oj1W1yv?(arif
z3Wyr4-nr;kA-}pzZB)K)u1}fzTt5$1&rb8qP4jr>#=?k3-&mxbNKfv`@57A3bC|Q>
zeDaIW<yf82rRADT-n)=-+l%;cTM-j>FXE$J^Z97Ug6KJM_W~yDDq+gr#XK>tSk`$N
z3zDC)F!&_$DUZ)h@%xEA^dWkQ`f&I3-fY`$c<QO$)Ff#MHK`6C7C^efMU2F|9~<7%
zF2VNTIMQ#%a$&&W?v<?4S*{I}zw}Wh%O@ulI5o)lV$)513w0PCvU*mECx27S(>E1I
zB4)+RmS28fXC4rj+&wLq<NInnS=5g!S220l5&^Oz(pjOt&YF3?9BqfkA9Wb@Sjdx)
z$?<+1o_^f$^pg(Hj0$=D@4hUpVYyEJR!$GZ-M)qhWGJL#6{QXLxkjGjGX7my{Olq$
zZ+&)EJA~_y0d)2m4!fxjJs9);Zr-^oo3VfH%&Svf`ED*Z|1QDlc^W%_W;&L9X?)1!
ze{`Yq(GI1P435J4Mj8{PC&XQ&Zd}L}f6L|4dwX%u?4JC6P9Od<JBOw^nX6D(K8%L~
z%V+f*6X`0;sb%up*5n)3%myRVc~URK$vq6iyBbdF4kvea8P?t5MExGBoySRiW7y=X
zwr?DaaalPFePEZee4>7ri}P3Krzv^50Luur{-Kg{s1<F!%OA+4$uS|XzrCCM=T2lw
z`AR13SV%G%$PrCZHcMYO49OnivQDRKNVnw|EWv0EvzHp_#DD<9!*d5kVsp>zT!970
z>!3UkOIK;fVL}K(mt_KJ<;Ol2EJv-Nda5R^9*mt$NDzdPI979!+7V(^svic}ol9EN
zk)xp21|#4+Nr`P)?JEb-d~Dl!E8&To=iz7$L7++7N{2|*vpPs+N8ESqv)!;<k(CkR
z%6N>QG#5uAP%0~yP6ce7YbUAI%X+4@u+ViP?pd-m!Q#y>>pu@zJ6pqPetXgtik(zO
z<#uQ*+ABY{B5hbT6McwK7SfT(tG+5YzR}`R;22u>PmnDR4K-94xY)k{1K9BlX@Ow#
z?VQ?58bW>CcKuyi^$oDkwtWq4`as)$KH2>PwSz@Z7Gd;SQ}AqK$KJk;9D(=ycYA1l
z0R=^ADy9F@dtsRr?&@hN-uTF;b32!!bsnxjLujm-g8(ob+qgE*y`R#dkI(rhr?Cdb
z{>w(F*&4YyzVBnXWyQyCBs!KGtby{i81xYW3^=ZiLZRJ&IBoM(PmbV{>6NtU@6jd?
zTK6-w8DMBNfauvaFQBb{w;L4Vi1#|kQMP^B_rLw4Qh7%6Okl@fA=R*8y@O5q9>zXv
zO4Y3o)=Dd%GuI(rThq{@Lv0h@5~n;rHc7{90Vj*-XtAz5``2VJE*#og+!b<iuYiV)
zVgfP)V+<3DT^z@uOfE{9CU3=ajr5VLGu#=ALOKmf&|$E~i9?40E*%7tFI~7&A7uG#
zai9Rfb7?;?K`2hPfU7%}POXYoVDs!tApQ=G!}6H{fg4EI`8@o0xcSBmT<KMxDptsV
zO({-N^jMK?a@gb?tfedx@4pYOluOwc4&?$cyJJG45(tzKWz)4e4CoLtW@d`pf1k;$
zD!U8tNol`&Qg2OH2kYZz8!F2~CY89+kggVJUo4=OLk4#bx&Qto5C6kQ9kWah^wQZ$
zZ281um^jB}g#cMGqmsa+rQ@o{M+U9q&;+S8s+%S&0T2E?Wa(r_brLL@0ik2$as{%$
zX(~0BO@)TyO)hI+Ev5T~J^4@4K>@U#FD%|ek?4cJbl|$HvRJdr<Gd3x`Q=Y)u~K3C
zm&W_-s7UgoK8Cyh2>1Lc;7l2kFhE!sMo6Tr&N7Zqm==f@5INe8#9cCl>p3_kWTb+p
z!*d)gpp)iTw+%JJ>#uecgh&Z1gAvQEobKbr)8ZyWvLcK=VnSS-SGze6+-JD`h6EW|
z0iiezMY0{^@=lS5{qNPag(2gmuNOXELf0#DNE=NOCD}OLYkX;X2XB)p!x5L4{>q%?
ztXY@DRHaF4oAu%cN$&V_CQ~17&5Tkb4sbYgu+LAVe~fyL2#5B)Q@nm>OHS+Wa7ynG
z%T>k*4AJC5pUEX56SY5eQJ&g`LBKEp>8RZ1t(xcJ2+4`_LrJi~%`nj}WvPISCt%4$
z>*~OW+g32ROOgdMQ#^ai0-n32gcoit#OmzR<krkw9_QI{NdlSY^Z(S9ik&Ip>vQaB
zJ-BCP9!jC8MwfGt+F|_x9dT+&=ftyk^VJF}s~miBTfHMRmSYI?ou}+v&*vM#s5iUd
z_vBzZR<;$y3{>MU_qd#S$7+SJd;){~w6p*sN<(|Nkn-`=c;eiE>BWYa<6>k)EGODZ
zNd;p=CuDez$Fv0@e%is)=HC^lWl{~9S)S(P@`oFbz;zRhzM+^|^T#rG$$0XYe8|&x
z%wytgpG8Hxxo~7A{RO5hE+_U@Kdxc>9z(^hw2oo>Q`4j+e_InnDA95?NY_p-J9dPO
zemcc3Mr1|@L`D(tHS*QgYI24^3pczo1J2Oa?b(-itF0?>gd1*?4w87E+Q;MlStcS>
zA0sr?|Bzgl6S|?r8ytO<sS91EFK~F}gET@CM_|S?Jpz4@KJCPXF$07cN7E1V7J}>f
zl;&4yS2K?}r5~ys2KPLjt;@bZL$K!EVuHC#36ln^Gusc!z>&W>EZ3pku_^BVYZbLK
zUE40Sw?ie(;M=O|Yb%<Z+LNSwXPWG`aoTtD$X{j1&|rQt6b6P@Cu$XPf&=4Ft9HN>
zzb&Lyrz13RUv7qUlqT9rpf;D^bxLlM6BTTDYlhlt=s?Ob6fh|%%s!pc^zUrzr?GjB
zo5Xqf)g&(n$QR#}xLG`LNhe*N`b{CD6=8Y$rb4|JF#2XaZz_toPTfY=w4%2;x?Mxw
zf9pBMz4d&QH~Q9MZt9=UE&b>4=yfIBe^D_*1}CUj5AOPVGFnem@eprc0r212h#Ood
zl*J8Mv80@p8`4;1ov53lygcA%!#$oKTZL2>=bW0sxO|_oS4wDkb~lNr;kX>|<pdjJ
z2<7w|$!|;fav=_<%YU0(6jl$ZS%d~0PaL2zZDglk7e#TprfJwJiw4JK5>y0?nV90u
z_sYd(bGdYQ4}LYQJJ$|v$FGOC=lY@T)oV!KPAC5xoqE>!SVHOgVePo?gmzqVVh_&B
zIbJ!?x{Jq!KTYt9VV0YtIoX?~sQlY*n)(5XWfm{Lw>M`E%iy#VGdTC>b%@moC|#JM
zvfSmxv6Z-zjq^stus}{Obnt>eUl4%@GnXp7uLEwBB*;8E$|n#wp7Cfm#E}5YvUZgZ
z5`Y1WF``gFr)aIyxHbb^Tns04PcgJ}CBHa5hN)ELI+<D}QL05n^xS{D?!@*SjP}>v
z|8(3KJ+eA5uuW6OPN<|_{|-^n@1B=u{^dwf);HdqZ_0Hfe1DtLo5l)Ll}ovH9jb+T
zDb5)d*D+;^<lZ!GT6=u7AWl+yQ&-9yaaY+}@=vsAxqm!(Ni*#-(gfN${No>nYp!${
zl+}d51UQx}rPpQ_1$d4F0uTKT)iAq%9Gi?WH0c#$l#h7JTJE!d663sKnv1RQAJASh
zS-oj1+r-s@9QBvyE|UI^fh)x7CNv#Gt(GZ%`ddXOl=W>xY4%?&Hri?5`f@Hu)UCz#
zt%ey3!1Lm?=oM#|%)T3QF`mQnB~@H`Wfj>H$#Dg$;~>3-qAR_4XNJqil^ZBDpR!)=
ziMk|^(w|<jo`)ZdV?nf{UHaNQQVJ(oYij|@9+(kL#{Skkuz9Wf#~810{JZlE6Y^ai
z`%OMpe80|pQNtSErj%~r())VSsAa(GGgixAjq%GL$FbwT@W38Pia<R`pIY`;YuLtH
zwBuN^a4)aC6fjVV-RNj=&kl$QyzKS~zSv@LGh^(Q9$czubcSQJSfV665W`S5!>2<2
zV&FTB=#%ErzlA)0KU{fD3Jazu-_r9ujFg}C``YG(1Ueolof@hi2P2NQ^w2$3ym(_v
zHoaTGXCKU0*GA?4*;T%KXVgI;l@oJZefhWo!wso&e0FZL<HOQ7OWC_N#-p=`+q%`6
z_U&ureC>DGFt4*L-!9&GKjgfjF}jURuz72We?FOpWQ<<fA)DVT;fT1){eL!0TWko8
zL!hXK<(lG^F;30%d0*V};Gd8<c(m%{a>ex_ms}f?<2F*JD}WGSf>KtvWuG`pCb+nP
z$E73N%Dn*lA)kIG&ZcpTIAzGY-26r^p)CC+!@KjJa^I#sX(laNhfVQB$flACF1+^>
zQqr*|ZMbtnUNk;|VR><dt#&|izFy)SWjN=oqZrvIMTIt)d)4XC<C}5Kbw)0VkKNB2
z`#q$uj%g4_5iNmaNPBKHXuYf?ZTh)fcZ1=yfoWRyk@1l355;K%Gn&fRi}A%W2VYw{
z%K@&ZDHypsLtw?MBr|k4Zo#t@l*>>_$^Yi14!r(iIf44H^L=pg3M~C&!g3y%u#9!v
zs%&<Rsl}<?dEwn8W2PBS9b`YM;et~dQNNbvq~6BPET>XVwq6f-RoAq|4&kw<b>p@>
zj%LEbN-8T1yJSGJbe_AQaw91x)Gow=8b&~QM<sB@c@Fa8r5jU~7FBTLFn4^Mb=sb_
z?i&|S4uOnDZ|``LTIbszf5Jl-&E@G^t-*oOHxzRFAUU}@@uDdT000c6Nkl<Zr%k6^
zo_qkx_xLn*Yg6{Re70A+QAZzj^{Y!XuHl)fi|F#RTrRr1E05>*=Da&|c(btVkU`wM
zJ84%N(YDW0?B14QM6Wb{d5TuKaZ1wLHBN|?CZjb?owFyZd!U>1Wr5|Ay&=UDcXHho
zG3KudaJAETLgxyulVD?!i!~-w7kZJOxAxTn(h3!Y=@4w&w2yHSfDS!QN>NdsWOaeh
zM(tnYj>AV~pK|NVpYX;^hdamj=7zU>^QXyqT&^hhMfY~*juQ*{=j}z5y;;B?N0e}0
z|7o0aXD@2k4|(BPhn$Oga{EW3aozdpB}p9V_u_o171zhXe7TH+z3dlX+v3PpwQ1bG
zHg)PHXwuh<jx{S&Np@7|ORJ-JRsy4aw_Xo;IsaN>v?EAX8F5gO4clDm9hJez-Wl9?
z&u;ea5-2hXKOPtmuak(rQn)*Xuh?Ll)|FU`X~mQj%z7_m$Ib*Ta$M;@!|sX-yn2;%
zZ=d4gD=HXxR0{?l)0o`MhMd-`Npzm_hZ)`Y>76}k_2V2`oza7KzwAZbBhzeH1Q%TC
z^7D%wG8M~PG27=Ug}t8oZ3)lZQou`h7IS(|3l1f1+)?>uwH9aQ>OJJ=7o`+{P4LhI
zNw)6{DV?&HC;qmN>#|%iji-7CzWx<JvuWBw-k*}<sKzmZbefOnSFv+zB`4@`#xWjQ
zwOo8DRzo`KF(sCBGUC*(or#f%6ND^Tl2nK*#JVm|KH-xSHp6vY(!R$}x-_S^*Oa+c
zYq);Yr=&GTAkOXOHlu6$7;JR<+)HGXGF%2~OXurjR95(uZx2{9ql(vF@_6-+C9L~k
ziRwb9vvauk@41X!xSm5v3D;pt=_gTDzcR&u>`LlpL64v%WAEs$Bh54k1u4S7i5NtS
zV%f{`(ZFzk^sfL$RlK;%%WtMI(g`Vju!5yk6s}DX&s4EQcJ|67u~dqNL%Z<F*h1;G
zG)0SiZTAA2j?7`z`^6DAN~Ph-s=hd9Eq*G_wq*fh=Wpb_;*HFBzmh**T9+-E6<qt|
zW+rZ4i*Y?J8QuaX0Y@Y}tgmRK8ax@NwM8k?>ab^<N-q3s4=%d5JLlfnm2)m|u`ZBi
zcF@b}z8CUWlYM>;77mk$aZJ~cK>GP-_bg@l?iErC22W?(M>jMWWAL}_#Tq)kC4B`z
z#}T{M5+#!;${sb|@P(n)5g9tsPZJ7=4a?QU=nKWYeckFk4CR)%_~NK0r{=JFToLn2
zeVQNZGi9>R^Unk%5-x~CL%9hHq(`UD-Aw7KEew~n-@44@t^7}Uw`c>OFM-@nDdsNl
zw4hMnhdKaC&}CpIEv4k!_KOi}<XQ@0EzVE!^o=F_s7q7j9Qd-}S>0!AEdA#kn*F#3
zKN{$BYLkxmzK>rO^3b2l31#J-tP~mbs@JwO+F4<2y91HX_-fJiu_YMA=d2sCaa~Am
zw-}jW6-^t!i*N2?gmmI38v?9Y)*srHjqev$cM$qfp8e6}lpf;FVpgt_#mkH{um>z$
z9uv2Qwiq|d2unk1dyFw-)5Ky9iMYxFKdO_jeYLARN8IPdLaMeoJU%MTZA0dAL%(@E
zYY*aYD&nQz%_j(=E@>vOp!)5=cVqMsRcxb6Eqcaq90#jHMrz9%it9(_q?n|!=RdVr
zU<yqz93*`Oz#ve7TeNlN5?rykS1U%z@{rw?TG(EP?Ce^MomD}$bYhjn*!JCUa3?+;
zR}5nLz;V%(#JxVvhIM1z`wNJh7_)Q+v3qC0#90tmogXR0|K5y{*FH*d(f~l<e>gX$
z7cdHIRSNg=9ck5fuxay#Bts=`t$)&03-cq;67mnN@i;T5xvg?Q+PqtxsdP%|Iy#--
zOK%WUY%!(zzWVV};_*0+LUX6<Fso#VL#0j|(+c256%XO&9H5T*V)BB>&okO^uU!zZ
zdPRl80zO@O7*?%yab&R-p+do78lBjU4H8=urUZsZ-8vA&4b4vP!^$`2vF6Qr@+nhz
z3WQE9F-$IuQ9I@`yq6b^F-fO%*Zm}uX)^`3PVPL*eNyC}z@Dmo@D!arS4jsB9gyJa
zNBZ;2Kjr8kzZw|Jd6o{ajwriYd>t0OFo!nh_vci_|CUWlb984|Jsl$ZXVPraHqOJ~
zx-N&BoNuXUJ|9;?P+o-_kKwp3Ys%6rUhZP7C6;*EwnjV`s+UG5br*;wq_wLsF4S)z
zT_qRi*poZa?9^P=j4fvUyCsypTF8nQXXEN`j(o&f3-l(iAA5TbM&gP<E_<_>RqxDW
z*(>?1kiWTNObO5bu7s%zp=xhZPe;piI9RgWSLFvxUc8RhKh4GNpwd-Id?Dsa$!`{8
zwA8jUaP(0Z#X0h*ELOi$gw>1cJ2b|&(A&3M-#!aJZMM%|#@1;IKt7Q@%n9TmCwEsy
zVXf^G7qWHA!bqtb=@a{6MR3=S7+W_7(k~$~$0ZEXT0n2I&&#3B8QsY~t2fJDo6E8>
z0`v7kR=r*l?K+mdR>1O?3b^XwTw0%z8%_JnoR*x?vqeNJpD*GmMV{A<Dd3EQh^}pH
z!LuPNSKPir<Jmkf6)=8Il1YjZ`Et#^Sdzhqv!qD1>+%Jzt<(IBu2{PMk$(24l(Svg
zmt^z4q;CgsU$vu7?!vb5^F<5UIe8H~rk1j8#v+au*EJl`lg$(6^Vx?*k_97uD8(M8
z!2}rBcJDAGFHZShiLf-jF$T+_?SI|}OW8jYSmKVBXZN7(&vVKCX&*kAn#RjWV3QS3
zOZNSYp3Nd4Pw&y({`^+Mv2mZ%oaKQp&}@TNKj}#z9ESFA7~a<~u{b2DvuZn1I_b0G
z<wA}d-Vv)4*S@uYcV-4sLpfaVhd$h&Kb-3y9)S58SK1ZYzQ2`R&*SJ5yU<WBN`q4r
zKa<X@FH4IiW8|6~Gom}kjqDD3x7K^Z2NHc8LKz2TGJTFu-1WqjDFT5Q;K~sWMTSu7
zz_#&-gLFY(MWEBFv-IVe*iilciCGZ8PW#Kg{@f3q<-Yey*3oQaH(H$8i=q8ss1CPc
z^7Ud;8*(D}V5UzX4vi(S;9xw5ANS4R#wYsecw#Q=-Y#ZRNs9TCwvv+J3=LmN-v(f)
zn&EM$cjx>cWhk_tAh~%5S}*4+ygpKU$5cgS^m}CA1g8$jpuq`U)I>OhVdUOy{7`!D
zgF=je3AJaA2}Bc7D69h24Y1(ptM1o3%q;P6Ro|D9QU$CYt0^VK`Ie4INExe>ew{r=
z_IGp;1}*zKH0c)7Os8><<7t-_6EHqj&mPgY6)BV8rSVBV+gPcvRzEJgH;0XH7xDb<
zMLed%GJ>x{=&1j1y24*SG>E^?Jb_<cT8C|0su;H<&W^dOv?EB-q<cJyka!BJretK^
znOzlqy%7UzaqP%0IQj$Zw~A=Z*m<n`uz<DW3R(X8JT{ho!N%oV@f-&)^rG6v&P$vZ
zb3+`-c!!_$<NgUtd1>yt8q<q&%CPjVc0T9+u{V?E?BtPO&!I`zI5z%QHrJ8pdSvIt
zsHIaxlpKM%OS`7cAI@jXxcN+;@3U7%^N6E8Y?-PU>*neCmFpV;v>dTRA*B_?<?L8p
z!Lz?BX2WxG;?(pPIz-y7XvLmA<!l|lkR8)Y+4^A#Z_TJ6p;+M1+zc9=*hV$69BiMK
zA|Uk=J@+nHO+|4TOJrr2j+xE6m77^t_BrddGg-5IGiz6W#+sF%k=dgqiEd2~nY2K0
zv`^y`JMr_|dUN5Qa+xtd%@<Qw@bjCyvb!p!JvB@$NV0TRl~f4C>;CsN)jk5rJ~xdk
z<^C%Qx$lyB*xwu=Ip35ou`<uxI+Ib?%;AwM3p6Rq9uY@TFFS*HR*YtyGWR!)K>0#?
z?|nr|Cd@8ZdDi~213jZQDvX{M%<qEKpVUQ2{OH=uQY87wn`iNfwqw^k)|1X7GFUme
zif3+|&nIt}Qm3{{r2@teTw0>v3;qox3)+6N{T_(E5x{+wqs8gnKJ}=+wk)n<_0%f1
ztPQF&{^kDZJM;Ns!eTbOS7LL&(#~dl3)#Bg329bl-RlKx9A6p@cfp@?X_=eF5w+{^
z%H0d?7*T$+oH(9a{nG*!Wgf=u+W`Eg?#vT67Bc#lA|AP_(3V%vz`hZ2sQta4_@2^1
zyS0E=vbw8Q?HDB=RdM&t8?7$;QeI1^SFuWBe9+DgQlX{*+V1uPWS{o;|7v>dy1Be?
zM=_fwt%~MpfwlDVUGw?p&Dz>Txrcu{8~_i0v>&*o1?uaxe+vJazd!GAp8rn+csPL6
tw9Wqo00960Hz0(I00006Nkl<Z0|1skiOmk`>a+j=002ovPDHLkV1jxdy7K@4

diff --git a/packages/bumpy/src/core/publish-pipeline.ts b/packages/bumpy/src/core/publish-pipeline.ts
index 7281059..116279b 100644
--- a/packages/bumpy/src/core/publish-pipeline.ts
+++ b/packages/bumpy/src/core/publish-pipeline.ts
@@ -132,6 +132,24 @@ export async function publishPackages(
   // Set up npm authentication before publishing
   setupNpmAuth(rootDir, publishConfig.publishManager);
 
+  // Validate staged publishing config
+  if (publishConfig.npmStaged) {
+    if (publishConfig.publishManager !== 'npm') {
+      log.warn('Staged publishing is only supported with publishManager "npm" — ignoring staged option');
+    } else {
+      const npmVersion = tryRunArgs(['npm', '--version']);
+      if (npmVersion) {
+        const [major, minor, patch] = npmVersion.split('.').map(Number);
+        const meetsMinVersion = major! > 11 || (major === 11 && (minor! > 5 || (minor === 5 && patch! >= 1)));
+        if (!meetsMinVersion) {
+          log.warn(`Staged publishing requires npm >= 11.5.1 (found ${npmVersion})`);
+        } else {
+          log.dim(`Staged publishing enabled — packages will require 2FA approval on npmjs.com`);
+        }
+      }
+    }
+  }
+
   // Resolve "auto" pack manager to detected PM
   const packManager = publishConfig.packManager === 'auto' ? detectedPm : publishConfig.packManager;
 
@@ -302,7 +320,9 @@ function buildPublishArgs(
   const args: string[] = [];
 
   // Base command
-  if (publishManager === 'yarn') {
+  if (config.publish.npmStaged && publishManager === 'npm') {
+    args.push('npm', 'stage', 'publish');
+  } else if (publishManager === 'yarn') {
     args.push('yarn', 'npm', 'publish');
   } else {
     args.push(publishManager, 'publish');
diff --git a/packages/bumpy/src/types.ts b/packages/bumpy/src/types.ts
index 5181ab6..3a82b99 100644
--- a/packages/bumpy/src/types.ts
+++ b/packages/bumpy/src/types.ts
@@ -79,6 +79,13 @@ export interface PublishConfig {
    * Default: "pack"
    */
   protocolResolution: 'pack' | 'in-place' | 'none';
+  /**
+   * Use npm staged publishing (`npm stage publish`).
+   * Stages the publish on npmjs.com, requiring manual 2FA approval before going live.
+   * Only works with publishManager "npm" and requires npm >= 11.5.1.
+   * Default: false
+   */
+  npmStaged: boolean;
 }
 
 export interface BumpyConfig {
@@ -157,6 +164,7 @@ export const DEFAULT_PUBLISH_CONFIG: PublishConfig = {
   packManager: 'auto',
   publishManager: 'npm',
   publishArgs: [],
+  npmStaged: false,
   protocolResolution: 'pack',
 };
 
diff --git a/packages/bumpy/test/core/publish-pipeline.test.ts b/packages/bumpy/test/core/publish-pipeline.test.ts
index bae70ba..32ba4b4 100644
--- a/packages/bumpy/test/core/publish-pipeline.test.ts
+++ b/packages/bumpy/test/core/publish-pipeline.test.ts
@@ -4,7 +4,7 @@ import { mkdtemp, rm } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
 import { writeJson, readJson, ensureDir, writeText } from '../../src/utils/fs.ts';
 import { makePkg, gitInDir } from '../helpers.ts';
-import { installShellMock, uninstallShellMock } from '../helpers-shell-mock.ts';
+import { installShellMock, uninstallShellMock, addMockRule, getCallsMatching } from '../helpers-shell-mock.ts';
 import { DependencyGraph } from '../../src/core/dep-graph.ts';
 import { publishPackages } from '../../src/core/publish-pipeline.ts';
 import type { WorkspacePackage, ReleasePlan, BumpyConfig } from '../../src/types.ts';
@@ -15,6 +15,11 @@ const IN_PLACE_CONFIG: BumpyConfig = {
   publish: { ...DEFAULT_PUBLISH_CONFIG, protocolResolution: 'in-place' },
 };
 
+const STAGED_CONFIG: BumpyConfig = {
+  ...DEFAULT_CONFIG,
+  publish: { ...DEFAULT_PUBLISH_CONFIG, npmStaged: true, protocolResolution: 'in-place' },
+};
+
 describe('publishPackages', () => {
   let tmpDir: string;
 
@@ -266,4 +271,43 @@ describe('publishPackages', () => {
     expect(deps.react).toBe('^19.0.0');
     expect(deps.jest).toBe('^30.0.0');
   });
+
+  test('staged publishing uses npm stage publish', async () => {
+    const pkgDir = resolve(tmpDir, 'packages/staged-pkg');
+    await ensureDir(pkgDir);
+    await writeJson(resolve(pkgDir, 'package.json'), { name: 'staged-pkg', version: '1.0.0' });
+    await setupGitRepo();
+
+    // Mock npm --version (for staged validation) and the publish command
+    addMockRule({ match: 'npm --version', response: '11.5.1' });
+    addMockRule({ match: 'npm stage publish', response: '' });
+
+    const packages = new Map<string, WorkspacePackage>();
+    packages.set('staged-pkg', makePkg('staged-pkg', '1.0.0', { dir: pkgDir }));
+
+    const depGraph = new DependencyGraph(packages);
+    const plan: ReleasePlan = {
+      bumpFiles: [],
+      warnings: [],
+      releases: [
+        {
+          name: 'staged-pkg',
+          type: 'patch',
+          oldVersion: '1.0.0',
+          newVersion: '1.0.1',
+          bumpFiles: [],
+          isDependencyBump: false,
+          isCascadeBump: false,
+          isGroupBump: false,
+          bumpSources: [],
+        },
+      ],
+    };
+
+    const result = await publishPackages(plan, packages, depGraph, STAGED_CONFIG, tmpDir, {});
+
+    expect(result.published).toHaveLength(1);
+    const publishCalls = getCallsMatching('npm stage publish');
+    expect(publishCalls.length).toBeGreaterThanOrEqual(1);
+  });
 });

From 9159334468519d6ca0b65fd7889e8173eb7242bb Mon Sep 17 00:00:00 2001
From: Theo Ephraim <theo@dmno.dev>
Date: Fri, 22 May 2026 13:45:31 -0700
Subject: [PATCH 2/3] chore: add bump file for npm staged publishing

---
 .bumpy/npm-staged-publishing.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .bumpy/npm-staged-publishing.md

diff --git a/.bumpy/npm-staged-publishing.md b/.bumpy/npm-staged-publishing.md
new file mode 100644
index 0000000..10c2e5e
--- /dev/null
+++ b/.bumpy/npm-staged-publishing.md
@@ -0,0 +1,5 @@
+---
+'@varlock/bumpy': minor
+---
+
+Add `npmStaged` publish config option for npm staged publishing (`npm stage publish`), which stages packages on npmjs.com requiring manual 2FA approval before going live.

From 88c2eca16970b61bcab23a0e6c0cde610061627c Mon Sep 17 00:00:00 2001
From: Theo Ephraim <theo@dmno.dev>
Date: Fri, 22 May 2026 20:07:55 -0700
Subject: [PATCH 3/3] docs: add npmStaged examples to README, config docs, and
 GH Actions docs

---
 README.md              |  2 +-
 docs/configuration.md  | 21 +++++++++++++++++++++
 docs/github-actions.md |  2 ++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fff2bee..d0146f7 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ Fixed locale fallback logic in utils.
 
 - **All package managers** - npm, pnpm, yarn, and bun workspaces
 - **Smart dependency propagation** - configurable rules for how version bumps cascade through your dependency graph (see [version propagation docs](https://github.com/dmno-dev/bumpy/blob/main/docs/version-propagation.md))
-- **Pack-then-publish** - by default, publishes to npm (resolving `workspace:` and `catalog:` protocols, with OIDC/provenance support). Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
+- **Pack-then-publish** - by default, publishes to npm (resolving `workspace:` and `catalog:` protocols, with OIDC/provenance support). Supports [npm staged publishing](https://docs.npmjs.com/about-staged-publishes) for 2FA-gated releases. Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
 - **Flexible package management** - include/exclude any package individually via per-package config, glob patterns, or `privatePackages` setting
 - **Non-interactive CLI** - `bumpy add` works fully non-interactively for CI/CD and AI-assisted development
 - **Aggregated GitHub releases** - optionally create a single consolidated release instead of one per package
diff --git a/docs/configuration.md b/docs/configuration.md
index 9121236..f5b49b8 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -70,6 +70,24 @@ The `publish` object controls how packages are packed and published:
 | `protocolResolution` | `"pack" \| "in-place"` | `"pack"` | How `workspace:` and `catalog:` protocols are resolved                |
 | `npmStaged`          | `boolean`              | `false`  | Use `npm stage publish` — requires 2FA approval on npmjs.com          |
 
+#### Staged publishing
+
+When `npmStaged` is enabled, bumpy uses `npm stage publish` instead of `npm publish`. This stages packages on npmjs.com, where they must be manually approved with 2FA before going live. This adds an extra security gate to your release process — even if CI credentials are compromised, packages can't be published without maintainer approval.
+
+Requirements:
+
+- `publishManager` must be `"npm"` (the default)
+- npm >= 11.5.1
+- [npm trusted publishing (OIDC)](https://docs.npmjs.com/trusted-publishers/) configured for your repo
+
+```json
+{
+  "publish": {
+    "npmStaged": true
+  }
+}
+```
+
 ### Version PR config
 
 The `versionPr` object customizes the PR that `bumpy ci release` creates:
@@ -211,6 +229,9 @@ See the [Changelog Formatters](./changelog-formatters.md) docs for full details
   "dependencyBumpRules": {
     "peerDependencies": { "trigger": "minor", "bumpAs": "match" }
   },
+  "publish": {
+    "npmStaged": true
+  },
   "aggregateRelease": true,
   "packages": {
     "@myorg/vscode-extension": {
diff --git a/docs/github-actions.md b/docs/github-actions.md
index cd23231..b1543dd 100644
--- a/docs/github-actions.md
+++ b/docs/github-actions.md
@@ -72,6 +72,8 @@ jobs:
 
 **Trusted publishing setup:** Configure each package on [npmjs.com](https://docs.npmjs.com/trusted-publishers/) → Package Settings → Trusted Publishers → GitHub Actions. Specify your org/user, repo, and the workflow filename (`bumpy-release.yml`).
 
+> **Staged publishing:** For an extra layer of security, enable `npmStaged` in your [publish config](./configuration.md#staged-publishing). This uses `npm stage publish` to stage packages on npmjs.com, requiring manual 2FA approval before they go live — even if your CI credentials are compromised, nothing gets published without maintainer approval.
+
 ### Token-based auth (NPM_TOKEN)
 
 If you can't use trusted publishing, use an npm access token instead: