fix(scripts): switch-network.sh — add NO_PROXY + GITEA_NPM_TOKEN management

- Add NO_PROXY/no_proxy/NPM_CONFIG_NOPROXY=localhost,127.0.0.1 when
  NETWORK=corp so local services (Gitea npm registry, Cosmos emulator,
  Azurite) bypass the corporate proxy. Previously NO_PROXY was only set
  in .zshrc line 5, making the script not self-contained.
- Add GITEA_NPM_TOKEN auto-load from ~/.gitea_npm_token file
  (regardless of NETWORK). Reads are public, but publish needs the
  token. This ensures local pnpm install resolves @bytelyst/* auth.
- Unset NO_PROXY/no_proxy/NPM_CONFIG_NOPROXY when NETWORK=home.

scripts/switch-network.sh

@@ -17,6 +17,8 @@
 #   - NPM_CONFIG_REGISTRY       → AT&T JFrog npm proxy
 #   - NPM_CONFIG_PROXY          → corporate proxy
 #   - NPM_CONFIG_STRICT_SSL     → false (proxy TLS interception)
+#   - NO_PROXY / no_proxy        → localhost,127.0.0.1 (Gitea, Cosmos, Azurite)
+#   - NPM_CONFIG_NOPROXY         → localhost,127.0.0.1
 #   - NODE_TLS_REJECT_UNAUTHORIZED → 0 (Node.js trusts proxy certs)
 #   - PIP_TRUSTED_HOST           → pypi.org, files.pythonhosted.org
 #   - GRADLE_OPTS                → JVM truststore with corporate CA cert
@@ -59,6 +61,10 @@ if [ "${NETWORK:-home}" = "corp" ]; then
   export NPM_CONFIG_STRICT_SSL="false"
   export PIP_TRUSTED_HOST="pypi.org files.pythonhosted.org"
   export NODE_TLS_REJECT_UNAUTHORIZED="0"
+  # Bypass proxy for local services (Gitea npm registry, Cosmos emulator, Azurite, etc.)
+  export NO_PROXY="localhost,127.0.0.1"
+  export no_proxy="localhost,127.0.0.1"
+  export NPM_CONFIG_NOPROXY="localhost,127.0.0.1"
   # Gradle: trust corporate proxy CA cert (TLS interception by cso.proxy.att.com)
   if [ -f "$_GRADLE_TRUSTSTORE" ]; then
     export GRADLE_OPTS="-Djavax.net.ssl.trustStore=$_GRADLE_TRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit -Djdk.http.auth.tunneling.disabledSchemes= -Djdk.http.auth.proxying.disabledSchemes= -Djava.net.useSystemProxies=true"
@@ -68,6 +74,7 @@ else
   unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY 2>/dev/null
   unset NPM_CONFIG_REGISTRY NPM_CONFIG_PROXY NPM_CONFIG_HTTPS_PROXY 2>/dev/null
   unset NPM_CONFIG_STRICT_SSL NODE_TLS_REJECT_UNAUTHORIZED 2>/dev/null
+  unset NO_PROXY no_proxy NPM_CONFIG_NOPROXY 2>/dev/null
   unset PIP_TRUSTED_HOST GRADLE_OPTS 2>/dev/null
 fi
 
@@ -83,3 +90,16 @@ if [[ $- == *i* ]]; then
 fi
 
 unset _CORP_PROXY _CORP_NPM_REGISTRY
+
+# ── Gitea NPM token (always, regardless of NETWORK) ──────────────
+# Local Gitea registry at localhost:3300 — token for publish access.
+# Reads: public without auth. Writes: need GITEA_NPM_TOKEN.
+# Store token in ~/.gitea_npm_token (one line, no newline).
+# Create: curl -s -u admin:PASSWORD http://localhost:3300/api/v1/users/admin/tokens \
+#           -H 'Content-Type: application/json' -d '{"name":"npm"}' | jq -r '.sha1 // .token'
+_GITEA_TOKEN_FILE="$HOME/.gitea_npm_token"
+if [ -z "${GITEA_NPM_TOKEN:-}" ] && [ -f "$_GITEA_TOKEN_FILE" ]; then
+  export GITEA_NPM_TOKEN
+  GITEA_NPM_TOKEN="$(cat "$_GITEA_TOKEN_FILE")"
+fi
+unset _GITEA_TOKEN_FILE