I am not sure weather it is possible or not.
Is it possible to prevent publish when npm publish
ran directly and make it accessible only via scripts.
User must be denied when npm publish
is executed directly. i.e. User mush be able to publish via any scripts or npm run <script>
or
is there a way to tell npm only to publish <folder>/
or to look for a tarball when published.