feat: publish --access=private alias for restricted

[reggi]

Summary

Adds private as a valid value for --access in npm publish, as an alias for restricted.

Motivation

The --access flag on npm publish currently accepts restricted and public. However, in everyday usage, the npm community colloquially refers to non-public packages as "private packages" — not "restricted packages." The npm website, the npm registry, and npm access all use the term "private" to describe these packages.

npm publish --access vs npm access

These are two different commands that deal with package visibility in different ways:

• npm publish --access=<public|restricted> sets the visibility of a package at publish time. This is only relevant for scoped packages, where the default for new packages is public.
• npm access set status=<public|private> changes the visibility of an already published package. Notably, npm access already uses private (not restricted) as its term for non-public packages.

This inconsistency means that a user who runs npm access set status=private might naturally try npm publish --access=private and get an error. Since everyone already calls them "private packages," the CLI should accept that term too. This PR resolves that by accepting private as a synonym for restricted during publish.

Changes

• Added private to the valid values for the access config definition
• The flatten function maps private → restricted so the registry always receives restricted
• Updated documentation to note that private is an alias for restricted
• Added tests for the --access=private flow