feat(WARDEN-WP-0018): activate whynot-design npm publish lane + resolvable flag

railiance-platform finished provisioning the whynot-design npm publish lane
(CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive
fetch + negative denial verified). First concrete warden access --fetch-resolvable
non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability.

T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the
owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/
npm-publish (the superseded whynot-design/whynot-design/... form is not used), field
NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added
wiki/playbooks/whynot-design-npm-publish.md.

T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in
route/access --json; Catalog.find resolves an exact catalog-id first so
`warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a
no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean.

T3 — notified whynot-design (zero-placeholder command + resolvable gate + path
correction) and confirmed activation to railiance-platform. Sibling lanes stay draft
per their deferral.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 00:32:00 +02:00
parent 46b340f45f
commit e8bb469033
9 changed files with 252 additions and 2 deletions
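The T2 behaviour the commit message describes (a `RouteEntry.resolvable` gate of active + exec_capable + no `<…>` placeholder, and a `Catalog.find` that resolves an exact catalog id before any keyword match so a short query cannot substring-collide with a longer id) sketched as an added Python example. This is not the warden project's code: the class names, field set, placeholder regex, tokeniser and the two sample entries are assumptions constructed for illustration; the `example-sibling-lane` entry is invented to show a draft lane that still carries placeholders.

```python
"""Hypothetical sketch of RouteEntry.resolvable and exact-id-first Catalog.find.
Not the warden code; names and fields are assumptions for this example."""
import re
from dataclasses import dataclass, field

# Any <…> token left in material warden would run means a human still has to fill it in.
PLACEHOLDER = re.compile(r"<[^<>]+>")


def _tokens(text: str) -> set:
    """Whole-word tokens; splitting on space, comma, underscore and hyphen."""
    return set(re.split(r"[\s,_-]+", text.strip().lower())) - {""}


@dataclass
class RouteEntry:
    id: str
    status: str
    exec_capable: bool
    auth_method: str
    path_template: str
    fetch_command: str
    need_keywords: list = field(default_factory=list)

    @property
    def resolvable(self) -> bool:
        """active + exec_capable + zero placeholders in anything warden would execute."""
        runnable = (self.auth_method, self.path_template, self.fetch_command)
        return (
            self.status == "active"
            and self.exec_capable
            and not any(PLACEHOLDER.search(s) for s in runnable)
        )


class Catalog:
    def __init__(self, entries):
        self.by_id = {e.id: e for e in entries}

    def find(self, query: str) -> list:
        """An exact catalog id wins outright and yields exactly one entry; otherwise
        match whole keyword tokens only, so 'no' cannot collide with 'whynot'."""
        q = query.strip().lower()
        if q in self.by_id:
            return [self.by_id[q]]
        qtok = _tokens(q)
        hits = []
        for e in self.by_id.values():
            kws = set().union(*(_tokens(k) for k in e.need_keywords))
            if qtok & kws:
                hits.append(e)
        return hits


# Constructed sample entries; values are illustrative, not the real catalog.
ENTRIES = [
    RouteEntry(
        id="whynot-design-npm-publish", status="active", exec_capable=True,
        auth_method="bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read",
        path_template="platform/workloads/coulomb/whynot-design/npm-publish",
        fetch_command="bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish",
        need_keywords=["whynot-design", "whynot", "npm", "publish", "npm_auth_token"],
    ),
    RouteEntry(  # invented draft sibling: still carries <…> placeholders
        id="example-sibling-lane", status="draft", exec_capable=True,
        auth_method="bao login -method=oidc -path=netkingdom role=<domain>-workload-kv-read",
        path_template="platform/workloads/<tenant>/<domain>/npm-publish",
        fetch_command="bao kv get -field=NPM_AUTH_TOKEN platform/workloads/<tenant>/<domain>/npm-publish",
        need_keywords=["npm", "publish", "sibling"],
    ),
]

CATALOG = Catalog(ENTRIES)


def resolvable_ids() -> list:
    """Ids an automated caller may be handed without any human fill-in step."""
    return sorted(e.id for e in ENTRIES if e.resolvable)


if __name__ == "__main__":
    print(resolvable_ids())
    print([e.id for e in CATALOG.find("whynot-design-npm-publish")])
    print([e.id for e in CATALOG.find("npm publish")])
    print([e.id for e in CATALOG.find("no")])
```

The keyword query `npm publish` legitimately returns both entries, which is exactly why the exact-id branch has to run first: an automated caller passing the full catalog id must get one deterministic entry, and the draft sibling is additionally kept out of any automated path by `resolvable` returning False while placeholders remain.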


@@ -67,6 +67,29 @@ entries:
policy_ref: "flex-auth check secret.read:<domain>"
exec_capable: true
- id: whynot-design-npm-publish
title: whynot-design npm publish token (@whynot/design → coulomb Gitea registry)
need_keywords: [whynot-design, whynot, npm, publish, npm_auth_token, gitea, registry, coulomb, package]
owner_repo: railiance-platform
subsystem: OpenBao
warden_executes: false
wiki_ref: wiki/playbooks/whynot-design-npm-publish.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-29"
status: active
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0001 (commit 8f617fc):
# status=active, access_frontdoor.readiness=ready, resolvable=true; positive fetch
# passed and negative (non-whynot) login denied. Zero-placeholder fetch: an automated
# caller can `warden access whynot-design-npm-publish --exec -- npm publish` directly.
# The path was corrected to the `coulomb` tenant — the whynot-design/whynot-design/…
# form is superseded; do not reintroduce it.
auth_method: "bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read"
path_template: "platform/workloads/coulomb/whynot-design/npm-publish"
fetch_command: "bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish"
policy_ref: "flex-auth check secret.read:whynot-design"
exec_capable: true
lane: secret
- id: flex-auth-policy-check
title: Authorization decision — may this actor perform this action
need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
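Review bot: `fetch_command` (`bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish`) writes the raw publish token to stdout, so the bare `warden access whynot-design-npm-publish` form hands the secret to whatever captures the terminal or CI log, while the entry comment only mentions the `--exec -- npm publish` form; please state in the comment (or the linked `#worker-checklist` playbook section) that `--exec` is the expected path for automated callers and the bare fetch is for interactive debugging only. Separately, `warden_executes: false` immediately beside `exec_capable: true` reads as contradictory without a note on what each field gates; a one-line comment distinguishing them would save the next reviewer the same question.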