generated from coulomb/repo-seed
feat(WARDEN-WP-0018): activate whynot-design npm publish lane + resolvable flag
railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability.

T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md.

T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean.

T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
wiki/playbooks/whynot-design-npm-publish.md (Normal file, +75)
@@ -0,0 +1,75 @@
# whynot-design npm publish token

Date: 2026-06-29
Catalog: `whynot-design-npm-publish` (status `active`, `resolvable: true`)
Owner: `railiance-platform` (OpenBao) · provisioning CCR-2026-0001 (commit 8f617fc)

The `NPM_AUTH_TOKEN` that publishes `@whynot/design` to the coulomb Gitea npm registry
(`https://gitea.coulomb.social/api/packages/coulomb/npm/`). ops-warden **does not hold
this token** — it is the access front door: `warden access` proxies the read from OpenBao
**as the caller** and never persists, caches, or logs the value.

---

## Owner-confirmed lane (no placeholders)

| Field | Value |
| --- | --- |
| OpenBao path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| Field | `NPM_AUTH_TOKEN` |
| KV mount | `platform` |
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
| OIDC login | `bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read` |
| Bound group | `whynot-design` |
| flex-auth ref | `secret.read:whynot-design` (if tenant policy requires pre-approval) |
| Runbook (owner) | `railiance-platform/docs/workload-kv-access-lanes.md` |

> The `platform/workloads/whynot-design/whynot-design/npm-publish` path from early in the
> provisioning thread is **superseded** — the live path is under the `coulomb` tenant.

---

## Worker checklist

1. **Authenticate as yourself** (you need your own identity; ops-warden adds none):
```bash
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
```
Your token must carry the `whynot-design` group bound claim; a non-whynot identity is
denied by policy (verified negative case).

2. **Fetch or run via the front door** — keyed by the stable catalog id, zero placeholders:
```bash
warden access whynot-design-npm-publish --fetch # stream the token to you
warden access whynot-design-npm-publish --exec -- npm publish # inject into the child only
```
The value transits to you (or the child env) and never enters ops-warden's memory, disk,
or audit log (metadata-only audit).

3. **Readiness gate (for automated callers).** Before attempting `--fetch`, check the flag:
```bash
warden route show whynot-design-npm-publish --json | jq .resolvable # true
```
`resolvable: true` means the lane is concrete and `--fetch` will run; a template lane
reports `false`.

4. **Publish is outward-facing and immutable.** `npm publish` is irreversible and public.
Even once the token resolves, hold for an explicit operator "yes, publish" — do not
auto-run it from an agent.

---

## Scopes

This lane is the **publish** token only. A separate **read/install** token (for consumers
of `@whynot/design`) is a distinct need and would be its own catalog id
(`whynot-design-npm-read`) once railiance-platform provisions it — do not conflate them.

---

## See also

- `wiki/OperatorAccessAssist.md` — the `warden access` front door + guardrails
- `wiki/CredentialRouting.md` — routing model
- `railiance-platform/docs/workload-kv-access-lanes.md`,
`workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md`
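Review bot: the readiness gate in step 3 of the worker checklist does not fail closed as written: `warden route show whynot-design-npm-publish --json | jq .resolvable` prints `null` (or nothing, on empty input) and exits 0 when the field is absent or the route is not found, so an automated caller that only checks the exit status will proceed to `--fetch` on a lane that is not resolvable. Suggest `warden route show whynot-design-npm-publish --json | jq -e '.resolvable == true'` so that a missing, null or false flag yields a non-zero exit the caller can act on. Separately, step 2 states the value "never enters ops-warden's memory", which is stronger than the intro's "proxies the read from OpenBao as the caller and never persists, caches, or logs the value": a proxy that streams the secret to the caller or child env necessarily holds it transiently, so align step 2 with the intro ("never persisted, cached, or logged; metadata-only audit") rather than claim it never enters memory.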