feat(WARDEN-WP-0018): activate whynot-design npm publish lane + resolvable flag

railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability. T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/ npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md. T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean. T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 00:32:00 +02:00
parent 46b340f45f
commit e8bb469033
9 changed files with 252 additions and 2 deletions
--- a/workplans/WARDEN-WP-0017-access-front-door-discoverability.md
+++ b/workplans/WARDEN-WP-0017-access-front-door-discoverability.md
@@ -11,6 +11,7 @@ planning_priority: high
 planning_order: 17
 created: "2026-06-27"
 updated: "2026-06-27"
+state_hub_workstream_id: "cf8b392e-7624-4585-8935-a85e29202935"
 ---

 # WARDEN-WP-0017 — Access front-door discoverability
@@ -55,6 +56,7 @@ tracked separately); any new fetch capability (the proxy already exists).
 id: WARDEN-WP-0017-T01
 status: done
 priority: high
+state_hub_task_id: "6e98df42-b5b4-49f8-a444-3c6346c8abd7"
 ```

 - [x] `warden route` table: three-valued `warden` column — `issue` / `assist`
@@ -73,6 +75,7 @@ priority: high
 id: WARDEN-WP-0017-T02
 status: done
 priority: high
+state_hub_task_id: "6e2a7067-1afc-4f38-8d99-4d5c36a4661c"
 ```

 - [x] `.claude/rules/credential-routing.md`: reframed the lead ("issues SSH certs **and**
@@ -88,6 +91,7 @@ priority: high
 id: WARDEN-WP-0017-T03
 status: done
 priority: medium
+state_hub_task_id: "7199625b-e78e-4495-8ca0-076100ae9f08"
 ```

 - [x] Registered the State Hub capability "Operator access front door (caller-identity
--- a/workplans/WARDEN-WP-0018-whynot-design-npm-lane-activation.md
+++ b/workplans/WARDEN-WP-0018-whynot-design-npm-lane-activation.md
@@ -0,0 +1,99 @@
+---
+id: WARDEN-WP-0018
+type: workplan
+title: "Activate whynot-design npm publish lane + resolvable readiness flag"
+domain: infotech
+repo: ops-warden
+status: finished
+owner: claude
+topic_slug: custodian
+planning_priority: high
+planning_order: 18
+created: "2026-06-29"
+updated: "2026-06-29"
+---
+
+# WARDEN-WP-0018 — whynot-design npm lane activation + `resolvable` flag
+
+**Trigger:** railiance-platform completed provisioning the whynot-design npm publish lane
+(CCR-2026-0001, commit 8f617fc): `status=active`, `access_frontdoor.readiness=ready`,
+`resolvable=true`, positive fetch passed + negative (non-whynot) login denied. They asked
+ops-warden to activate the dedicated catalog selector and notify whynot-design. This is the
+first concrete `warden access --fetch`-resolvable non-SSH lane — the end-to-end proof of the
+WP-0014 conduit + WP-0017 discoverability work.
+
+**whynot-design's spec** (msg 2687dc31) drove the shape: zero-placeholder command keyed by a
+stable id, owner-confirmed concrete path/field/role, a machine-readable readiness flag, and a
+publish-vs-read scope split.
+
+**Boundary unchanged:** ops-warden holds no token; the lane proxies the read as the caller.
+
+---
+
+## Tasks
+
+### T1 — Concrete catalog entry + playbook
+
+```task
+id: WARDEN-WP-0018-T01
+status: done
+priority: high
+```
+
+- [x] Added `whynot-design-npm-publish` to `registry/routing/catalog.yaml` (`status: active`,
+      `exec_capable`, `lane: secret`) with the **owner-confirmed, zero-placeholder** handoff:
+      path `platform/workloads/coulomb/whynot-design/npm-publish` (the superseded
+      `whynot-design/whynot-design/…` form is **not** used), field `NPM_AUTH_TOKEN`, OIDC
+      `bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read`, policy
+      `workload-kv-read-whynot-design-npm-publish`, flex-auth `secret.read:whynot-design`.
+- [x] `wiki/playbooks/whynot-design-npm-publish.md` — worker checklist, scopes, operator
+      go-ahead note (publish is immutable + outward-facing). Catalog `wiki_ref` points to it.
+- [x] Passes the `_assert_no_secret_material` guard (templates/identifiers only, no value).
+
+### T2 — `resolvable` readiness flag + stable-id resolution
+
+```task
+id: WARDEN-WP-0018-T02
+status: done
+priority: high
+```
+
+- [x] `RouteEntry.resolvable` — true when a lane is active, exec_capable, and its fetch
+      command/path carry **no** unresolved `<…>` placeholder. Surfaced in the route/access
+      `--json` (`_entry_summary`). Generic `openbao-api-key` and the `<domain>` login lane
+      report `false`; `whynot-design-npm-publish` reports `true`.
+- [x] `Catalog.find` now resolves an **exact catalog-id** match first, so
+      `warden access whynot-design-npm-publish …` is deterministic regardless of keyword
+      collisions (whynot-design's "stable keyed command").
+- [x] Tests: `tests/test_routing.py` (concrete+resolvable lane, template lanes not
+      resolvable, exact-id wins); fixed a `test_access` no-match query that incidentally
+      substring-collided (`no` ⊂ `whynot`). 213 pass, lint clean.
+
+### T3 — Close the loop
+
+```task
+id: WARDEN-WP-0018-T03
+status: done
+priority: medium
+```
+
+- [x] Notified whynot-design (reply 744977ae) with the zero-placeholder command
+      `warden access whynot-design-npm-publish --exec -- npm publish`, the `resolvable` gate,
+      the coulomb-tenant path correction, and the operator-go-ahead reminder.
+- [x] Confirmed activation to railiance-platform (reply f76d3a9e). Sibling lanes
+      (`issue-core-ingestion-api-key`, `openrouter-llm-connect`) stay `draft` per their
+      deferral, pending CCR-2026-0002/0003 provisioning.
+
+---
+
+## Acceptance
+
+- `warden access whynot-design-npm-publish` resolves to a concrete, owner-confirmed,
+  zero-placeholder lane; `--json` reports `resolvable: true`.
+- Template/generic lanes report `resolvable: false`; exact-id lookup is deterministic.
+- No secret value in catalog, playbook, tests, or logs; ops-warden holds nothing.
+
+## See also
+
+- `WARDEN-WP-0014` (proxy lane), `WARDEN-WP-0017` (discoverability)
+- railiance-platform CCR-2026-0001, `docs/workload-kv-access-lanes.md`