Files
ops-warden/workplans/WARDEN-WP-0018-whynot-design-npm-lane-activation.md

4.3 KiB

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id
id type title domain repo status owner topic_slug planning_priority planning_order created updated state_hub_workstream_id
WARDEN-WP-0018 workplan Activate whynot-design npm publish lane + resolvable readiness flag infotech ops-warden finished claude custodian high 18 2026-06-29 2026-06-29 1256aca2-5979-4d21-818e-0de42c5d811b

WARDEN-WP-0018 — whynot-design npm lane activation + resolvable flag

Trigger: railiance-platform completed provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc): status=active, access_frontdoor.readiness=ready, resolvable=true, positive fetch passed + negative (non-whynot) login denied. They asked ops-warden to activate the dedicated catalog selector and notify whynot-design. This is the first concrete warden access --fetch-resolvable non-SSH lane — the end-to-end proof of the WP-0014 conduit + WP-0017 discoverability work.

whynot-design's spec (msg 2687dc31) drove the shape: zero-placeholder command keyed by a stable id, owner-confirmed concrete path/field/role, a machine-readable readiness flag, and a publish-vs-read scope split.

Boundary unchanged: ops-warden holds no token; the lane proxies the read as the caller.


Tasks

T1 — Concrete catalog entry + playbook

id: WARDEN-WP-0018-T01
status: done
priority: high
state_hub_task_id: "189d0883-22b9-42dc-bda0-89460509a87d"
  • Added whynot-design-npm-publish to registry/routing/catalog.yaml (status: active, exec_capable, lane: secret) with the owner-confirmed, zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/npm-publish (the superseded whynot-design/whynot-design/… form is not used), field NPM_AUTH_TOKEN, OIDC bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read, policy workload-kv-read-whynot-design-npm-publish, flex-auth secret.read:whynot-design.
  • wiki/playbooks/whynot-design-npm-publish.md — worker checklist, scopes, operator go-ahead note (publish is immutable + outward-facing). Catalog wiki_ref points to it.
  • Passes the _assert_no_secret_material guard (templates/identifiers only, no value).

T2 — resolvable readiness flag + stable-id resolution

id: WARDEN-WP-0018-T02
status: done
priority: high
state_hub_task_id: "b5dc1013-5334-43ff-afd6-1f99d521358f"
  • RouteEntry.resolvable — true when a lane is active, exec_capable, and its fetch command/path carry no unresolved <…> placeholder. Surfaced in the route/access --json (_entry_summary). Generic openbao-api-key and the <domain> login lane report false; whynot-design-npm-publish reports true.
  • Catalog.find now resolves an exact catalog-id match first, so warden access whynot-design-npm-publish … is deterministic regardless of keyword collisions (whynot-design's "stable keyed command").
  • Tests: tests/test_routing.py (concrete+resolvable lane, template lanes not resolvable, exact-id wins); fixed a test_access no-match query that incidentally substring-collided (nowhynot). 213 pass, lint clean.

T3 — Close the loop

id: WARDEN-WP-0018-T03
status: done
priority: medium
state_hub_task_id: "95b00ef8-477a-4f0d-bd71-6154fba401f5"
  • Notified whynot-design (reply 744977ae) with the zero-placeholder command warden access whynot-design-npm-publish --exec -- npm publish, the resolvable gate, the coulomb-tenant path correction, and the operator-go-ahead reminder.
  • Confirmed activation to railiance-platform (reply f76d3a9e). Sibling lanes (issue-core-ingestion-api-key, openrouter-llm-connect) stay draft per their deferral, pending CCR-2026-0002/0003 provisioning.

Acceptance

  • warden access whynot-design-npm-publish resolves to a concrete, owner-confirmed, zero-placeholder lane; --json reports resolvable: true.
  • Template/generic lanes report resolvable: false; exact-id lookup is deterministic.
  • No secret value in catalog, playbook, tests, or logs; ops-warden holds nothing.

See also

  • WARDEN-WP-0014 (proxy lane), WARDEN-WP-0017 (discoverability)
  • railiance-platform CCR-2026-0001, docs/workload-kv-access-lanes.md