railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability. T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/ npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md. T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean. T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# whynot-design npm publish token

- Date: 2026-06-29
- Catalog: `whynot-design-npm-publish` (status active, resolvable: true)
- Owner: railiance-platform (OpenBao) · provisioning CCR-2026-0001 (commit 8f617fc)
The NPM_AUTH_TOKEN that publishes @whynot/design to the coulomb Gitea npm registry
(https://gitea.coulomb.social/api/packages/coulomb/npm/). ops-warden does not hold
this token — it is the access front door: warden access proxies the read from OpenBao
as the caller and never persists, caches, or logs the value.
## Owner-confirmed lane (no placeholders)
| Field | Value |
|---|---|
| OpenBao path | platform/workloads/coulomb/whynot-design/npm-publish |
| Field | NPM_AUTH_TOKEN |
| KV mount | platform |
| Read policy | workload-kv-read-whynot-design-npm-publish |
| OIDC login | bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read |
| Bound group | whynot-design |
| flex-auth ref | secret.read:whynot-design (if tenant policy requires pre-approval) |
| Runbook (owner) | railiance-platform/docs/workload-kv-access-lanes.md |
The `platform/workloads/whynot-design/whynot-design/npm-publish` path from early in the provisioning thread is superseded — the live path is under the `coulomb` tenant.
## Worker checklist

- Authenticate as yourself (you need your own identity; ops-warden adds none):

  ```sh
  bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
  ```

  Your token must carry the `whynot-design` group bound claim; a non-whynot identity is denied by policy (verified negative case).

- Fetch or run via the front door — keyed by the stable catalog id, zero placeholders:

  ```sh
  warden access whynot-design-npm-publish --fetch               # stream the token to you
  warden access whynot-design-npm-publish --exec -- npm publish # inject into the child only
  ```

  The value transits to you (or the child env) and never enters ops-warden's memory, disk, or audit log (metadata-only audit).

- Readiness gate (for automated callers). Before attempting `--fetch`, check the flag:

  ```sh
  warden route show whynot-design-npm-publish --json | jq .resolvable   # true
  ```

  `resolvable: true` means the lane is concrete and `--fetch` will run; a template lane reports `false`.

- Publish is outward-facing and immutable. `npm publish` is irreversible and public. Even once the token resolves, hold for an explicit operator "yes, publish" — do not auto-run it from an agent.
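The checklist above, carried through as one script an automated caller could run. This is an added example, not ops-warden's or railiance-platform's own code: it recomputes the resolvable rule the provisioning note gives (active + exec_capable + no `<…>` placeholder), cross-checks it against the `resolvable` flag the route JSON reports, and only builds the `--exec -- npm publish` command once an operator has typed an explicit `yes`. The JSON field names (`status`, `exec_capable`, `path`, `field`, `role`, `resolvable`) and the sample route entries are assumptions constructed for the example; the token itself is never fetched or held here.

```python
"""Readiness gate + operator hold for a warden access lane.

Added example (not ops-warden's own code). Assumed route JSON shape:
{"catalog_id", "status", "exec_capable", "path", "field", "role", "resolvable"}.
"""
import json
import re
from typing import Optional

# The <…> placeholder form that marks a template (draft) lane in the playbook.
PLACEHOLDER = re.compile(r"<[^>]*>")

# Constructed samples standing in for `warden route show <id> --json` output.
ACTIVE_LANE_JSON = json.dumps({
    "catalog_id": "whynot-design-npm-publish",
    "status": "active",
    "exec_capable": True,
    "path": "platform/workloads/coulomb/whynot-design/npm-publish",
    "field": "NPM_AUTH_TOKEN",
    "role": "whynot-design-workload-kv-read",
    "resolvable": True,
})
TEMPLATE_LANE_JSON = json.dumps({          # hypothetical draft sibling lane
    "catalog_id": "example-draft-lane",
    "status": "draft",
    "exec_capable": True,
    "path": "platform/workloads/<tenant>/example/npm-publish",
    "field": "NPM_AUTH_TOKEN",
    "role": "<role>",
    "resolvable": False,
})
MISMATCH_LANE_JSON = json.dumps({          # server says resolvable, handoff still has a placeholder
    "catalog_id": "example-mismatch-lane",
    "status": "active",
    "exec_capable": True,
    "path": "platform/workloads/<tenant>/example/npm-publish",
    "field": "NPM_AUTH_TOKEN",
    "role": "example-role",
    "resolvable": True,
})


def resolvable(entry: dict) -> bool:
    """Local recomputation of the gate: active + exec_capable + no placeholder
    in any of the handoff fields (path, field, role)."""
    handoff = (entry.get("path", ""), entry.get("field", ""), entry.get("role", ""))
    return (
        entry.get("status") == "active"
        and bool(entry.get("exec_capable"))
        and not any(PLACEHOLDER.search(h) for h in handoff)
    )


def gate(route_json: str) -> tuple[bool, str]:
    """Decide whether --fetch may be attempted. Both the reported flag and the
    local recomputation must agree; any disagreement is a refusal, not a retry."""
    entry = json.loads(route_json)
    reported = bool(entry.get("resolvable", False))
    local = resolvable(entry)
    if reported and local:
        return True, "lane is concrete; --fetch will run"
    if reported and not local:
        return False, "reported resolvable but handoff is not concrete; refusing"
    return False, "template lane (resolvable=false); do not attempt --fetch"


def publish_command(catalog_id: str, operator_answer: Optional[str]) -> Optional[list[str]]:
    """Build the front-door publish command only after an explicit operator
    'yes'. Anything else (None, 'y', 'ok') returns None so an agent cannot
    auto-publish. The token is injected by warden into the child only."""
    if operator_answer is None or operator_answer.strip().lower() != "yes":
        return None
    return ["warden", "access", catalog_id, "--exec", "--", "npm", "publish"]


if __name__ == "__main__":
    for sample in (ACTIVE_LANE_JSON, TEMPLATE_LANE_JSON, MISMATCH_LANE_JSON):
        ok, why = gate(sample)
        print(json.loads(sample)["catalog_id"], "->", ok, "|", why)
    print(publish_command("whynot-design-npm-publish", input("Publish? type yes: ")))
```

The mismatch case is the one worth keeping: the flag in `route show --json` is derived server-side, so an automated caller that only reads `.resolvable` would trust a lane whose handoff still carries a `<…>` placeholder; recomputing the rule locally costs nothing and turns that into a refusal.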
## Scopes
This lane is the publish token only. A separate read/install token (for consumers
of @whynot/design) is a distinct need and would be its own catalog id
(whynot-design-npm-read) once railiance-platform provisions it — do not conflate them.
## See also

- `wiki/OperatorAccessAssist.md` — the `warden access` front door + guardrails
- `wiki/CredentialRouting.md` — routing model
- `railiance-platform/docs/workload-kv-access-lanes.md`, `workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md`