ops-warden/wiki/playbooks/whynot-design-npm-publish.md
tegwick e8bb469033 feat(WARDEN-WP-0018): activate whynot-design npm publish lane + resolvable flag
railiance-platform finished provisioning the whynot-design npm publish lane
(CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive
fetch + negative denial verified). First concrete warden access --fetch-resolvable
non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability.

T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the
owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/
npm-publish (the superseded whynot-design/whynot-design/... form is not used), field
NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added
wiki/playbooks/whynot-design-npm-publish.md.

T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in
route/access --json; Catalog.find resolves an exact catalog-id first so
`warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a
no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean.

T3 — notified whynot-design (zero-placeholder command + resolvable gate + path
correction) and confirmed activation to railiance-platform. Sibling lanes stay draft
per their deferral.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 00:32:00 +02:00


whynot-design npm publish token

Date: 2026-06-29
Catalog: whynot-design-npm-publish (status active, resolvable: true)
Owner: railiance-platform (OpenBao) · provisioning CCR-2026-0001 (commit 8f617fc)

The NPM_AUTH_TOKEN that publishes @whynot/design to the coulomb Gitea npm registry (https://gitea.coulomb.social/api/packages/coulomb/npm/). ops-warden does not hold this token — it is the access front door: warden access proxies the read from OpenBao as the caller and never persists, caches, or logs the value.


Owner-confirmed lane (no placeholders)

| Field | Value |
| --- | --- |
| OpenBao path | platform/workloads/coulomb/whynot-design/npm-publish |
| Field | NPM_AUTH_TOKEN |
| KV mount | platform |
| Read policy | workload-kv-read-whynot-design-npm-publish |
| OIDC login | bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read |
| Bound group | whynot-design |
| flex-auth ref | secret.read:whynot-design (if tenant policy requires pre-approval) |
| Runbook (owner) | railiance-platform/docs/workload-kv-access-lanes.md |

The platform/workloads/whynot-design/whynot-design/npm-publish path from early in the provisioning thread is superseded — the live path is under the coulomb tenant.


Worker checklist

  1. Authenticate as yourself (you need your own identity; ops-warden adds none):

    bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
    

    Your token must carry the whynot-design bound-group claim; an identity outside that group is denied by policy (the verified negative case).

  2. Fetch or run via the front door — keyed by the stable catalog id, zero placeholders:

    warden access whynot-design-npm-publish --fetch              # stream the token to you
    warden access whynot-design-npm-publish --exec -- npm publish # inject into the child only
    

    The value transits to you (or to the child's environment) and is never persisted, cached, or written to the audit log by ops-warden; the audit record is metadata only (catalog id, path, field, caller), never the value.

  3. Readiness gate (for automated callers). Before an automated caller attempts --fetch or --exec, check the flag:

    warden route show whynot-design-npm-publish --json | jq .resolvable   # true
    

    resolvable: true means the lane is concrete and --fetch will run; a template lane reports false.

  4. Publish is outward-facing and irreversible: npm publish makes the version public and cannot be undone. Even once the token resolves, hold for an explicit operator "yes, publish"; do not auto-run it from an agent.
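The two gates in the checklist, as an added example in Python (not ops-warden's own code and not part of the playbook): the resolvable rule from the provisioning commit (active + exec_capable + no <…> placeholder) evaluated over a route entry, the --fetch and --exec command forms built but never executed, the child-environment injection that --exec performs, and a metadata-only audit line that the token value never reaches. The route JSON keys other than `resolvable`, the draft sibling lane, the caller name and the token string are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Matches a <...> template placeholder left in a lane that is still a draft.
PLACEHOLDER = re.compile(r"<[^<>]+>")

# Constructed stand-in for `warden route show <id> --json`. Only `resolvable`
# is a documented key; the other field names are assumptions for this example.
LIVE_LANE = {
    "catalog_id": "whynot-design-npm-publish",
    "status": "active",
    "exec_capable": True,
    "path": "platform/workloads/coulomb/whynot-design/npm-publish",
    "field": "NPM_AUTH_TOKEN",
    "oidc_role": "whynot-design-workload-kv-read",
}

# Constructed draft sibling lane (hypothetical catalog id) that still carries
# template placeholders, as a lane would before the owner hands it off.
DRAFT_LANE = {
    "catalog_id": "whynot-design-npm-read",
    "status": "draft",
    "exec_capable": True,
    "path": "platform/workloads/<tenant>/whynot-design/npm-read",
    "field": "NPM_AUTH_TOKEN",
    "oidc_role": "<role>",
}


def has_placeholder(lane):
    """True if any string value still carries a <...> template placeholder."""
    return any(isinstance(v, str) and PLACEHOLDER.search(v) for v in lane.values())


def is_resolvable(lane):
    """The resolvable rule: active + exec_capable + no placeholder."""
    return (
        lane.get("status") == "active"
        and bool(lane.get("exec_capable"))
        and not has_placeholder(lane)
    )


def access_argv(lane, mode, child=None):
    """Build the front-door command for --fetch or --exec; never runs it."""
    argv = ["warden", "access", lane["catalog_id"]]
    if mode == "fetch":
        return argv + ["--fetch"]
    if mode == "exec":
        return argv + ["--exec", "--"] + list(child or [])
    raise ValueError(f"unknown mode {mode!r}")


def preflight_publish(lane, operator_confirmed):
    """Gate the publish: refuse non-resolvable lanes and refuse without an
    explicit operator yes. Returns (argv, reason); argv is None when refused."""
    if not is_resolvable(lane):
        return None, f"{lane['catalog_id']} is not resolvable (draft or placeholder)"
    if not operator_confirmed:
        return None, "npm publish is irreversible; waiting for operator 'yes, publish'"
    return access_argv(lane, "exec", ["npm", "publish"]), "ok"


def child_env(base_env, lane, token):
    """--exec semantics: the secret goes into the child's environment only."""
    env = dict(base_env)
    env[lane["field"]] = token
    return env


def audit_line(lane, caller, now=None):
    """Metadata-only audit record: which lane, path, field and caller; never the value."""
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(),
        "caller": caller,
        "catalog_id": lane["catalog_id"],
        "path": lane["path"],
        "field": lane["field"],
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    token = "npm_constructed-example-token"  # constructed, not a real secret
    for lane in (LIVE_LANE, DRAFT_LANE):
        for confirmed in (False, True):
            argv, reason = preflight_publish(lane, confirmed)
            print(lane["catalog_id"], confirmed, argv, reason)
    env = child_env({"PATH": "/usr/bin"}, LIVE_LANE, token)
    line = audit_line(LIVE_LANE, "alice@whynot-design")
    print(line, "token leaked:", token in line)
```

The draft lane is refused even with an operator yes, the live lane is refused without one, and only the combination yields the exec-form argv; the audit line is the only thing a front door like this should write to disk, which is why it is built from lane metadata and never sees the token.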


Scopes

This lane is the publish token only. A separate read/install token (for consumers of @whynot/design) is a distinct need and would be its own catalog id (whynot-design-npm-read) once railiance-platform provisions it — do not conflate them.


See also

  • wiki/OperatorAccessAssist.md — the warden access front door + guardrails
  • wiki/CredentialRouting.md — routing model
  • railiance-platform/docs/workload-kv-access-lanes.md, workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md