generated from coulomb/repo-seed
railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability. T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/ npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md. T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean. T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
76 lines
3.0 KiB
Markdown
# whynot-design npm publish token

Date: 2026-06-29

Catalog: `whynot-design-npm-publish` (status `active`, `resolvable: true`)

Owner: `railiance-platform` (OpenBao) · provisioning CCR-2026-0001 (commit 8f617fc)

The `NPM_AUTH_TOKEN` that publishes `@whynot/design` to the coulomb Gitea npm registry
(`https://gitea.coulomb.social/api/packages/coulomb/npm/`). ops-warden **does not hold
this token** — it is the access front door: `warden access` proxies the read from OpenBao
**as the caller** and never persists, caches, or logs the value.

---

## Owner-confirmed lane (no placeholders)

| Field | Value |
| --- | --- |
| OpenBao path | `platform/workloads/coulomb/whynot-design/npm-publish` |
| KV field | `NPM_AUTH_TOKEN` |
| KV mount | `platform` |
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
| OIDC login | `bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read` |
| Bound group | `whynot-design` |
| flex-auth ref | `secret.read:whynot-design` (if tenant policy requires pre-approval) |
| Runbook (owner) | `railiance-platform/docs/workload-kv-access-lanes.md` |

> The `platform/workloads/whynot-design/whynot-design/npm-publish` path from early in the
> provisioning thread is **superseded** — the live path is under the `coulomb` tenant.
> Do not copy it from old thread messages; it will not resolve.

---

## Worker checklist

1. **Authenticate as yourself** (you need your own identity; ops-warden adds none):

   ```bash
   bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
   ```

   Your token must carry the bound `whynot-design` group claim; a non-whynot identity is
   denied by policy (the negative case was verified during provisioning).

2. **Fetch or run via the front door** — keyed by the stable catalog id, zero placeholders:

   ```bash
   warden access whynot-design-npm-publish --fetch                  # stream the token to you
   warden access whynot-design-npm-publish --exec -- npm publish    # inject into the child only
   ```

   The value transits to you (or the child's environment) and is never persisted, cached,
   or written to ops-warden's audit log (the audit records metadata only). For a publish,
   prefer `--exec`: the token is injected into the child process only and is not printed
   to your terminal.

3. **Readiness gate (for automated callers).** Before attempting `--fetch`, check the flag:

   ```bash
   warden route show whynot-design-npm-publish --json | jq .resolvable   # true
   ```

   `resolvable: true` means the lane is concrete (status `active`, exec-capable, no `<…>`
   placeholder left in the path or field) and `--fetch` will run; a template lane reports
   `false`. Treat anything other than a literal `true` (a missing key, `null`, or a non-zero
   exit from `warden`) as not ready.

4. **Publish is outward-facing and effectively irreversible.** `npm publish` is public to
   every consumer of the registry and cannot be quietly undone. Even once the token
   resolves, hold for an explicit operator "yes, publish" — do not auto-run it from an
   agent.

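An added example (not ops-warden's own code) of what an automated caller should do with steps 1 to 3 before it ever reaches the publish in step 4: it recomputes the documented readiness rule (active, exec-capable, no `<…>` placeholder) from the route JSON and requires it to agree with the flag `warden` reported, resolves the catalog id exact-first so the lookup is deterministic (the substring collision the provisioning commit mentions is shown with the query `no`), and refuses to build the `--exec -- npm publish` invocation without an explicit operator confirmation. The JSON field names, the draft sibling lane, and the sample route output are assumptions and constructed data, not the real shape of `warden route show --json`.

```python
"""Preflight for an automated caller of the whynot-design publish lane.

Added example, not ops-warden's code. It mirrors the documented readiness
rule (active + exec_capable + no `<...>` placeholder), the exact-id-first
catalog lookup, and the explicit-operator gate in front of `npm publish`.
The JSON field names (`id`, `status`, `exec_capable`, `path`, `field`) are
an assumption modelled on the table on this page, not the real output
shape of `warden route show --json`.
"""
import json
import re
from dataclasses import dataclass

# Anything still wrapped in angle brackets (e.g. <tenant>, <workload>) marks a template lane.
PLACEHOLDER = re.compile(r"<[^<>]+>")


@dataclass(frozen=True)
class RouteEntry:
    id: str
    status: str
    exec_capable: bool
    path: str
    field: str

    @property
    def resolvable(self) -> bool:
        """Concrete lane: active, exec-capable, and no placeholder in path or field."""
        return (
            self.status == "active"
            and self.exec_capable
            and PLACEHOLDER.search(self.path) is None
            and PLACEHOLDER.search(self.field) is None
        )

    @classmethod
    def from_route_json(cls, text: str) -> "RouteEntry":
        """Parse `warden route show <id> --json` (assumed field names, see docstring)."""
        d = json.loads(text)
        return cls(d["id"], d["status"], bool(d["exec_capable"]), d["path"], d["field"])


# Constructed catalog: the live lane from this page plus a hypothetical draft
# sibling whose path still carries a <workload> placeholder.
CATALOG = [
    RouteEntry("whynot-design-npm-publish", "active", True,
               "platform/workloads/coulomb/whynot-design/npm-publish", "NPM_AUTH_TOKEN"),
    RouteEntry("sibling-workload-npm-publish", "draft", False,
               "platform/workloads/coulomb/<workload>/npm-publish", "NPM_AUTH_TOKEN"),
]


def find(catalog, query: str) -> RouteEntry:
    """Exact catalog id wins; only then fall back to a substring match."""
    for entry in catalog:
        if entry.id == query:
            return entry
    hits = [entry for entry in catalog if query in entry.id]
    if len(hits) == 1:
        return hits[0]
    if not hits:
        raise KeyError(f"no lane matches {query!r}")
    raise LookupError(f"{query!r} is ambiguous: {[e.id for e in hits]}")


def fetch_command(entry: RouteEntry) -> list[str]:
    """argv for `--fetch`; refuses a template lane instead of letting warden fail later."""
    if not entry.resolvable:
        raise RuntimeError(f"{entry.id}: resolvable=false (status={entry.status}); not fetching")
    return ["warden", "access", entry.id, "--fetch"]


def publish_command(entry: RouteEntry, operator_confirmed: bool = False) -> list[str]:
    """argv for the exec form; a resolvable lane is necessary but not sufficient to publish."""
    if not entry.resolvable:
        raise RuntimeError(f"{entry.id}: resolvable=false; not publishing")
    if not operator_confirmed:
        raise PermissionError(f"{entry.id}: npm publish needs an explicit operator yes")
    return ["warden", "access", entry.id, "--exec", "--", "npm", "publish"]


# Constructed sample of what the readiness check is expected to return for the live lane.
ROUTE_SHOW_SAMPLE = """{
  "id": "whynot-design-npm-publish", "status": "active", "exec_capable": true,
  "path": "platform/workloads/coulomb/whynot-design/npm-publish",
  "field": "NPM_AUTH_TOKEN", "resolvable": true
}"""


def preflight(route_json: str) -> bool:
    """Recompute resolvable locally and require agreement with the flag warden reported."""
    entry = RouteEntry.from_route_json(route_json)
    reported = json.loads(route_json).get("resolvable")
    if reported is not entry.resolvable:  # a missing key or a non-bool also fails here
        raise RuntimeError(f"{entry.id}: warden reports resolvable={reported!r}, computed {entry.resolvable}")
    return entry.resolvable


if __name__ == "__main__":
    lane = find(CATALOG, "whynot-design-npm-publish")
    print(preflight(ROUTE_SHOW_SAMPLE), " ".join(fetch_command(lane)))
    print(" ".join(publish_command(lane, operator_confirmed=True)))
```

The script only builds argv; actually running it is left to the caller so that the token, when it does flow, flows from OpenBao into the `npm publish` child and never through this process.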
---

## Scopes

This lane is the **publish** token only. A separate **read/install** token (for consumers
of `@whynot/design`) is a distinct need and would be its own catalog id
(`whynot-design-npm-read`) once railiance-platform provisions it — do not conflate them,
and in particular never hand the publish token to a build or CI step that only needs to
install the package.

---

## See also

- `wiki/OperatorAccessAssist.md` — the `warden access` front door + guardrails
- `wiki/CredentialRouting.md` — routing model
- `railiance-platform/docs/workload-kv-access-lanes.md`,
  `workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md`