railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability.

T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md.

T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean.

T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated |
|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0018 | workplan | Activate whynot-design npm publish lane + resolvable readiness flag | infotech | ops-warden | finished | claude | custodian | high | 18 | 2026-06-29 | 2026-06-29 |
WARDEN-WP-0018 — whynot-design npm lane activation + resolvable flag
Trigger: railiance-platform completed provisioning the whynot-design npm publish lane
(CCR-2026-0001, commit 8f617fc): status=active, access_frontdoor.readiness=ready,
resolvable=true, positive fetch passed + negative (non-whynot) login denied. They asked
ops-warden to activate the dedicated catalog selector and notify whynot-design. This is the
first concrete warden access --fetch-resolvable non-SSH lane — the end-to-end proof of the
WP-0014 conduit + WP-0017 discoverability work.
whynot-design's spec (msg 2687dc31) drove the shape: zero-placeholder command keyed by a stable id, owner-confirmed concrete path/field/role, a machine-readable readiness flag, and a publish-vs-read scope split.
Boundary unchanged: ops-warden holds no token; the lane proxies the read as the caller.
Tasks
T1 — Concrete catalog entry + playbook
id: WARDEN-WP-0018-T01
status: done
priority: high
- Added `whynot-design-npm-publish` to `registry/routing/catalog.yaml` (`status: active`, `exec_capable`, `lane: secret`) with the owner-confirmed, zero-placeholder handoff: path `platform/workloads/coulomb/whynot-design/npm-publish` (the superseded `whynot-design/whynot-design/…` form is not used), field `NPM_AUTH_TOKEN`, OIDC `bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read`, policy `workload-kv-read-whynot-design-npm-publish`, flex-auth `secret.read:whynot-design`.
- `wiki/playbooks/whynot-design-npm-publish.md` — worker checklist, scopes, operator go-ahead note (publish is immutable + outward-facing). Catalog `wiki_ref` points to it.
- Passes the `_assert_no_secret_material` guard (templates/identifiers only, no value).
T2 — resolvable readiness flag + stable-id resolution
id: WARDEN-WP-0018-T02
status: done
priority: high
- `RouteEntry.resolvable` — true when a lane is active, exec_capable, and its fetch command/path carry no unresolved `<…>` placeholder. Surfaced in the route/access `--json` (`_entry_summary`). Generic `openbao-api-key` and the `<domain>` login lane report `false`; `whynot-design-npm-publish` reports `true`.
- `Catalog.find` now resolves an exact catalog-id match first, so `warden access whynot-design-npm-publish …` is deterministic regardless of keyword collisions (whynot-design's "stable keyed command").
- Tests: `tests/test_routing.py` (concrete+resolvable lane, template lanes not resolvable, exact-id wins); fixed a `test_access` no-match query that incidentally substring-collided (`no` ⊂ `whynot`). 213 pass, lint clean.
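The T2 readiness gate and lookup order, as an added sketch that is not ops-warden's own code. The class shapes, the fetch command strings, the template path and the `-legacy` entry are assumptions constructed for illustration; the ids and the npm-publish path are the ones named above.

```python
import re
from dataclasses import dataclass

# An unresolved template slot such as <domain> or <tenant>.
PLACEHOLDER = re.compile(r"<[^<>\s]+>")


@dataclass(frozen=True)
class RouteEntry:  # hypothetical shape, not ops-warden's class
    id: str
    status: str
    exec_capable: bool
    path: str
    fetch_command: str

    @property
    def resolvable(self) -> bool:
        # All three conditions must hold; a draft or templated lane is never ready.
        templated = any(PLACEHOLDER.search(s) for s in (self.path, self.fetch_command))
        return self.status == "active" and self.exec_capable and not templated


class Catalog:
    def __init__(self, entries):
        self.entries = list(entries)

    def find(self, query: str) -> list:
        # Exact catalog-id match wins, so a stable id is never shadowed.
        exact = [e for e in self.entries if e.id == query]
        if exact:
            return exact
        # Fallback: case-insensitive substring search over ids (collision-prone).
        return [e for e in self.entries if query.lower() in e.id.lower()]


# Constructed sample catalog: fetch commands, the template path and the
# "-legacy" entry are made up; no secret value appears anywhere.
NPM_PATH = "platform/workloads/coulomb/whynot-design/npm-publish"
TEMPLATE = "platform/workloads/<tenant>/<workload>/api-key"
CATALOG = Catalog([
    RouteEntry("whynot-design-npm-publish", "active", True, NPM_PATH,
               f"bao kv get -field=NPM_AUTH_TOKEN {NPM_PATH}"),
    RouteEntry("whynot-design-npm-publish-legacy", "draft", True, NPM_PATH,
               f"bao kv get -field=NPM_AUTH_TOKEN {NPM_PATH}"),
    RouteEntry("openbao-api-key", "active", True, TEMPLATE,
               f"bao kv get -field=<field> {TEMPLATE}"),
])


def summary(query: str) -> list:
    """Machine-readable view of a lookup: id plus the resolvable gate."""
    return [{"id": e.id, "resolvable": e.resolvable} for e in CATALOG.find(query)]
```

A "no-match" query of `no` returns both whynot-design entries through the substring fallback, which is the collision the test fix above refers to.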
T3 — Close the loop
id: WARDEN-WP-0018-T03
status: done
priority: medium
- Notified whynot-design (reply 744977ae) with the zero-placeholder command `warden access whynot-design-npm-publish --exec -- npm publish`, the `resolvable` gate, the coulomb-tenant path correction, and the operator-go-ahead reminder.
- Confirmed activation to railiance-platform (reply f76d3a9e). Sibling lanes (`issue-core-ingestion-api-key`, `openrouter-llm-connect`) stay `draft` per their deferral, pending CCR-2026-0002/0003 provisioning.
Acceptance
- `warden access whynot-design-npm-publish` resolves to a concrete, owner-confirmed, zero-placeholder lane; `--json` reports `resolvable: true`.
- Template/generic lanes report `resolvable: false`; exact-id lookup is deterministic.
- No secret value in catalog, playbook, tests, or logs; ops-warden holds nothing.
See also
- `WARDEN-WP-0014` (proxy lane), `WARDEN-WP-0017` (discoverability)
- railiance-platform CCR-2026-0001, `docs/workload-kv-access-lanes.md`