generated from coulomb/repo-seed
railiance-platform finished provisioning the whynot-design npm publish lane (CCR-2026-0001, commit 8f617fc: active, readiness=ready, resolvable=true, positive fetch + negative denial verified). First concrete warden access --fetch-resolvable non-SSH lane — end-to-end proof of the WP-0014 conduit + WP-0017 discoverability.

T1 — catalog entry whynot-design-npm-publish (active, exec_capable) with the owner-confirmed zero-placeholder handoff: path platform/workloads/coulomb/whynot-design/npm-publish (the superseded whynot-design/whynot-design/... form is not used), field NPM_AUTH_TOKEN, OIDC role whynot-design-workload-kv-read, policy + flex-auth ref. Added wiki/playbooks/whynot-design-npm-publish.md.

T2 — RouteEntry.resolvable (active + exec_capable + no <…> placeholder), surfaced in route/access --json; Catalog.find resolves an exact catalog-id first so `warden access whynot-design-npm-publish` is deterministic. Tests added; fixed a no-match test query that substring-collided (no ⊂ whynot). 213 pass, lint clean.

T3 — notified whynot-design (zero-placeholder command + resolvable gate + path correction) and confirmed activation to railiance-platform. Sibling lanes stay draft per their deferral.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
100 lines
4.0 KiB
Markdown
---
id: WARDEN-WP-0018
type: workplan
title: "Activate whynot-design npm publish lane + resolvable readiness flag"
domain: infotech
repo: ops-warden
status: finished
owner: claude
topic_slug: custodian
planning_priority: high
planning_order: 18
created: "2026-06-29"
updated: "2026-06-29"
---

# WARDEN-WP-0018 — whynot-design npm lane activation + `resolvable` flag

**Trigger:** railiance-platform completed provisioning the whynot-design npm publish lane
(CCR-2026-0001, commit 8f617fc): `status=active`, `access_frontdoor.readiness=ready`,
`resolvable=true`, positive fetch passed + negative (non-whynot) login denied. They asked
ops-warden to activate the dedicated catalog selector and notify whynot-design. This is the
first concrete `warden access --fetch`-resolvable non-SSH lane — the end-to-end proof of the
WP-0014 conduit + WP-0017 discoverability work.

**whynot-design's spec** (msg 2687dc31) drove the shape: zero-placeholder command keyed by a
stable id, owner-confirmed concrete path/field/role, a machine-readable readiness flag, and a
publish-vs-read scope split.

**Boundary unchanged:** ops-warden holds no token; the lane proxies the read as the caller.

---

## Tasks

### T1 — Concrete catalog entry + playbook

```task
id: WARDEN-WP-0018-T01
status: done
priority: high
```

- [x] Added `whynot-design-npm-publish` to `registry/routing/catalog.yaml` (`status: active`,
  `exec_capable`, `lane: secret`) with the **owner-confirmed, zero-placeholder** handoff:
  path `platform/workloads/coulomb/whynot-design/npm-publish` (the superseded
  `whynot-design/whynot-design/…` form is **not** used), field `NPM_AUTH_TOKEN`, OIDC
  `bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read`, policy
  `workload-kv-read-whynot-design-npm-publish`, flex-auth `secret.read:whynot-design`.
- [x] `wiki/playbooks/whynot-design-npm-publish.md` — worker checklist, scopes, operator
  go-ahead note (publish is immutable + outward-facing). Catalog `wiki_ref` points to it.
- [x] Passes the `_assert_no_secret_material` guard (templates/identifiers only, no value).

### T2 — `resolvable` readiness flag + stable-id resolution

```task
id: WARDEN-WP-0018-T02
status: done
priority: high
```

- [x] `RouteEntry.resolvable` — true when a lane is active, exec_capable, and its fetch
  command/path carry **no** unresolved `<…>` placeholder. Surfaced in the route/access
  `--json` (`_entry_summary`). Generic `openbao-api-key` and the `<domain>` login lane
  report `false`; `whynot-design-npm-publish` reports `true`.
- [x] `Catalog.find` now resolves an **exact catalog-id** match first, so
  `warden access whynot-design-npm-publish …` is deterministic regardless of keyword
  collisions (whynot-design's "stable keyed command").
- [x] Tests: `tests/test_routing.py` (concrete+resolvable lane, template lanes not
  resolvable, exact-id wins); fixed a `test_access` no-match query that incidentally
  substring-collided (`no` ⊂ `whynot`). 213 pass, lint clean.

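The two T2 rules, as an added sketch that is not ops-warden's own code: a `resolvable` predicate and an exact-id-first `find`, run over a constructed catalog that reproduces both the keyword collision and the `no` ⊂ `whynot` no-match trap. The field names, the `exact_first` switch, the `-read` sibling entry, the template path and the `summary` helper are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# An unresolved template slot such as <domain> or <…> (no whitespace inside).
PLACEHOLDER = re.compile(r"<[^<>\s]+>")

@dataclass(frozen=True)
class RouteEntry:  # field names are assumptions, not ops-warden's schema
    id: str
    status: str
    exec_capable: bool
    path: str
    command: str

    @property
    def resolvable(self) -> bool:
        # Runnable verbatim: active, exec-capable, nothing left to fill in.
        if self.status != "active" or not self.exec_capable:
            return False
        return not (PLACEHOLDER.search(self.path) or PLACEHOLDER.search(self.command))

class Catalog:
    def __init__(self, entries):
        self.entries = list(entries)

    def find(self, query, exact_first=True):
        q = query.strip().lower()
        if exact_first:
            exact = [e for e in self.entries if e.id == q]
            if exact:
                return exact
        # Fallback: substring match on the id, which is where collisions arise.
        return [e for e in self.entries if q in e.id]

# Constructed catalog. The first entry uses identifiers quoted in the workplan;
# the "-read" sibling and the template path are hypothetical.
CATALOG = Catalog([
    RouteEntry("whynot-design-npm-publish", "active", True,
               "platform/workloads/coulomb/whynot-design/npm-publish",
               "bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read"),
    RouteEntry("whynot-design-npm-publish-read", "draft", True,
               "platform/workloads/coulomb/whynot-design/npm-publish", "<…>"),
    RouteEntry("openbao-api-key", "active", True,
               "platform/workloads/<tenant>/<workload>/api-key",
               "bao login -method=oidc -path=<domain>"),
])

def summary(query, **kw):
    # (id, resolvable) pairs, loosely modelled on a --json entry summary.
    return [(e.id, e.resolvable) for e in CATALOG.find(query, **kw)]
```

A caller that gates `--exec` on `resolvable` never runs a command with a literal `<domain>` in it, and a negative test should query a string that is not a substring of any catalog id.
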
### T3 — Close the loop

```task
id: WARDEN-WP-0018-T03
status: done
priority: medium
```

- [x] Notified whynot-design (reply 744977ae) with the zero-placeholder command
  `warden access whynot-design-npm-publish --exec -- npm publish`, the `resolvable` gate,
  the coulomb-tenant path correction, and the operator-go-ahead reminder.
- [x] Confirmed activation to railiance-platform (reply f76d3a9e). Sibling lanes
  (`issue-core-ingestion-api-key`, `openrouter-llm-connect`) stay `draft` per their
  deferral, pending CCR-2026-0002/0003 provisioning.

---

## Acceptance

- `warden access whynot-design-npm-publish` resolves to a concrete, owner-confirmed,
  zero-placeholder lane; `--json` reports `resolvable: true`.
- Template/generic lanes report `resolvable: false`; exact-id lookup is deterministic.
- No secret value in catalog, playbook, tests, or logs; ops-warden holds nothing.

## See also

- `WARDEN-WP-0014` (proxy lane), `WARDEN-WP-0017` (discoverability)
- railiance-platform CCR-2026-0001, `docs/workload-kv-access-lanes.md`