secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.6 KiB
whynot-design npm publish token
Date: 2026-06-29
Catalog: whynot-design-npm-publish (status active, resolvable: true)
Owner: railiance-platform (OpenBao) · provisioning CCR-2026-0001 (commit 8f617fc)
The NPM_AUTH_TOKEN that publishes @whynot/design to the coulomb Gitea npm registry
(https://gitea.coulomb.social/api/packages/coulomb/npm/). ops-warden does not hold
this token — it is the access front door: warden access proxies the read from OpenBao
as the caller and never persists, caches, or logs the value.
Owner-confirmed lane (no placeholders)
| Field | Value |
|---|---|
| OpenBao path | platform/workloads/coulomb/whynot-design/npm-publish |
| Field | NPM_AUTH_TOKEN |
| KV mount | platform |
| Read policy | workload-kv-read-whynot-design-npm-publish |
| OIDC login | bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read |
| Bound group | whynot-design |
| flex-auth ref | secret.read:whynot-design (if tenant policy requires pre-approval) |
| Runbook (owner) | railiance-platform/docs/workload-kv-access-lanes.md |
The
platform/workloads/whynot-design/whynot-design/npm-publishpath from early in the provisioning thread is superseded — the live path is under thecoulombtenant.
Worker checklist
-
Authenticate as yourself (you need your own identity; ops-warden adds none):
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-readYour token must carry the
whynot-designgroup bound claim; a non-whynot identity is denied by policy (verified negative case). -
Run via the owner-native front door (primary). secrets-engine owns the secret-exec for this lane (SECRETS-WP-0003, decision e6381a56); ops-warden routes to it:
secrets-engine route whynot-design-npm-publish --json # pointer / readiness secrets-engine exec --catalog whynot-design-npm-publish -- npm publishops-warden transparent fallback — same lane via the
warden accessproxy (fetches as you, holds nothing). Field-verified flags (whynot-design, @whynot/design@0.4.0):# --exec needs the env-var name; --no-policy is required while the gate is advisory # (policy.enabled=false), else the call exits 4. warden access whynot-design-npm-publish --no-policy --field NPM_AUTH_TOKEN \ --exec -- npm publish warden access whynot-design-npm-publish --no-policy --field NPM_AUTH_TOKEN --fetchOn either path the value transits to you (or the child env) and never enters ops-warden's memory, disk, or audit log.
-
Readiness gate (for automated callers). Before attempting
--fetch, check the flag:warden route show whynot-design-npm-publish --json | jq .resolvable # trueresolvable: truemeans the lane is concrete and--fetchwill run; a template lane reportsfalse. -
Publish is outward-facing and immutable.
npm publishis irreversible and public. Even once the token resolves, hold for an explicit operator "yes, publish" — do not auto-run it from an agent.
Scopes
This lane is the publish token only. A separate read/install token (for consumers
of @whynot/design) is a distinct need and would be its own catalog id
(whynot-design-npm-read) once railiance-platform provisions it — do not conflate them.
See also
wiki/OperatorAccessAssist.md— thewarden accessfront door + guardrailswiki/CredentialRouting.md— routing modelrailiance-platform/docs/workload-kv-access-lanes.md,workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md