Record whynot positive fetch verification

credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml

@@ -127,6 +127,16 @@ verification:
     - Live LLDAP group inventory did not contain whynot-design before this check.
     - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
     - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
+  - at: '2026-06-28T15:22:29+00:00'
+    actor: bernd.worsch
+    kind: positive_fetch_verification
+    result: passed
+    details:
+    - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy.
+    - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null.
+    - The secret value was not printed or recorded.
+    - A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
+    - Negative denial verification is still pending; keep the front door non-resolvable until it passes.
 lifecycle:
   deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
   rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation

docs/whynot-design-npm-publish-handoff.md

@@ -9,6 +9,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
 - Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888`
 - Status: applied; non-secret OpenBao apply checks passed 2026-06-28
 - Front door: `applied-pending-verify`, `resolvable=false`
+- Positive verification: passed 2026-06-28; negative verification pending
 - Catalog id: `whynot-design-npm-publish`
 - Tenant/org: `coulomb`
 - Workload/project: `whynot-design`
@@ -28,9 +29,9 @@ or copied into Git, State Hub, chat, or workplans.
 On 2026-06-28, the attended positive OIDC login advanced from a missing
 `groups` claim to a bound-claim mismatch. That means the role now requests the
 `groups` scope correctly, but the authenticating identity is not a member of
-`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
-user membership was changed. Add only the intended publisher/verifier identity
-to that group before retrying positive verification.
+`whynot-design`. The `whynot-design` LLDAP group was created and verified.
+The intended publisher/verifier identity was later added, and positive
+verification passed.
 
 ## Safety Rules
 
@@ -196,11 +197,16 @@ claim "groups" does not match any associated bound claim values
 then the groups claim is present, but the account is not in `whynot-design` or
 KeyCape did not emit that membership in the fresh login.
 
+The positive verification passed on 2026-06-28. During that run, the CLI printed
+the short-lived OpenBao login token; it was revoked immediately by accessor.
+Prefer `bao login -no-print` for future attended verification if the installed
+CLI accepts that flag.
+
 Use an attended shell, keep tracing disabled, and suppress command output:
 
 ```bash
 set +x
-bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
+bao login -no-print -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
 bao kv get -format=json platform/workloads/coulomb/whynot-design/npm-publish \
   | jq -e '.data.data.NPM_AUTH_TOKEN | type == "string" and length > 0' \
   >/dev/null