diff --git a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml index 40aeb54..686046c 100644 --- a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml +++ b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml @@ -127,6 +127,16 @@ verification: - Live LLDAP group inventory did not contain whynot-design before this check. - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim. - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design. + - at: '2026-06-28T15:22:29+00:00' + actor: bernd.worsch + kind: positive_fetch_verification + result: passed + details: + - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy. + - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null. + - The secret value was not printed or recorded. + - A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report. + - Negative denial verification is still pending; keep the front door non-resolvable until it passes. lifecycle: deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation diff --git a/docs/whynot-design-npm-publish-handoff.md b/docs/whynot-design-npm-publish-handoff.md index 19c9093..6839fdb 100644 --- a/docs/whynot-design-npm-publish-handoff.md +++ b/docs/whynot-design-npm-publish-handoff.md 
@@ -9,6 +9,7 @@ This is the next-session handoff for `CCR-2026-0001` and the - Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888` - Status: applied; non-secret OpenBao apply checks passed 2026-06-28 - Front door: `applied-pending-verify`, `resolvable=false` +- Positive verification: passed 2026-06-28; negative verification pending - Catalog id: `whynot-design-npm-publish` - Tenant/org: `coulomb` - Workload/project: `whynot-design` @@ -28,9 +29,9 @@ or copied into Git, State Hub, chat, or workplans. On 2026-06-28, the attended positive OIDC login advanced from a missing `groups` claim to a bound-claim mismatch. That means the role now requests the `groups` scope correctly, but the authenticating identity is not a member of -`whynot-design`. The `whynot-design` LLDAP group was created and verified; no -user membership was changed. Add only the intended publisher/verifier identity -to that group before retrying positive verification. +`whynot-design`. The `whynot-design` LLDAP group was created and verified. +The intended publisher/verifier identity was later added, and positive +verification passed. ## Safety Rules 
@@ -196,11 +197,16 @@ claim "groups" does not match any associated bound claim values then the groups claim is present, but the account is not in `whynot-design` or KeyCape did not emit that membership in the fresh login. +The positive verification passed on 2026-06-28. During that run, the CLI printed +the short-lived OpenBao login token; it was revoked immediately by accessor. +Prefer `bao login -no-print` for future attended verification if the installed +CLI accepts that flag. + Use an attended shell, keep tracing disabled, and suppress command output: ```bash set +x -bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read +bao login -no-print -method=oidc -path=netkingdom role=whynot-design-workload-kv-read bao kv get -format=json platform/workloads/coulomb/whynot-design/npm-publish \ | jq -e '.data.data.NPM_AUTH_TOKEN | type == "string" and length > 0' \ >/dev/null
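Review bot: the new `positive_fetch_verification` entry in the `CCR-2026-0001` YAML hunk has no preceding entry recording the LLDAP membership change it depends on; the unchanged context line directly above it says "No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design", so the log now jumps from "not a member" to "login succeeded" with nothing in between. Add a separate `at`/`actor`/`kind` entry (for example a membership-change kind) naming the identity that was added to `whynot-design`, who added it and when, so the verification chain is reconstructible without reading the handoff doc. In the same entry, the detail "A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report" should carry non-secret evidence of the revocation (the accessor value is not a secret, nor is the result of an accessor lookup after revoke returning not-found); "revoked" as a bare assertion is not an auditable check.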
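Review bot: the rewritten paragraph in the `@@ -28,9 +29,9 @@` hunk drops the only membership-scoping rule the handoff had. The removed text said "Add only the intended publisher/verifier identity to that group"; the replacement says "The intended publisher/verifier identity was later added" without naming the identity or the actor, and without stating that nothing else may be in that group. Because the `groups` bound claim is what gates `whynot-design-workload-kv-read`, group membership is the effective access-control list for this secret, and a reader doing the pending negative verification needs to know the expected membership is exactly one account. Suggest keeping a sentence such as "Only the intended publisher/verifier identity should be a member of `whynot-design`; any other membership is a finding" and citing the same date/actor recorded in the CCR verification log.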
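Review bot: in the `@@ -196,11 +197,16 @@` hunk the command line is changed unconditionally to `bao login -no-print -method=oidc -path=netkingdom role=whynot-design-workload-kv-read`, while the new prose two lines above hedges with "if the installed CLI accepts that flag". Either confirm the flag against the CLI version actually installed on the attended host before committing it into the runbook, or state the failure mode: an unrecognized flag makes the login fail outright (which is the safe direction, since nothing is printed, but it leaves the operator without a working procedure). Two follow-ups belong in the same block because the hunk itself records that a live token was printed last time: (1) suppressing printing does not remove the credential, since the login still persists the client token to the local token helper (that is how the later `bao kv get` authenticates), so the runbook should end with an explicit revocation step, such as `bao token revoke -self` if OpenBao keeps that option, or revoke by accessor as was done this time, plus deletion of the helper file; (2) where a token has already been echoed, shell scrollback and history on the attended host are the places it lingers, and the procedure should say to clear them, since "revoked by accessor" covers the token's validity but not the record of its value.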