Record whynot positive fetch verification

2026-06-28 17:26:10 +02:00
parent 2c1e76efca
commit 1e769c75a0
2 changed files with 20 additions and 4 deletions
--- a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
+++ b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
@@ -127,6 +127,16 @@ verification:
    - Live LLDAP group inventory did not contain whynot-design before this check.
    - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
    - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
+  - at: '2026-06-28T15:22:29+00:00'
+    actor: bernd.worsch
+    kind: positive_fetch_verification
+    result: passed
+    details:
+    - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy.
+    - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null.
+    - The secret value was not printed or recorded.
+    - A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
+    - Negative denial verification is still pending; keep the front door non-resolvable until it passes.
 lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation