Record whynot positive fetch verification

2026-06-28 17:26:10 +02:00
parent 2c1e76efca
commit 1e769c75a0
2 changed files with 20 additions and 4 deletions


@@ -9,6 +9,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
- Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888`
- Status: applied; non-secret OpenBao apply checks passed 2026-06-28
- Front door: `applied-pending-verify`, `resolvable=false`
- Positive verification: passed 2026-06-28; negative verification pending
- Catalog id: `whynot-design-npm-publish`
- Tenant/org: `coulomb`
- Workload/project: `whynot-design`
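Review bot: the new "Positive verification" line and the unchanged "Front door: `applied-pending-verify`, `resolvable=false`" line now sit side by side without saying how they relate; state explicitly that the front-door status stays `applied-pending-verify` until the pending negative verification also passes, so the next session does not read the positive pass as clearance to flip `resolvable`.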
@@ -28,9 +29,9 @@ or copied into Git, State Hub, chat, or workplans.
On 2026-06-28, the attended positive OIDC login advanced from a missing
`groups` claim to a bound-claim mismatch. That means the role now requests the
`groups` scope correctly, but the authenticating identity is not a member of
`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
user membership was changed. Add only the intended publisher/verifier identity
to that group before retrying positive verification.
`whynot-design`. The `whynot-design` LLDAP group was created and verified.
The intended publisher/verifier identity was later added, and positive
verification passed.
## Safety Rules
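Review bot: the replacement text drops the auditable detail that the removed lines carried. "Add only the intended publisher/verifier identity to that group" became "The intended publisher/verifier identity was later added", which records neither which identity was added to the `whynot-design` LLDAP group nor where that membership change is logged; name the identity (or point to the record of the change) so a later reviewer can confirm the group still contains only the intended member.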
@@ -196,11 +197,16 @@ claim "groups" does not match any associated bound claim values
then the groups claim is present, but the account is not in `whynot-design` or
KeyCape did not emit that membership in the fresh login.
The positive verification passed on 2026-06-28. During that run, the CLI printed
the short-lived OpenBao login token; it was revoked immediately by accessor.
Prefer `bao login -no-print` for future attended verification if the installed
CLI accepts that flag.
Use an attended shell, keep tracing disabled, and suppress command output:
```bash
set +x
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
bao login -no-print -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
bao kv get -format=json platform/workloads/coulomb/whynot-design/npm-publish \
| jq -e '.data.data.NPM_AUTH_TOKEN | type == "string" and length > 0' \
>/dev/null
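Review bot: the added prose hedges with "if the installed CLI accepts that flag", but the procedure line `bao login -no-print -method=oidc -path=netkingdom role=whynot-design-workload-kv-read` now uses `-no-print` unconditionally; either confirm the installed CLI version supports it and drop the hedge, or keep the plain form as a documented fallback. Note also that `-no-print` only suppresses printing: the token is still handed to the token helper so the following `bao kv get` works, which means the revoke-after-verification step that the prose says was done by accessor should be written into the procedure itself (for example `bao token revoke -self` after the `jq` check) rather than left to the operator's memory.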