Record whynot identity group evidence

2026-06-28 16:05:17 +02:00
parent 3527bc1cae
commit 2c1e76efca
2 changed files with 27 additions and 0 deletions
--- a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
+++ b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
@@ -118,6 +118,15 @@ verification:
    - Positive login reported missing groups claim because the role did not request the groups scope.
    - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
    - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
+  - at: '2026-06-28T14:01:47+00:00'
+    actor: codex
+    kind: non_secret_identity_group_check
+    result: applied
+    details:
+    - Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
+    - Live LLDAP group inventory did not contain whynot-design before this check.
+    - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
+    - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
 lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation