Record whynot identity group evidence

docs/whynot-design-npm-publish-handoff.md

@@ -12,6 +12,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
 - Catalog id: `whynot-design-npm-publish`
 - Tenant/org: `coulomb`
 - Workload/project: `whynot-design`
+- Bound IAM group: `whynot-design`
 - Secret path: `platform/workloads/coulomb/whynot-design/npm-publish`
 - Field: `NPM_AUTH_TOKEN`
 - Token source: Gitea package token for
@@ -24,6 +25,13 @@ binding and redirect URIs, the secret metadata has the expected catalog id, and
 the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
 or copied into Git, State Hub, chat, or workplans.
 
+On 2026-06-28, the attended positive OIDC login advanced from a missing
+`groups` claim to a bound-claim mismatch. That means the role now requests the
+`groups` scope correctly, but the authenticating identity is not a member of
+`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
+user membership was changed. Add only the intended publisher/verifier identity
+to that group before retrying positive verification.
+
 ## Safety Rules
 
 - Do not paste `NPM_AUTH_TOKEN` into Git, State Hub, chat, shell history, logs,
@@ -178,6 +186,16 @@ bao read auth/netkingdom/role/whynot-design-workload-kv-read
 Positive verification proves the approved whynot-design identity can fetch the
 field without exposing it in logs.
 
+Before retrying, confirm the account used for OIDC login is a member of the
+`whynot-design` LLDAP group. If OpenBao reports:
+
+```text
+claim "groups" does not match any associated bound claim values
+```
+
+then the groups claim is present, but the account is not in `whynot-design` or
+KeyCape did not emit that membership in the fresh login.
+
 Use an attended shell, keep tracing disabled, and suppress command output:
 
 ```bash