Record whynot identity group evidence

2026-06-28 16:05:17 +02:00
parent 3527bc1cae
commit 2c1e76efca
2 changed files with 27 additions and 0 deletions


@@ -12,6 +12,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
- Catalog id: `whynot-design-npm-publish`
- Tenant/org: `coulomb`
- Workload/project: `whynot-design`
- Bound IAM group: `whynot-design`
- Secret path: `platform/workloads/coulomb/whynot-design/npm-publish`
- Field: `NPM_AUTH_TOKEN`
- Token source: Gitea package token for
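Review bot: the new catalog line labels the group "Bound IAM group", while the later handoff text in this same commit calls the identical `whynot-design` group an "LLDAP group"; pick one term (or state on this line that the bound claim value resolves to the LLDAP group), because a reader checking membership needs to know which directory holds the group that OpenBao's `groups` bound claim is compared against.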
@@ -24,6 +25,13 @@ binding and redirect URIs, the secret metadata has the expected catalog id, and
the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
or copied into Git, State Hub, chat, or workplans.
On 2026-06-28, the attended positive OIDC login advanced from a missing
`groups` claim to a bound-claim mismatch. That means the role now requests the
`groups` scope correctly, but the authenticating identity is not a member of
`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
user membership was changed. Add only the intended publisher/verifier identity
to that group before retrying positive verification.
## Safety Rules
- Do not paste `NPM_AUTH_TOKEN` into Git, State Hub, chat, shell history, logs,
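Review bot: the sentence "the authenticating identity is not a member of `whynot-design`" states one cause as fact, but the verification section added in the same commit lists a second possible cause for the same bound-claim mismatch, namely that KeyCape did not emit the membership in the fresh login; qualify this paragraph to match ("either the account is not in the group, or the fresh login's `groups` claim did not carry it"). Also, "Add only the intended publisher/verifier identity to that group" gives no place to record which account was added and who approved it; since the paragraph explicitly records that "no user membership was changed", the handoff should say where that change is to be logged so the positive-verification evidence remains reproducible.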
@@ -178,6 +186,16 @@ bao read auth/netkingdom/role/whynot-design-workload-kv-read
Positive verification proves the approved whynot-design identity can fetch the
field without exposing it in logs.
Before retrying, confirm the account used for OIDC login is a member of the
`whynot-design` LLDAP group. If OpenBao reports:
```text
claim "groups" does not match any associated bound claim values
```
then the groups claim is present, but the account is not in `whynot-design` or
KeyCape did not emit that membership in the fresh login.
Use an attended shell, keep tracing disabled, and suppress command output:
```bash
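Review bot: "confirm the account used for OIDC login is a member of the `whynot-design` LLDAP group" names no way to do that check; since the surrounding rules forbid printing secrets and ask for tracing to stay disabled, say explicitly that membership is confirmed on the LLDAP side (admin UI or a directory query) rather than by decoding the ID token from the login, so nobody reaches for a token dump to see the `groups` claim. The `text` block quoting the OpenBao error is useful; consider also quoting the earlier "missing `groups` claim" message, so the reader can tell the two failure states apart from the log line alone.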