Record whynot identity group evidence

credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml

@@ -118,6 +118,15 @@ verification:
     - Positive login reported missing groups claim because the role did not request the groups scope.
     - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
     - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
+  - at: '2026-06-28T14:01:47+00:00'
+    actor: codex
+    kind: non_secret_identity_group_check
+    result: applied
+    details:
+    - Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
+    - Live LLDAP group inventory did not contain whynot-design before this check.
+    - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
+    - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
 lifecycle:
   deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
   rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation

docs/whynot-design-npm-publish-handoff.md

@@ -12,6 +12,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
 - Catalog id: `whynot-design-npm-publish`
 - Tenant/org: `coulomb`
 - Workload/project: `whynot-design`
+- Bound IAM group: `whynot-design`
 - Secret path: `platform/workloads/coulomb/whynot-design/npm-publish`
 - Field: `NPM_AUTH_TOKEN`
 - Token source: Gitea package token for
@@ -24,6 +25,13 @@ binding and redirect URIs, the secret metadata has the expected catalog id, and
 the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
 or copied into Git, State Hub, chat, or workplans.
 
+On 2026-06-28, the attended positive OIDC login advanced from a missing
+`groups` claim to a bound-claim mismatch. That means the role now requests the
+`groups` scope correctly, but the authenticating identity is not a member of
+`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
+user membership was changed. Add only the intended publisher/verifier identity
+to that group before retrying positive verification.
+
 ## Safety Rules
 
 - Do not paste `NPM_AUTH_TOKEN` into Git, State Hub, chat, shell history, logs,
@@ -178,6 +186,16 @@ bao read auth/netkingdom/role/whynot-design-workload-kv-read
 Positive verification proves the approved whynot-design identity can fetch the
 field without exposing it in logs.
 
+Before retrying, confirm the account used for OIDC login is a member of the
+`whynot-design` LLDAP group. If OpenBao reports:
+
+```text
+claim "groups" does not match any associated bound claim values
+```
+
+then the groups claim is present, but the account is not in `whynot-design` or
+KeyCape did not emit that membership in the fresh login.
+
 Use an attended shell, keep tracing disabled, and suppress command output:
 
 ```bash