Implement credential change request review flow

2026-06-27 22:57:21 +02:00
parent 8c1e64d5e0
commit 815b124ab1
7 changed files with 772 additions and 14 deletions


@@ -0,0 +1,72 @@
id: CCR-2026-0001
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: "whynot-design npm publish token lane"
status: proposed
created: "2026-06-27"
updated: "2026-06-27"
requester:
agent: ops-warden
message_id: "551031d1-335e-4db8-9535-820fea52d0a3"
reason: "Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish token."
review:
required: true
required_approvers:
- platform-operator
comments: []
target:
domain: financials
tenant: whynot-design
workload: whynot-design
environment: production
purpose: "npm package publishing through ops-warden caller-scoped fetch/exec"
openbao:
mount: platform
kv_path: platform/workloads/whynot-design/whynot-design/npm-publish
fields:
- NPM_AUTH_TOKEN
policy_name: workload-kv-read-whynot-design-npm-publish
policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl
auth:
method: oidc
mount: netkingdom
role: whynot-design-workload-kv-read
user_claim: sub
groups_claim: groups
bound_claims:
groups:
- whynot-design
bound_claims_confirmed: false
policies:
- workload-kv-read-whynot-design-npm-publish
ttl: 15m
access_frontdoor:
type: ops-warden
catalog_id: whynot-design-npm-token
selector: "npm auth token"
activation: "draft-until-ccr-verified"
risk:
classification: high
notes:
- "Grants read access to the credential used to publish npm packages."
- "The proposed OIDC bound claim must be confirmed before apply."
- "ops-warden must proxy the read as the caller and must not retain the token value."
verification:
positive:
- "Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao or ops-warden."
negative:
- "Non-whynot identity cannot read the path or field."
activation_conditions:
- "Policy applied with platform-admin/operator authority."
- "OIDC role bound to confirmed whynot-design claim or approved service account."
- "Secret value provisioned directly in OpenBao through approved operator custody."
- "Positive and negative verification recorded with non-secret audit ids or timestamps."
lifecycle:
deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
rotate: "Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation evidence."
compromised: "Immediately deactivate access front door, rotate npm token, record blast-radius notes, and open incident follow-up tasks."
state_hub:
workplan_id: RAILIANCE-WP-0007
related_workplan_id: RAILIANCE-WP-0006
ops_warden_reply_message_id: "b175c561-7858-43f5-a309-949b0dede1b4"
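Review bot: The negative verification under `verification.negative` only covers "Non-whynot identity cannot read the path or field", which leaves the requirement in the third risk note — that ops-warden proxies the read as the caller and does not retain the token — without a corresponding check, so the front door could read the path under its own identity and still pass every listed verification. Add a second negative item, e.g. `- "ops-warden's own service identity, without a caller-scoped token, cannot read the kv_path."`, and consider a positive item recording that a fetch with a revoked or expired caller token fails. Note also that the OpenBao policy named in `policy_name` is path-scoped, so the single entry under `fields` is enforced by the ops-warden selector rather than by the policy; the activation conditions should state that the secret at `kv_path` holds only `NPM_AUTH_TOKEN` or that additional fields are acceptable to expose. `review.required_approvers` lists only `platform-operator` while the first activation condition names "platform-admin/operator authority"; if both roles may approve, the approver list should say so. Indentation is not preserved in this rendering, so the nesting of `bound_claims`, `policies` and `access_frontdoor` under `auth` versus `openbao` could not be confirmed from the hunk.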