Implement credential change request review flow

workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Credential Change Proposal Review Workflow"
 domain: financials
 repo: railiance-platform
-status: ready
+status: active
 owner: codex
 topic_slug: railiance
 planning_priority: high
@@ -98,7 +98,7 @@ interactive runbook role, and compromise/deactivation path.
 
 ```task
 id: RAILIANCE-WP-0007-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "d50fb9e2-68c2-4a2b-8476-ce646d13e60a"
 ```
@@ -117,11 +117,17 @@ Acceptance:
   secrets.
 - Example CCR fixtures include the whynot-design npm token lane.
 
+**2026-06-27:** Added `schemas/credential-change-request.schema.yaml`, the
+`credential-change-requests/` storage directory, and
+`credential-change-requests/CCR-2026-0001-whynot-design-npm-token.yaml` as the
+first non-secret CCR fixture. The whynot CCR is intentionally `proposed` and
+marks the bound claim as unconfirmed, so apply is blocked until review.
+
 ## T03 - Add offline validation and rendering
 
 ```task
 id: RAILIANCE-WP-0007-T03
-status: todo
+status: done
 priority: high
 state_hub_task_id: "012f05cd-30ce-43dd-802b-4acc938db133"
 ```
@@ -138,11 +144,17 @@ Acceptance:
   plan.
 - A secret-pattern scan rejects likely token values in CCR files.
 
+**2026-06-27:** Added `scripts/credential-change.py validate` and `render`,
+plus Make targets `credential-change-validate` and `credential-change-render`.
+Validation rejects secret-looking markers and broad/unsafe request shapes; render
+produces the chat/State Hub review summary and highlights unconfirmed bound
+claims. Unit coverage lives in `tests/test_credential_change.py`.
+
 ## T04 - Generate OpenBao apply plans from approved CCRs
 
 ```task
 id: RAILIANCE-WP-0007-T04
-status: todo
+status: progress
 priority: high
 state_hub_task_id: "1b2e7752-815c-46f8-a2e2-212e8d04da80"
 ```
@@ -159,11 +171,18 @@ Acceptance:
 - The applier uses an approved operator authority path and does not accept raw
   tokens in argv or logs.
 
+**2026-06-27:** Added `plan` and guarded `apply-plan` rendering for workload KV
+CCRs, with Make targets `credential-change-plan` and
+`credential-change-apply-plan`. `apply-plan` currently refuses any CCR that is
+not `approved` and also refuses unconfirmed bound claims. Remaining T04 work is
+to add a richer diff against existing source artifacts and eventually bridge
+from reviewed plan to the interactive live applier.
+
 ## T05 - Add chat/CLI approval commands
 
 ```task
 id: RAILIANCE-WP-0007-T05
-status: todo
+status: progress
 priority: high
 state_hub_task_id: "e6d4d2d1-1881-4db7-92f8-05e3fdb846ae"
 ```
@@ -180,6 +199,11 @@ Acceptance:
 - Agents can propose changes and respond to review comments without receiving
   secret values.
 
+**2026-06-27:** Added file-backed `approve`, `deny`, and `needs-changes`
+commands that require reviewer and comment text and append non-secret review
+comments to the CCR. Remaining T05 work is State Hub decision-event emission and
+tighter chat integration.
+
 ## T06 - Build an interactive runbook for apply and verify
 
 ```task
@@ -204,7 +228,7 @@ Acceptance:
 
 ```task
 id: RAILIANCE-WP-0007-T07
-status: todo
+status: progress
 priority: high
 state_hub_task_id: "07a7d8bf-5528-41c8-a791-d6ccd0466a33"
 ```
@@ -220,6 +244,10 @@ Acceptance:
   provisioning, verifies access, and notifies ops-warden.
 - ops-warden activates its catalog entry only after CCR verification.
 
+**2026-06-27:** The whynot-design lane is represented as `CCR-2026-0001` and
+can be rendered for review. It remains proposed/unapproved with unconfirmed
+bound claims, so live apply and ops-warden activation are correctly blocked.
+
 ## T08 - Add deactivation, rotation, and compromise flows
 
 ```task