Add credential approval workflow plan

This commit is contained in:
2026-06-27 22:48:24 +02:00
parent 9d42c73833
commit 85a4278a55
8 changed files with 1103 additions and 0 deletions

View File

@@ -0,0 +1,13 @@
# Least-privilege read policy for the whynot-design npm publish token.
#
# This policy intentionally grants only read access to the single KV-v2 secret
# path used by ops-warden's caller-scoped access lane. It does not grant list
# access to sibling workloads or mutation capabilities.
path "platform/data/workloads/whynot-design/whynot-design/npm-publish" {
capabilities = ["read"]
}
path "platform/metadata/workloads/whynot-design/whynot-design/npm-publish" {
capabilities = ["read"]
}