Activate whynot npm credential lane

2026-06-29 00:13:09 +02:00
parent e88c7829f3
commit 8f617fcbf4
5 changed files with 67 additions and 31 deletions


@@ -3,9 +3,9 @@ kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: whynot-design npm publish token lane
status: applied
status: active
created: '2026-06-27'
updated: '2026-06-28'
updated: '2026-06-29'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
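Review bot: the `updated: '2026-06-29'` bump is in a different timezone convention from the evidence that justifies it. The verification entries added further down are stamped `2026-06-28T22:06:43+00:00` and `2026-06-28T22:08:50+00:00`, and the commit itself is `2026-06-29 00:13:09 +02:00`, i.e. 22:13 UTC on the 28th, so `updated` reads as a local-time date while the `at:` fields are UTC. Since an auditor will compare `updated` against the `verification` timestamps to confirm the status flip followed the checks, record `updated` in UTC (or a full ISO timestamp) so the ordering is unambiguous, and consider stating the timezone convention in the schema for `created`/`updated`.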
@@ -78,9 +78,9 @@ access_frontdoor:
catalog_id: whynot-design-npm-publish
selector: npm publish token
command: warden access whynot-design-npm-publish --exec -- npm publish
resolvable: false
readiness: applied-pending-verify
activation: pending-positive-and-negative-caller-verification
resolvable: true
readiness: ready
activation: verified-positive-and-negative-caller-verification
risk:
classification: high
notes:
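Review bot: the flip to `resolvable: true` / `readiness: ready` is not linked to the evidence that gates it. `activation: verified-positive-and-negative-caller-verification` is a free-text assertion; nothing in this block points at which `verification` entries (by `at:` timestamp or actor) satisfied the positive and negative gates. For a `classification: high` lane whose front door runs `--exec -- npm publish`, add an explicit reference (for example a `verified_by:` list of the two entry timestamps) so the resolvable state can be checked mechanically against the log rather than by reading the string, and so a later rotation or re-verification has a clear field to invalidate.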
@@ -137,6 +137,22 @@ verification:
- The secret value was not printed or recorded.
- A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
- Negative denial verification is still pending; keep the front door non-resolvable until it passes.
- at: '2026-06-28T22:06:43+00:00'
actor: bernd.worsch
kind: negative_denial_verification
result: passed
details:
- platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check.
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch.
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded.
- at: '2026-06-28T22:08:50+00:00'
actor: codex
kind: identity_group_restore
result: passed
details:
- Restored platform-root membership in the whynot-design LLDAP group after negative verification.
- Verified whynot-design membership contains platform-root and no unexpected additional users.
- Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
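Review bot: the negative check was performed by temporarily removing `platform-root` from the `whynot-design` LLDAP group, but the removal itself has no entry of its own; it is only mentioned inside the `negative_denial_verification` details, so the window during which a root principal lacked that membership (until the `identity_group_restore` at `22:08:50`) is not bounded by a recorded start time or actor. Record the removal as its own timestamped step (actor, what was changed), and note whether any other access depends on that group so the blast radius of the attended check is visible; a dedicated negative-test identity would avoid mutating a root principal at all. Two smaller points: the restore was done by `codex` while the denial check was attended by `bernd.worsch`, so state who attended the restore, and the earlier context bullet "Negative denial verification is still pending; keep the front door non-resolvable until it passes" is now superseded by the new entries; leaving it unchanged is fine for a log, but the new `identity_group_restore` entry should say it supersedes that instruction rather than only that the gates are complete. Also, "Verified whynot-design membership contains platform-root and no unexpected additional users" should say how the membership was listed so the check is reproducible.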