Activate whynot npm credential lane
@@ -3,9 +3,9 @@ kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: whynot-design npm publish token lane
|
||||
status: applied
|
||||
status: active
|
||||
created: '2026-06-27'
|
||||
updated: '2026-06-28'
|
||||
updated: '2026-06-29'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
@@ -78,9 +78,9 @@ access_frontdoor:
|
||||
catalog_id: whynot-design-npm-publish
|
||||
selector: npm publish token
|
||||
command: warden access whynot-design-npm-publish --exec -- npm publish
|
||||
resolvable: false
|
||||
readiness: applied-pending-verify
|
||||
activation: pending-positive-and-negative-caller-verification
|
||||
resolvable: true
|
||||
readiness: ready
|
||||
activation: verified-positive-and-negative-caller-verification
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
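Review bot: `resolvable`, `readiness` and `activation` under `access_frontdoor` are three hand-edited fields that encode one state, and nothing in this hunk ties their new values to the evidence that justifies them. For an entry with `classification: high`, consider having `activation` reference the `negative_denial_verification` and `identity_group_restore` entries by their `at` timestamps, so a later reader or a lint can confirm that `resolvable: true` is backed by a passed negative check. The value `verified-positive-and-negative-caller-verification` also repeats "verification"; a shorter token would be easier to match on.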
@@ -137,6 +137,22 @@ verification:
|
||||
- The secret value was not printed or recorded.
|
||||
- A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
|
||||
- Negative denial verification is still pending; keep the front door non-resolvable until it passes.
|
||||
- at: '2026-06-28T22:06:43+00:00'
|
||||
actor: bernd.worsch
|
||||
kind: negative_denial_verification
|
||||
result: passed
|
||||
details:
|
||||
- platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check.
|
||||
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch.
|
||||
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded.
|
||||
- at: '2026-06-28T22:08:50+00:00'
|
||||
actor: codex
|
||||
kind: identity_group_restore
|
||||
result: passed
|
||||
details:
|
||||
- Restored platform-root membership in the whynot-design LLDAP group after negative verification.
|
||||
- Verified whynot-design membership contains platform-root and no unexpected additional users.
|
||||
- Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
|
||||
|
||||
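Review bot: the `negative_denial_verification` entry was produced by removing platform-root from the live whynot-design LLDAP group, so the denial was exercised with the identity that normally holds access, and production group membership stayed modified until the `identity_group_restore` entry. A dedicated identity that is never a member of whynot-design would produce the same groups bound-claim mismatch without touching live membership, and the check could then be repeated on every rotation. The earlier detail line "Negative denial verification is still pending; keep the front door non-resolvable until it passes." is left unchanged above the new entries and now reads as contradicting the ready state; mark it as superseded or reference it from the new entry.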