Activate whynot npm credential lane
@@ -7,9 +7,10 @@ This is the next-session handoff for `CCR-2026-0001` and the
- CCR: `CCR-2026-0001`
- Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888`
- Status: applied; non-secret OpenBao apply checks passed 2026-06-28
- Front door: `applied-pending-verify`, `resolvable=false`
- Positive verification: passed 2026-06-28; negative verification pending
- Status: active; non-secret OpenBao apply and verification checks passed
- Front door: `ready`, `resolvable=true`
- Positive verification: passed 2026-06-28
- Negative verification: passed 2026-06-28
- Catalog id: `whynot-design-npm-publish`
- Tenant/org: `coulomb`
- Workload/project: `whynot-design`
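Review bot: the replacement `Status` line drops the date that the removed line carried (`apply checks passed 2026-06-28`) while the new `Positive verification` and `Negative verification` lines keep theirs; for a handoff record it is worth keeping the date on the status line as well, e.g. `- Status: active; non-secret OpenBao apply and verification checks passed 2026-06-28`.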
@@ -30,8 +31,10 @@ On 2026-06-28, the attended positive OIDC login advanced from a missing
`groups` claim to a bound-claim mismatch. That means the role now requests the
`groups` scope correctly, but the authenticating identity is not a member of
`whynot-design`. The `whynot-design` LLDAP group was created and verified.
The intended publisher/verifier identity was later added, and positive
verification passed.
The intended publisher/verifier identity was later added, positive
verification passed, then `platform-root` was temporarily removed for negative
verification. The negative check passed with a groups bound-claim mismatch, and
`platform-root` was restored to `whynot-design`.
## Safety Rules
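Review bot: `The negative check passed with a groups bound-claim mismatch` in the added paragraph reads as if the login itself succeeded despite the mismatch; since the point of the negative check is that OpenBao rejected the login, say so explicitly, e.g. `The negative check passed: OpenBao rejected the OIDC login with a groups bound-claim mismatch, so no token was issued`. The paragraph also names no actor or timestamp for the temporary removal and restore of `platform-root`, which the Safety Rules further down in this same file ask to be recorded for every verification step.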
@@ -40,8 +43,8 @@ verification passed.
- Do not run verification with shell tracing enabled.
- Record only non-secret evidence: path, field name, metadata keys, policy name,
role name, actor, timestamp, and pass/fail result.
- Do not mark the ops-warden catalog entry ready until positive and negative
verification are complete.
- Mark ops-warden catalog entries ready only after positive and negative
verification are complete. For this lane, both checks have passed.
## OpenBao Secret Check
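Review bot: the added sentence `For this lane, both checks have passed.` turns a general safety rule into a lane-specific status note; the status block at the top of the file already records both verification results with dates, so keeping this bullet as the bare rule (`Mark ops-warden catalog entries ready only after positive and negative verification are complete.`) avoids two places that must be kept in sync when the lane state changes again.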
@@ -223,6 +226,11 @@ or store any token value.
Record only the denial result and non-secret audit timestamp/request metadata.
The negative verification passed on 2026-06-28. `platform-root` was temporarily
removed from `whynot-design`; OpenBao rejected the OIDC login with a groups
bound-claim mismatch, so no OpenBao client token was issued and the secret was
not read. `platform-root` was then restored to `whynot-design`.
## Activation
Only after these are true:
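Review bot: the added paragraph records that `platform-root` was restored to `whynot-design`, but not that the positive login was re-checked afterwards, so the `ready`/`resolvable=true` state rests on a positive verification taken before the group membership was changed; a one-line post-restore positive check result would close that gap. The preceding context line asks for the non-secret audit timestamp/request metadata of the denial to be recorded, and the paragraph gives only the date; add the audit request metadata reference (no token values) here or point to where it is kept.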
@@ -234,12 +242,12 @@ Only after these are true:
- positive verification passed;
- negative verification passed;
then `CCR-2026-0001` can move toward `active`, and ops-warden can mark
`CCR-2026-0001` is now `active`, and ops-warden can mark
`whynot-design-npm-publish` `ready`/`resolvable=true`.
Until then, keep the front door as:
Current front door:
```text
readiness = applied-pending-verify
resolvable = false
readiness = ready
resolvable = true
```
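Review bot: with `then ... can move toward active` replaced by `CCR-2026-0001 is now active, and ops-warden can mark ...`, the unchanged lead-in `Only after these are true:` and the `- positive verification passed;` / `- negative verification passed;` list no longer form a sentence: the conditions end in a semicolon and run straight into a statement of fact. Either keep the conditional as the gating rule and add a separate `Current status:` line, or change the lead-in to match (`These are now true:`). The `readiness = ready` / `resolvable = true` block does agree with the front-door values in the status section at the top of the file.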