coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Activate whynot npm credential lane

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-29 00:13:09 +02:00
parent e88c7829f3
commit 8f617fcbf4
5 changed files with 67 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
workplans/RAILIANCE-WP-0006-workload-kv-access-lanes.md
View File

@@ -233,7 +233,7 @@ chat, or workplans.
```task
id: RAILIANCE-WP-0006-T05
status: progress
status: done
priority: high
state_hub_task_id: "dc1f470b-e78a-48a9-9957-965aed47861f"
```
@@ -259,6 +259,11 @@ metadata, and field presence. Remaining verification is the attended
whynot-design OIDC positive check and a non-whynot denial check, both without
printing the token.
**2026-06-29:** Positive and negative caller verification passed without
printing the token value. The negative check failed OIDC login with the expected
groups bound-claim mismatch. `platform-root` was restored to the
`whynot-design` group after the temporary negative-test removal.
## T06 - Coordinate ops-warden catalog activation
```task
@@ -291,6 +296,11 @@ the check with explicit `--path` and `--field`, but the dedicated
`whynot-design-npm-publish` route is not yet present in the ops-warden routing
catalog. Keep activation pending until caller verification and catalog update.
**2026-06-29:** `CCR-2026-0001` is now active with
`access_frontdoor.readiness=ready` and `resolvable=true`. ops-warden still needs
to confirm that its dedicated `whynot-design-npm-publish` catalog selector
resolves through the caller-scoped lane.
## T07 - Decide whether to batch sibling workload-KV requests
```task

6
workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md
View File

@@ -296,6 +296,12 @@ OpenBao read policy and OIDC role, confirmed metadata `catalog-id`, and confirme
now records non-secret evidence for that apply check. Positive whynot-design and
negative non-whynot caller verification still gate `active`/`ready`.
**2026-06-29:** The whynot-design pilot completed OpenBao verification. Positive
fetch succeeded with output suppressed, negative login failed with the expected
groups bound-claim mismatch, `platform-root` membership was restored afterward,
and `CCR-2026-0001` is now active/ready/resolvable. ops-warden catalog
confirmation remains the external closeout step.
## T08 - Add deactivation, rotation, and compromise flows
```task