From a27a114491ff48d7e7350ec21d375ee41b8f4333 Mon Sep 17 00:00:00 2001
From: tegwick <bernd.worsch@gmail.com>
Date: Sun, 28 Jun 2026 00:13:37 +0200
Subject: [PATCH] Approve whynot credential CCR

---
 .../CCR-2026-0001-whynot-design-npm-publish.yaml       |  8 +++++++-
 tests/test_credential_change.py                        | 10 +++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
index 707be57..b1b476a 100644
--- a/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
+++ b/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml
@@ -3,7 +3,7 @@ kind: credential-change-request
 schema_version: 1
 request_type: workload-kv-read
 title: whynot-design npm publish token lane
-status: proposed
+status: approved
 created: '2026-06-27'
 updated: '2026-06-27'
 requester:
@@ -21,6 +21,11 @@ review:
     decision: binding_confirmed
     comment: 'Confirmed in chat: groups=whynot-design is the intended KeyCape/NetKingdom
       binding for the whynot-design npm publish lane.'
+  - at: '2026-06-27T22:06:18+00:00'
+    reviewer: human
+    decision: approved
+    comment: 'State Hub decision 250669d0-8475-4527-9624-cd072249f9a9: APPROVE: scoped
+      path and confirmed binding are acceptable'
 target:
   domain: financials
   tenant: whynot-design
@@ -88,3 +93,4 @@ state_hub:
   decision_id: 250669d0-8475-4527-9624-cd072249f9a9
   decision_api_url: http://127.0.0.1:8000/decisions/250669d0-8475-4527-9624-cd072249f9a9
   decision_dashboard_url: http://127.0.0.1:3000/decisions
+  decision_resolved_at: '2026-06-27T22:04:32.956077Z'
diff --git a/tests/test_credential_change.py b/tests/test_credential_change.py
index b4e0197..75a4209 100644
--- a/tests/test_credential_change.py
+++ b/tests/test_credential_change.py
@@ -58,16 +58,20 @@ class CredentialChangeTests(unittest.TestCase):
     def test_status_payload_marks_template_not_resolvable(self) -> None:
         ccr, _errors, warnings = credential_change.validate_ccr(self.sample)
         payload = credential_change.status_payload(ccr, warnings)
-        self.assertFalse(payload["apply_allowed"])
+        self.assertTrue(payload["apply_allowed"])
         self.assertFalse(payload["frontdoor_resolvable"])
         self.assertEqual(payload["access_frontdoor"]["readiness"], "template")
         self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
-        self.assertEqual(payload["apply_blockers"], ["apply requires status approved, got proposed"])
+        self.assertEqual(payload["apply_blockers"], [])
         self.assertEqual(payload["warnings"], [])
         self.assertEqual(
             payload["state_hub"]["decision_id"],
             "250669d0-8475-4527-9624-cd072249f9a9",
         )
+        self.assertIn(
+            "front door requires CCR status active, got approved",
+            payload["frontdoor_blockers"],
+        )
         self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
 
     def test_state_hub_rationale_prefix_maps_to_ccr_status(self) -> None:
@@ -120,7 +124,7 @@ class CredentialChangeTests(unittest.TestCase):
 
     def test_apply_plan_refuses_unapproved_ccr(self) -> None:
         with self.assertRaises(SystemExit):
-            credential_change.command_apply_plan(type("Args", (), {"ref": str(self.sample)})())
+            credential_change.command_apply_plan(type("Args", (), {"ref": str(self.issue_core)})())
 
     def test_approve_records_comment_but_unconfirmed_claim_still_blocks_apply(self) -> None:
         with tempfile.TemporaryDirectory() as tmp: