Add credential-change delegated applier flow
@@ -30,7 +30,7 @@ Ops-warden batch follow-up:
|
||||
| KV mount | `platform` |
|
||||
| OpenBao CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
|
||||
| Secret field | `NPM_AUTH_TOKEN` |
|
||||
| Front-door readiness | `applied-pending-verify`, `resolvable=false` until caller verification |
|
||||
| Front-door readiness | `active`, `resolvable=true` in ops-warden |
|
||||
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
|
||||
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
|
||||
| OIDC auth mount | `netkingdom` |
|
||||
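Review bot: the `Front-door readiness` row appears twice in this hunk, once as `applied-pending-verify`, `resolvable=false` until caller verification and once as `active`, `resolvable=true` in ops-warden. The `active` row names ops-warden as the source but does not say whether the caller verification the other row was waiting on took place. If the lane became active because the caller verified it, state that in the row or cite the evidence there, so a reader of the table alone can tell the gate was passed rather than skipped.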
@@ -57,6 +57,13 @@ Expected ops-warden exec shape after activation:
|
||||
warden access whynot-design-npm-publish --exec -- npm publish
|
||||
```
|
||||
|
||||
Ops-warden confirmed activation in State Hub message
|
||||
`f76d3a9e-a98f-4081-885d-b79d94312699`: selector
|
||||
`whynot-design-npm-publish` is active, resolvable, and wired to this
|
||||
caller-scoped lane. The sibling lanes `issue-core-ingestion-api-key` and
|
||||
`openrouter-llm-connect` remain draft and are tracked separately by
|
||||
`RAILIANCE-WP-0009` and `RAILIANCE-WP-0010`.
|
||||
|
||||
The fetch command returns the secret value to the authenticated caller. Run it
|
||||
only in an attended shell or through a process that consumes the value without
|
||||
logging it.
|
||||
|
||||
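Review bot: the paragraph added after the `warden access whynot-design-npm-publish --exec -- npm publish` example records activation only by a State Hub message id, with no date and no indication of who confirmed it on the caller side. Consider adding the confirmation date beside the message id. The section heading shown in the hunk header still reads "Expected ops-warden exec shape after activation", which could be reworded now that the lane is described as active. The new paragraph also lands between the command example and the existing caution that the fetch command returns the secret value to the caller; keeping that caution directly under the commands would make it harder to miss.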