Add credential lane readiness proposals

docs/credential-change-approval.md

@@ -50,6 +50,8 @@ The CCR must be non-secret. It may contain:
 - proposed auth bindings and bound claims;
 - delivery surface such as ops-warden, External Secrets, CSI, or direct caller
   fetch;
+- machine-readable front-door readiness, including `readiness` and
+  `resolvable`;
 - risk classification and approval requirements;
 - generated apply plan;
 - verification plan;
@@ -109,7 +111,9 @@ Auth binding:
   netkingdom OIDC role whynot-design-workload-kv-read
   bound claim: groups includes whynot-design
 Access front door:
-  ops-warden whynot-design-npm-token
+  ops-warden whynot-design-npm-publish
+  readiness: template
+  resolvable: false
 Risk:
   grants read access to npm publish credential
 Checks:
@@ -143,6 +147,8 @@ The first implemented CLI slice is:
 make credential-change-validate
 make credential-change-render CREDENTIAL_CHANGE=CCR-2026-0001
 make credential-change-plan CREDENTIAL_CHANGE=CCR-2026-0001
+make credential-change-status CREDENTIAL_CHANGE=CCR-2026-0001
+make credential-change-status-json CREDENTIAL_CHANGE=CCR-2026-0001
 scripts/credential-change.py approve CCR-2026-0001 --reviewer <name> --comment "..."
 scripts/credential-change.py deny CCR-2026-0001 --reviewer <name> --comment "..."
 scripts/credential-change.py needs-changes CCR-2026-0001 --reviewer <name> --comment "..."
@@ -193,7 +199,8 @@ For draft requests, ops-warden may create a draft catalog entry that points to
 the CCR, but it should not activate the entry until the CCR is verified.
 
 For `warden access --fetch` / `--exec`, the catalog should include the CCR id
-and refuse active use when the CCR state is not `active`.
+and refuse active use when the CCR state is not `active`, `readiness` is not
+`ready`, or `resolvable` is not `true`.
 
 ## Interactive Runbook Role
 

docs/workload-kv-access-lanes.md

@@ -16,15 +16,19 @@ The first lane is for ops-warden `warden access --fetch` / `--exec`.
 
 ## whynot-design npm Publish Token
 
-Ops-warden request:
+Ops-warden original request:
 `551031d1-335e-4db8-9535-820fea52d0a3`
 
+Ops-warden batch follow-up:
+`fe5b1696-8956-4bd5-9d6f-dbde1901a076`
+
 | Item | Value |
 | --- | --- |
-| ops-warden catalog id | `whynot-design-npm-token` |
+| ops-warden catalog id | `whynot-design-npm-publish` |
 | KV mount | `platform` |
 | OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
 | Secret field | `NPM_AUTH_TOKEN` |
+| Front-door readiness | `template`, `resolvable=false` until CCR verification |
 | Read policy | `workload-kv-read-whynot-design-npm-publish` |
 | Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
 | OIDC auth mount | `netkingdom` |
@@ -38,12 +42,18 @@ Expected caller login shape:
 bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
 ```
 
-Expected fetch shape:
+Expected OpenBao fetch shape:
 
 ```bash
 bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
 ```
 
+Expected ops-warden exec shape after activation:
+
+```bash
+warden access whynot-design-npm-publish --exec -- npm publish
+```
+
 The fetch command returns the secret value to the authenticated caller. Run it
 only in an attended shell or through a process that consumes the value without
 logging it.
@@ -139,7 +149,7 @@ Negative verification:
 Send ops-warden only these pointers:
 
 ```text
-catalog id: whynot-design-npm-token
+catalog id: whynot-design-npm-publish
 mount: platform
 path: platform/workloads/whynot-design/whynot-design/npm-publish
 field: NPM_AUTH_TOKEN
@@ -151,4 +161,5 @@ runbook: docs/workload-kv-access-lanes.md
 ```
 
 Until live provisioning and verification are complete, ops-warden should keep
-the catalog entry in `draft` or equivalent non-active state.
+the catalog entry in `template`/`draft` or equivalent non-active state with
+`resolvable=false`.