Add credential lane readiness proposals

This commit is contained in:
2026-06-27 23:30:29 +02:00
parent 815b124ab1
commit aee0dcefad
13 changed files with 425 additions and 25 deletions


@@ -50,6 +50,8 @@ The CCR must be non-secret. It may contain:
- proposed auth bindings and bound claims;
- delivery surface such as ops-warden, External Secrets, CSI, or direct caller
fetch;
- machine-readable front-door readiness, including `readiness` and
`resolvable`;
- risk classification and approval requirements;
- generated apply plan;
- verification plan;
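Review bot: the new bullet introduces `readiness` and `resolvable` as machine-readable fields but does not state their value sets, so consumers cannot validate them from this section alone. The only values visible elsewhere in this change are `readiness: template` (the example) and `readiness` must be `ready` / `resolvable` must be `true` (the enforcement rule); list the full set of `readiness` values here and say explicitly that `resolvable` is a boolean, so a string `"false"` cannot be mistaken for a usable front door.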
@@ -109,7 +111,9 @@ Auth binding:
netkingdom OIDC role whynot-design-workload-kv-read
bound claim: groups includes whynot-design
Access front door:
ops-warden whynot-design-npm-token
ops-warden whynot-design-npm-publish
readiness: template
resolvable: false
Risk:
grants read access to npm publish credential
Checks:
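Review bot: the example sets `readiness: template` and `resolvable: false` while still listing two ops-warden entries under `Access front door:`, and nothing explains the relationship between the two fields. Add a one-line note to the example saying whether `readiness: ready` can coexist with `resolvable: false` (for instance a catalog entry that exists but cannot yet be fetched), otherwise readers will treat the two as redundant.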
@@ -143,6 +147,8 @@ The first implemented CLI slice is:
make credential-change-validate
make credential-change-render CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-plan CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status-json CREDENTIAL_CHANGE=CCR-2026-0001
scripts/credential-change.py approve CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py deny CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py needs-changes CCR-2026-0001 --reviewer <name> --comment "..."
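Review bot: the two new `credential-change-status` targets are listed without saying what they report. Document that `credential-change-status-json` is the machine-readable form, which fields it emits (at minimum the CCR state plus `readiness` and `resolvable`), and whether it exits non-zero when the request is not usable, since that is what an ops-warden integration would key on.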
@@ -193,7 +199,8 @@ For draft requests, ops-warden may create a draft catalog entry that points to
the CCR, but it should not activate the entry until the CCR is verified.
For `warden access --fetch` / `--exec`, the catalog should include the CCR id
and refuse active use when the CCR state is not `active`.
and refuse active use when the CCR state is not `active`, `readiness` is not
`ready`, or `resolvable` is not `true`.
## Interactive Runbook Role
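Review bot: the rule now refuses active use unless state is `active`, `readiness` is `ready` and `resolvable` is `true`, but it does not say what happens when `readiness` or `resolvable` is absent, which is the case for every CCR written before these fields existed. State that a missing field is treated as not ready (fail closed), and have the refusal report which of the three conditions failed so an operator can tell an unapproved request from a template one.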