Prepare whynot npm token handoff

workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md

@@ -275,6 +275,17 @@ remains `readiness: template` and `resolvable: false`. Added guarded
 reviewed non-secret policy and auth-role commands without hand-writing them;
 secret value provisioning and verification remain under approved custody.
 
+**2026-06-28:** After correcting the tenant/org to `coulomb`, the corrected
+approval was synced from State Hub decision
+`e6381a56-6b04-4fd5-b2de-f3ef59cde888`; `CCR-2026-0001` is approved and
+`apply_allowed: true` for
+`platform/workloads/coulomb/whynot-design/npm-publish`. The operator reported
+secret provisioning likely completed, but Codex metadata-only verification still
+received `403 permission denied`. Prepared
+`docs/whynot-design-npm-publish-handoff.md` as the next-session checklist for
+policy, auth-role, metadata verification, positive verification, negative
+verification, and activation without printing the token.
+
 ## T08 - Add deactivation, rotation, and compromise flows
 
 ```task