Correct whynot credential tenant path

docs/argocd-gitops.md

@@ -137,12 +137,16 @@ Default pattern:
    workload namespace.
 3. Reference that Kubernetes Secret from the Deployment, Job, or CronJob.
 
-Path convention:
+Path convention for workload credential custody:
 
 ```text
-platform/workloads/<namespace>/<service-account>/<secret-name>
+platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
 ```
 
+Kubernetes namespace and service-account bounds belong in the OpenBao auth role
+or External Secrets binding, not in the tenant segment unless the namespace is
+itself the approved workload identity.
+
 Use CSI-mounted files only for workloads that need file references, sharper
 mount boundaries, or refresh behavior that should not rewrite application
 manifests. Do not use the OpenBao injector in the current deployment.

docs/credential-change-approval.md

@@ -103,7 +103,7 @@ A reviewer should see a concise rendered proposal:
 Request: whynot-design npm publish token lane
 Type: workload-kv-read
 Mount/path/field:
-  platform/workloads/whynot-design/whynot-design/npm-publish
+  platform/workloads/coulomb/whynot-design/npm-publish
   NPM_AUTH_TOKEN
 Policy:
   workload-kv-read-whynot-design-npm-publish

docs/openbao.md

@@ -395,7 +395,7 @@ tenant contract):
 Path convention:
 
 ```text
-platform/workloads/<namespace>/<service-account>/<secret-name>
+platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
 platform/object-storage/<consumer>
 platform/databases/<consumer>
 platform/operators/<purpose>

docs/workload-kv-access-lanes.md

@@ -25,8 +25,10 @@ Ops-warden batch follow-up:
 | Item | Value |
 | --- | --- |
 | ops-warden catalog id | `whynot-design-npm-publish` |
+| Tenant/org | `coulomb` |
+| Workload/project | `whynot-design` |
 | KV mount | `platform` |
-| OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
+| OpenBao CLI path | `platform/workloads/coulomb/whynot-design/npm-publish` |
 | Secret field | `NPM_AUTH_TOKEN` |
 | Front-door readiness | `template`, `resolvable=false` until CCR verification |
 | Read policy | `workload-kv-read-whynot-design-npm-publish` |
@@ -45,7 +47,7 @@ bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
 Expected OpenBao fetch shape:
 
 ```bash
-bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
+bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish
 ```
 
 Expected ops-warden exec shape after activation:
@@ -63,8 +65,8 @@ logging it.
 The source policy grants only:
 
 ```text
-read platform/data/workloads/whynot-design/whynot-design/npm-publish
-read platform/metadata/workloads/whynot-design/whynot-design/npm-publish
+read platform/data/workloads/coulomb/whynot-design/npm-publish
+read platform/metadata/workloads/coulomb/whynot-design/npm-publish
 ```
 
 It does not grant write, delete, patch, sudo, auth, sibling workload, or parent
@@ -121,7 +123,7 @@ and service account.
 An approved operator must create or confirm the secret with:
 
 ```text
-path:  platform/workloads/whynot-design/whynot-design/npm-publish
+path:  platform/workloads/coulomb/whynot-design/npm-publish
 field: NPM_AUTH_TOKEN
 ```
 
@@ -129,14 +131,14 @@ In the OpenBao UI, open the `platform` KV engine and create or edit the secret
 at:
 
 ```text
-workloads/whynot-design/whynot-design/npm-publish
+workloads/coulomb/whynot-design/npm-publish
 ```
 
 For policies and API checks, the same KV-v2 secret is addressed as:
 
 ```text
-platform/data/workloads/whynot-design/whynot-design/npm-publish
-platform/metadata/workloads/whynot-design/whynot-design/npm-publish
+platform/data/workloads/coulomb/whynot-design/npm-publish
+platform/metadata/workloads/coulomb/whynot-design/npm-publish
 ```
 
 The OpenBao UI path does not include the `data/` or `metadata/` segment. Those
@@ -169,7 +171,7 @@ Send ops-warden only these pointers:
 ```text
 catalog id: whynot-design-npm-publish
 mount: platform
-path: platform/workloads/whynot-design/whynot-design/npm-publish
+path: platform/workloads/coulomb/whynot-design/npm-publish
 field: NPM_AUTH_TOKEN
 oidc login: bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
 policy: workload-kv-read-whynot-design-npm-publish