Record whynot CCR apply blocker

workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md

@@ -264,6 +264,17 @@ so live apply and ops-warden activation are correctly blocked.
 and `resolvable: false` until owner confirmation, approval, OpenBao apply,
 secret provisioning, and verification are complete.
 
+**2026-06-28:** Synced State Hub decision
+`250669d0-8475-4527-9624-cd072249f9a9` into `CCR-2026-0001`; the lane is now
+`approved` with confirmed binding and `apply_allowed: true`. A live OpenBao
+policy apply using the available token helper reached the active OpenBao pod but
+still failed with `403 permission denied` on
+`sys/policies/acl/workload-kv-read-whynot-design-npm-publish`, so the front door
+remains `readiness: template` and `resolvable: false`. Added guarded
+`credential-change-operator-commands` output so a platform operator can run the
+reviewed non-secret policy and auth-role commands without hand-writing them;
+secret value provisioning and verification remain under approved custody.
+
 ## T08 - Add deactivation, rotation, and compromise flows
 
 ```task