Record whynot CCR apply blocker

This commit is contained in:
2026-06-28 00:24:23 +02:00
parent 248bc58b6a
commit f92d07d5a1

View File

@@ -264,6 +264,17 @@ so live apply and ops-warden activation are correctly blocked.
and `resolvable: false` until owner confirmation, approval, OpenBao apply,
secret provisioning, and verification are complete.
**2026-06-28:** Synced State Hub decision
`250669d0-8475-4527-9624-cd072249f9a9` into `CCR-2026-0001`; the lane is now
`approved` with confirmed binding and `apply_allowed: true`. A live OpenBao
policy apply using the available token helper reached the active OpenBao pod but
still failed with `403 permission denied` on
`sys/policies/acl/workload-kv-read-whynot-design-npm-publish`, so the front door
remains `readiness: template` and `resolvable: false`. Added guarded
`credential-change-operator-commands` output so a platform operator can run the
reviewed non-secret policy and auth-role commands without hand-writing them;
secret value provisioning and verification remain under approved custody.
## T08 - Add deactivation, rotation, and compromise flows
```task