148 lines
6.1 KiB
YAML
id: CCR-2026-0001
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: whynot-design npm publish token lane
status: applied
created: '2026-06-27'
updated: '2026-06-28'
requester:
  agent: ops-warden
  message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
  reason: Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish
    token.
review:
  required: true
  required_approvers:
    - platform-operator
  comments:
    - at: '2026-06-27T21:40:22+00:00'
      reviewer: bernd.worsch
      decision: binding_confirmed
      comment: 'Confirmed in chat: groups=whynot-design is the intended KeyCape/NetKingdom
        binding for the whynot-design npm publish lane.'
    - at: '2026-06-27T22:06:18+00:00'
      reviewer: human
      decision: approved
      comment: 'State Hub decision 250669d0-8475-4527-9624-cd072249f9a9: APPROVE: scoped
        path and confirmed binding are acceptable'
    - at: '2026-06-27T22:54:20+00:00'
      reviewer: bernd.worsch
      decision: scope_corrected_requires_review
      comment: Corrected tenant from whynot-design to coulomb per operator clarification.
        The previous approval covered platform/workloads/whynot-design/whynot-design/npm-publish
        and must not be reused for the corrected platform/workloads/coulomb/whynot-design/npm-publish
        scope.
    - at: '2026-06-27T23:23:19+00:00'
      reviewer: human
      decision: approved
      comment: 'State Hub decision e6381a56-6b04-4fd5-b2de-f3ef59cde888: APPROVE: We
        fixed the path using coulomb as the org/tenant.'
target:
  domain: financials
  tenant: coulomb
  workload: whynot-design
  environment: production
  purpose: npm package publishing through ops-warden caller-scoped fetch/exec
openbao:
  mount: platform
  kv_path: platform/workloads/coulomb/whynot-design/npm-publish
  fields:
    - NPM_AUTH_TOKEN
  policy_name: workload-kv-read-whynot-design-npm-publish
  policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl
auth:
  method: oidc
  mount: netkingdom
  role: whynot-design-workload-kv-read
  allowed_redirect_uris:
    - https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
    - http://localhost:8250/oidc/callback
    - http://127.0.0.1:8250/oidc/callback
  oidc_scopes:
    - openid
    - profile
    - email
    - groups
  user_claim: sub
  groups_claim: groups
  bound_claims:
    groups:
      - whynot-design
  bound_claims_confirmed: true
  policies:
    - workload-kv-read-whynot-design-npm-publish
  ttl: 15m
access_frontdoor:
  type: ops-warden
  catalog_id: whynot-design-npm-publish
  selector: npm publish token
  command: warden access whynot-design-npm-publish --exec -- npm publish
  resolvable: false
  readiness: applied-pending-verify
  activation: pending-positive-and-negative-caller-verification
risk:
  classification: high
  notes:
    - Grants read access to the credential used to publish npm packages.
    - Uses a publish-specific catalog id; a future read-only npm token must use a separate
      catalog id.
    - The OIDC bound claim was confirmed in review; re-confirm if the claim changes.
    - ops-warden must proxy the read as the caller and must not retain the token value.
verification:
  positive:
    - Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao
      or ops-warden.
  negative:
    - Non-whynot identity cannot read the path or field.
  activation_conditions:
    - Policy applied with platform-admin/operator authority.
    - OIDC role bound to confirmed whynot-design claim or approved service account.
    - Secret value provisioned directly in OpenBao through approved operator custody.
    - Positive and negative verification recorded with non-secret audit ids or timestamps.
  evidence:
    - at: '2026-06-28T10:37:42+00:00'
      actor: codex
      kind: non_secret_openbao_apply_check
      result: passed
      details:
        - Policy read succeeded for workload-kv-read-whynot-design-npm-publish.
        - OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
        - Metadata read showed catalog-id whynot-design-npm-publish.
        - Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
    - at: '2026-06-28T11:20:06+00:00'
      actor: codex
      kind: non_secret_oidc_role_correction
      result: applied
      details:
        - Positive login reported missing groups claim because the role did not request the groups scope.
        - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
        - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
    - at: '2026-06-28T14:01:47+00:00'
      actor: codex
      kind: non_secret_identity_group_check
      result: applied
      details:
        - Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
        - Live LLDAP group inventory did not contain whynot-design before this check.
        - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
        - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
    evidence.
  compromised: Immediately deactivate access front door, rotate npm token, record
    blast-radius notes, and open incident follow-up tasks.
state_hub:
  workplan_id: RAILIANCE-WP-0007
  related_workplan_id: RAILIANCE-WP-0006
  ops_warden_reply_message_id: b175c561-7858-43f5-a309-949b0dede1b4
  ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
  superseded_decision_id: 250669d0-8475-4527-9624-cd072249f9a9
  superseded_decision_resolved_at: '2026-06-27T22:04:32.956077Z'
  superseded_decision_reason: tenant/workload scope corrected before secret provisioning
  decision_id: e6381a56-6b04-4fd5-b2de-f3ef59cde888
  decision_api_url: http://127.0.0.1:8000/decisions/e6381a56-6b04-4fd5-b2de-f3ef59cde888
  decision_dashboard_url: http://127.0.0.1:3000/decisions
  decision_resolved_at: '2026-06-27T23:16:21.905924Z'