Add credential lane readiness proposals
This commit is contained in:
parent
815b124ab1
commit
aee0dcefad
13 changed files with 425 additions and 25 deletions
|
|
@ -30,7 +30,7 @@ holding secret values itself.
|
|||
The immediate request is for `whynot-design` to retrieve its npm publish token.
|
||||
The path must be concrete, policy-scoped, and documented so the ops-warden
|
||||
catalog can replace the current unresolved template path with a live
|
||||
`whynot-design-npm-token` entry.
|
||||
`whynot-design-npm-publish` entry.
|
||||
|
||||
No task in this workplan may paste, commit, log, or send secret values through
|
||||
Git, State Hub, chat, prompts, or workplan text.
|
||||
|
|
@ -47,7 +47,7 @@ Ops-warden message `551031d1-335e-4db8-9535-820fea52d0a3` asks
|
|||
- the flex-auth policy reference, if pre-approval is required.
|
||||
|
||||
Once these pointers are live, ops-warden will add a dedicated
|
||||
`whynot-design-npm-token` access catalog entry and a playbook, then notify
|
||||
`whynot-design-npm-publish` access catalog entry and a playbook, then notify
|
||||
whynot-design.
|
||||
|
||||
## Proposed Contract
|
||||
|
|
@ -248,7 +248,7 @@ Acceptance:
|
|||
|
||||
- The State Hub reply to ops-warden includes only path, field, KV mount,
|
||||
OIDC role, policy name/path, optional flex-auth ref, and runbook location.
|
||||
- Ops-warden confirms the `whynot-design-npm-token` catalog entry no longer
|
||||
- Ops-warden confirms the `whynot-design-npm-publish` catalog entry no longer
|
||||
contains unresolved placeholders.
|
||||
- `warden access "npm auth token" --fetch` or the agreed exact selector resolves
|
||||
to the whynot-design lane and proxies the read as the caller.
|
||||
|
|
@ -281,10 +281,11 @@ Acceptance:
|
|||
- If batching is deferred, notify ops-warden that this workplan will deliver
|
||||
whynot-design first and leave the sibling entries for separate planning.
|
||||
|
||||
**2026-06-27:** Deferred sibling lanes (`issue-core-ingestion-api-key` and
|
||||
`openrouter-llm-connect`) so the whynot-design npm token request can be serviced
|
||||
first. They should get concrete tasks or a follow-up workplan after this access
|
||||
lane pattern is validated.
|
||||
**2026-06-27:** Initially deferred sibling lanes (`issue-core-ingestion-api-key`
|
||||
and `openrouter-llm-connect`) so the whynot-design npm token request could be
|
||||
serviced first. The later ops-warden batch follow-up is now represented as
|
||||
proposed CCRs in `RAILIANCE-WP-0007`, still unapproved and unresolvable until
|
||||
human review and verification.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
|
|
@ -294,5 +295,5 @@ lane pattern is validated.
|
|||
ops-warden without ops-warden storing the value.
|
||||
- Unauthorized reads are denied.
|
||||
- ops-warden has enough non-secret pointers to activate
|
||||
`whynot-design-npm-token`.
|
||||
`whynot-design-npm-publish`.
|
||||
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue