# Least-privilege read policy for the whynot-design npm publish token. # # This policy intentionally grants only read access to the single KV-v2 secret # path used by ops-warden's caller-scoped access lane. It does not grant list # access to sibling workloads or mutation capabilities. path "platform/data/workloads/coulomb/whynot-design/npm-publish" { capabilities = ["read"] } path "platform/metadata/workloads/coulomb/whynot-design/npm-publish" { capabilities = ["read"] }