id: CCR-2026-0001 kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: "whynot-design npm publish token lane" status: proposed created: "2026-06-27" updated: "2026-06-27" requester: agent: ops-warden message_id: "551031d1-335e-4db8-9535-820fea52d0a3" reason: "Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish token." review: required: true required_approvers: - platform-operator comments: [] target: domain: financials tenant: whynot-design workload: whynot-design environment: production purpose: "npm package publishing through ops-warden caller-scoped fetch/exec" openbao: mount: platform kv_path: platform/workloads/whynot-design/whynot-design/npm-publish fields: - NPM_AUTH_TOKEN policy_name: workload-kv-read-whynot-design-npm-publish policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl auth: method: oidc mount: netkingdom role: whynot-design-workload-kv-read user_claim: sub groups_claim: groups bound_claims: groups: - whynot-design bound_claims_confirmed: false policies: - workload-kv-read-whynot-design-npm-publish ttl: 15m access_frontdoor: type: ops-warden catalog_id: whynot-design-npm-token selector: "npm auth token" activation: "draft-until-ccr-verified" risk: classification: high notes: - "Grants read access to the credential used to publish npm packages." - "The proposed OIDC bound claim must be confirmed before apply." - "ops-warden must proxy the read as the caller and must not retain the token value." verification: positive: - "Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao or ops-warden." negative: - "Non-whynot identity cannot read the path or field." activation_conditions: - "Policy applied with platform-admin/operator authority." - "OIDC role bound to confirmed whynot-design claim or approved service account." - "Secret value provisioned directly in OpenBao through approved operator custody." - "Positive and negative verification recorded with non-secret audit ids or timestamps." lifecycle: deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy." rotate: "Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation evidence." compromised: "Immediately deactivate access front door, rotate npm token, record blast-radius notes, and open incident follow-up tasks." state_hub: workplan_id: RAILIANCE-WP-0007 related_workplan_id: RAILIANCE-WP-0006 ops_warden_reply_message_id: "b175c561-7858-43f5-a309-949b0dede1b4"