id: CCR-2026-0001 kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: whynot-design npm publish token lane status: active created: '2026-06-27' updated: '2026-07-01' requester: agent: ops-warden message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076 reason: Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish token. review: required: true required_approvers: - platform-operator comments: - at: '2026-06-27T21:40:22+00:00' reviewer: bernd.worsch decision: binding_confirmed comment: 'Confirmed in chat: groups=whynot-design is the intended KeyCape/NetKingdom binding for the whynot-design npm publish lane.' - at: '2026-06-27T22:06:18+00:00' reviewer: human decision: approved comment: 'State Hub decision 250669d0-8475-4527-9624-cd072249f9a9: APPROVE: scoped path and confirmed binding are acceptable' - at: '2026-06-27T22:54:20+00:00' reviewer: bernd.worsch decision: scope_corrected_requires_review comment: Corrected tenant from whynot-design to coulomb per operator clarification. The previous approval covered platform/workloads/whynot-design/whynot-design/npm-publish and must not be reused for the corrected platform/workloads/coulomb/whynot-design/npm-publish scope. - at: '2026-06-27T23:23:19+00:00' reviewer: human decision: approved comment: 'State Hub decision e6381a56-6b04-4fd5-b2de-f3ef59cde888: APPROVE: We fixed the path using coulomb as the org/tenant.' target: domain: financials tenant: coulomb workload: whynot-design environment: production purpose: npm package publishing through ops-warden caller-scoped fetch/exec openbao: mount: platform kv_path: platform/workloads/coulomb/whynot-design/npm-publish fields: - NPM_AUTH_TOKEN policy_name: workload-kv-read-whynot-design-npm-publish policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl auth: method: oidc mount: netkingdom role: whynot-design-workload-kv-read allowed_redirect_uris: - https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback - http://localhost:8250/oidc/callback - http://127.0.0.1:8250/oidc/callback oidc_scopes: - openid - profile - email - groups user_claim: sub groups_claim: groups bound_claims: groups: - whynot-design bound_claims_confirmed: true policies: - workload-kv-read-whynot-design-npm-publish ttl: 15m access_frontdoor: type: ops-warden catalog_id: whynot-design-npm-publish selector: npm publish token command: warden access whynot-design-npm-publish --exec -- npm publish resolvable: true readiness: ready activation: verified-positive-and-negative-caller-verification risk: classification: high notes: - Grants read access to the credential used to publish npm packages. - Uses a publish-specific catalog id; a future read-only npm token must use a separate catalog id. - The OIDC bound claim was confirmed in review; re-confirm if the claim changes. - ops-warden must proxy the read as the caller and must not retain the token value. verification: positive: - Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao or ops-warden. negative: - Non-whynot identity cannot read the path or field. activation_conditions: - Policy applied with platform-admin/operator authority. - OIDC role bound to confirmed whynot-design claim or approved service account. - Secret value provisioned directly in OpenBao through approved operator custody. - Positive and negative verification recorded with non-secret audit ids or timestamps. evidence: - at: '2026-06-28T10:37:42+00:00' actor: codex kind: non_secret_openbao_apply_check result: passed details: - Policy read succeeded for workload-kv-read-whynot-design-npm-publish. - OIDC role read showed the whynot-design bound claim, read policy, and callback URIs. - Metadata read showed catalog-id whynot-design-npm-publish. - Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value. - at: '2026-06-28T11:20:06+00:00' actor: codex kind: non_secret_oidc_role_correction result: applied details: - Positive login reported missing groups claim because the role did not request the groups scope. - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups. - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks. - at: '2026-06-28T14:01:47+00:00' actor: codex kind: non_secret_identity_group_check result: applied details: - Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested. - Live LLDAP group inventory did not contain whynot-design before this check. - Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim. - No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design. - at: '2026-06-28T15:22:29+00:00' actor: bernd.worsch kind: positive_fetch_verification result: passed details: - Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy. - NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null. - The secret value was not printed or recorded. - A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report. - Negative denial verification is still pending; keep the front door non-resolvable until it passes. - at: '2026-06-28T22:06:43+00:00' actor: bernd.worsch kind: negative_denial_verification result: passed details: - platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check. - OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch. - No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded. - at: '2026-06-28T22:08:50+00:00' actor: codex kind: identity_group_restore result: passed details: - Restored platform-root membership in the whynot-design LLDAP group after negative verification. - Verified whynot-design membership contains platform-root and no unexpected additional users. - Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable. - at: '2026-07-01T21:27:20+00:00' actor: credential-change-prod-applier-smoke kind: delegated_metadata_apply result: passed details: - Delegated metadata applier ran as credential-change-prod-applier-smoke using local bao CLI ambient authority. - 'Policy metadata write: sys/policies/acl/workload-kv-read-whynot-design-npm-publish' - 'Auth role metadata write: auth/netkingdom/role/whynot-design-workload-kv-read' - No secret values were read, written, printed, or accepted in argv. lifecycle: deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation evidence. compromised: Immediately deactivate access front door, rotate npm token, record blast-radius notes, and open incident follow-up tasks. state_hub: workplan_id: RAILIANCE-WP-0007 related_workplan_id: RAILIANCE-WP-0006 ops_warden_reply_message_id: b175c561-7858-43f5-a309-949b0dede1b4 ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076 superseded_decision_id: 250669d0-8475-4527-9624-cd072249f9a9 superseded_decision_resolved_at: '2026-06-27T22:04:32.956077Z' superseded_decision_reason: tenant/workload scope corrected before secret provisioning decision_id: e6381a56-6b04-4fd5-b2de-f3ef59cde888 decision_api_url: http://127.0.0.1:8000/decisions/e6381a56-6b04-4fd5-b2de-f3ef59cde888 decision_dashboard_url: http://127.0.0.1:3000/decisions decision_resolved_at: '2026-06-27T23:16:21.905924Z'