railiance-platform/credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml

105 lines
4.1 KiB
YAML

id: CCR-2026-0001
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: whynot-design npm publish token lane
status: proposed
created: '2026-06-27'
updated: '2026-06-28'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
reason: Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish
token.
review:
required: true
required_approvers:
- platform-operator
comments:
- at: '2026-06-27T21:40:22+00:00'
reviewer: bernd.worsch
decision: binding_confirmed
comment: 'Confirmed in chat: groups=whynot-design is the intended KeyCape/NetKingdom
binding for the whynot-design npm publish lane.'
- at: '2026-06-27T22:06:18+00:00'
reviewer: human
decision: approved
comment: 'State Hub decision 250669d0-8475-4527-9624-cd072249f9a9: APPROVE: scoped
path and confirmed binding are acceptable'
- at: '2026-06-27T22:54:20+00:00'
reviewer: bernd.worsch
decision: scope_corrected_requires_review
comment: Corrected tenant from whynot-design to coulomb per operator clarification.
The previous approval covered platform/workloads/whynot-design/whynot-design/npm-publish
and must not be reused for the corrected platform/workloads/coulomb/whynot-design/npm-publish
scope.
target:
domain: financials
tenant: coulomb
workload: whynot-design
environment: production
purpose: npm package publishing through ops-warden caller-scoped fetch/exec
openbao:
mount: platform
kv_path: platform/workloads/coulomb/whynot-design/npm-publish
fields:
- NPM_AUTH_TOKEN
policy_name: workload-kv-read-whynot-design-npm-publish
policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl
auth:
method: oidc
mount: netkingdom
role: whynot-design-workload-kv-read
user_claim: sub
groups_claim: groups
bound_claims:
groups:
- whynot-design
bound_claims_confirmed: true
policies:
- workload-kv-read-whynot-design-npm-publish
ttl: 15m
access_frontdoor:
type: ops-warden
catalog_id: whynot-design-npm-publish
selector: npm publish token
command: warden access whynot-design-npm-publish --exec -- npm publish
resolvable: false
readiness: template
activation: draft-until-ccr-verified
risk:
classification: high
notes:
- Grants read access to the credential used to publish npm packages.
- Uses a publish-specific catalog id; a future read-only npm token must use a separate
catalog id.
- The OIDC bound claim was confirmed in review; re-confirm if the claim changes.
- ops-warden must proxy the read as the caller and must not retain the token value.
verification:
positive:
- Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao
or ops-warden.
negative:
- Non-whynot identity cannot read the path or field.
activation_conditions:
- Policy applied with platform-admin/operator authority.
- OIDC role bound to confirmed whynot-design claim or approved service account.
- Secret value provisioned directly in OpenBao through approved operator custody.
- Positive and negative verification recorded with non-secret audit ids or timestamps.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
evidence.
compromised: Immediately deactivate access front door, rotate npm token, record
blast-radius notes, and open incident follow-up tasks.
state_hub:
workplan_id: RAILIANCE-WP-0007
related_workplan_id: RAILIANCE-WP-0006
ops_warden_reply_message_id: b175c561-7858-43f5-a309-949b0dede1b4
ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
superseded_decision_id: 250669d0-8475-4527-9624-cd072249f9a9
superseded_decision_resolved_at: '2026-06-27T22:04:32.956077Z'
superseded_decision_reason: tenant/workload scope corrected before secret provisioning
decision_id: e6381a56-6b04-4fd5-b2de-f3ef59cde888
decision_api_url: http://127.0.0.1:8000/decisions/e6381a56-6b04-4fd5-b2de-f3ef59cde888
decision_dashboard_url: http://127.0.0.1:3000/decisions