72 lines
2.6 KiB
YAML
72 lines
2.6 KiB
YAML
id: CCR-2026-0001
|
|
kind: credential-change-request
|
|
schema_version: 1
|
|
request_type: workload-kv-read
|
|
title: "whynot-design npm publish token lane"
|
|
status: proposed
|
|
created: "2026-06-27"
|
|
updated: "2026-06-27"
|
|
requester:
|
|
agent: ops-warden
|
|
message_id: "551031d1-335e-4db8-9535-820fea52d0a3"
|
|
reason: "Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish token."
|
|
review:
|
|
required: true
|
|
required_approvers:
|
|
- platform-operator
|
|
comments: []
|
|
target:
|
|
domain: financials
|
|
tenant: whynot-design
|
|
workload: whynot-design
|
|
environment: production
|
|
purpose: "npm package publishing through ops-warden caller-scoped fetch/exec"
|
|
openbao:
|
|
mount: platform
|
|
kv_path: platform/workloads/whynot-design/whynot-design/npm-publish
|
|
fields:
|
|
- NPM_AUTH_TOKEN
|
|
policy_name: workload-kv-read-whynot-design-npm-publish
|
|
policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl
|
|
auth:
|
|
method: oidc
|
|
mount: netkingdom
|
|
role: whynot-design-workload-kv-read
|
|
user_claim: sub
|
|
groups_claim: groups
|
|
bound_claims:
|
|
groups:
|
|
- whynot-design
|
|
bound_claims_confirmed: false
|
|
policies:
|
|
- workload-kv-read-whynot-design-npm-publish
|
|
ttl: 15m
|
|
access_frontdoor:
|
|
type: ops-warden
|
|
catalog_id: whynot-design-npm-token
|
|
selector: "npm auth token"
|
|
activation: "draft-until-ccr-verified"
|
|
risk:
|
|
classification: high
|
|
notes:
|
|
- "Grants read access to the credential used to publish npm packages."
|
|
- "The proposed OIDC bound claim must be confirmed before apply."
|
|
- "ops-warden must proxy the read as the caller and must not retain the token value."
|
|
verification:
|
|
positive:
|
|
- "Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao or ops-warden."
|
|
negative:
|
|
- "Non-whynot identity cannot read the path or field."
|
|
activation_conditions:
|
|
- "Policy applied with platform-admin/operator authority."
|
|
- "OIDC role bound to confirmed whynot-design claim or approved service account."
|
|
- "Secret value provisioned directly in OpenBao through approved operator custody."
|
|
- "Positive and negative verification recorded with non-secret audit ids or timestamps."
|
|
lifecycle:
|
|
deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
|
|
rotate: "Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation evidence."
|
|
compromised: "Immediately deactivate access front door, rotate npm token, record blast-radius notes, and open incident follow-up tasks."
|
|
state_hub:
|
|
workplan_id: RAILIANCE-WP-0007
|
|
related_workplan_id: RAILIANCE-WP-0006
|
|
ops_warden_reply_message_id: "b175c561-7858-43f5-a309-949b0dede1b4"
|