Doctrine

ORA-2026-0126 - Auth blockers must name the product boundary

Tags: credentials, fleet, queue, blockers, naming, orbit-dormancy


Rule

An actionable STATE: BLOCKED post that blocks on auth, credentials, grants, secrets, IAM, OAuth, DWD, API keys, 401, or 403 must carry a no-secret auth taxonomy block at the write site. "Auth is missing" is not a blocker; it is an unclassified symptom.

The blocker must answer: what product lane owns the runtime need, what provider domain is involved, what account label is expected, where the credential/grant lives, what state the grant is in, when that state was validated, and what the next safe action is.

Required Block

Use these exact labels in the body of the blocked actionable post:

AUTH_BLOCKER_CLASS: wrong_loader
PRODUCT_LANE: CAMBER
SERVICE: openai.com
ACCOUNT: CAMBER_OPENAI_API_KEY
SOURCE_SURFACE: Keychain service=openai.com account=CAMBER_OPENAI_API_KEY
STATE_OF_GRANT: ACTIVE
LAST_VALIDATED: 2026-05-02
NEXT_SAFE_ACTION: point the Camber loader at the scoped Camber credential; do not print values

Allowed classes:

  • missing_grant
  • stale_secret
  • wrong_loader
  • dormant_orbit
  • encrypted_secret_source
  • true_operator_secret_action
  • auth_present_wrong_scope

For AUTH_BLOCKER_CLASS: dormant_orbit, also include:

ORBIT_REACTIVATION: no

Product Boundary

Product auth belongs to the product. Camber runtime auth is Camber auth. Heartwood runtime auth is Heartwood auth. HCB business connectors use hcb-* names. Orbit auth is only for Orbit coordination, dormancy, history, and registry proof.

Orbit must not become the implicit shared credential substrate for Camber or Heartwood. If a Camber or Heartwood blocker points at an Orbit loader, Orbit service account, Orbit-named key, or Orbit Cloud Run surface, the blocker class is usually wrong_loader, dormant_orbit, or auth_present_wrong_scope; it is not automatically Chad work.

No-Secret Reporting

Do not print secret values in feed posts, proof packets, or commits. Report the provider domain, account label, source surface, state, and validation proof. A last-four-characters checksum may be used only when the surrounding surface already treats it as non-secret validation metadata.

Forbidden labels in auth blockers include SECRET_VALUE, TOKEN_VALUE, KEY_VALUE, PASSWORD_VALUE, PRIVATE_KEY, RAW_SECRET, and BEARER_TOKEN.

Enforcement

feed-append validates proposed actionable posts through fleet-active-queue --validate-proposed. ORA-1961 extends that path so future STATE: BLOCKED auth/credential posts fail before write when they lack the taxonomy block or include secret-looking values.

The gate is intentionally narrow: generic blocked work that only says "no secret mutation" in a boundary line is not an auth blocker. The gate fires on explicit auth/credential blocker language or on an explicit AUTH_BLOCKER_CLASS: line.
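As an added illustration of the gate described in this section (example code, not the fleet-active-queue or ORA-1961 implementation), a small Python validator that applies the doctrine's rules to a proposed post body: the STATE: BLOCKED trigger, the narrow auth-language gate, the required labels, the allowed classes, the dormant_orbit rider, the forbidden labels, and a secret-looking-value check. The blocker-language phrasing and the secret-looking heuristic are assumptions of this example, not definitions from the doctrine.

```python
import re
# Exact labels required by ORA-2026-0126 in every auth blocker.
REQUIRED_LABELS = ("AUTH_BLOCKER_CLASS", "PRODUCT_LANE", "SERVICE", "ACCOUNT",
                   "SOURCE_SURFACE", "STATE_OF_GRANT", "LAST_VALIDATED", "NEXT_SAFE_ACTION")
ALLOWED_CLASSES = {"missing_grant", "stale_secret", "wrong_loader", "dormant_orbit",
                   "encrypted_secret_source", "true_operator_secret_action", "auth_present_wrong_scope"}
FORBIDDEN_LABELS = ("SECRET_VALUE", "TOKEN_VALUE", "KEY_VALUE", "PASSWORD_VALUE",
                    "PRIVATE_KEY", "RAW_SECRET", "BEARER_TOKEN")
# Assumed phrasing for "explicit auth/credential blocker language": a blocking verb next to
# one of the rule's terms. "no secret mutation" has no such verb, so it does not fire the gate.
_TERMS = r"(?:auth|credentials?|grants?|secrets?|IAM|OAuth|DWD|API keys?|401|403)"
_VERBS = r"(?:blocked on|blocks on|missing|needs?|lacks?|waiting (?:on|for))"
AUTH_BLOCKER_LANGUAGE = re.compile(
    rf"\b(?:{_VERBS}\s+(?:\w+\s+){{0,3}}{_TERMS}|{_TERMS}\s+(?:is|are)\s+missing)\b", re.I)
# Assumed heuristic for secret-looking values: bearer tokens, sk- key prefixes, long opaque runs.
SECRET_LOOKING = re.compile(r"Bearer\s+[A-Za-z0-9._\-]{16,}|\bsk-[A-Za-z0-9]{16,}|[A-Za-z0-9+/=_\-]{40,}")

def parse_labels(body):
    """Collect LABEL: value lines from a post body (a later duplicate label wins)."""
    labels = {}
    for line in body.splitlines():
        m = re.match(r"^\s*([A-Z_]+):\s*(.*)$", line)
        if m:
            labels[m.group(1)] = m.group(2).strip()
    return labels

def validate_proposed(body):
    """Return the list of violations; an empty list means the post may be written."""
    labels = parse_labels(body)
    if labels.get("STATE") != "BLOCKED":
        return []
    # Narrow gate: an explicit class line or explicit auth/credential blocker language.
    if "AUTH_BLOCKER_CLASS" not in labels and not AUTH_BLOCKER_LANGUAGE.search(body):
        return []
    violations = [f"missing label {lbl}" for lbl in REQUIRED_LABELS if lbl not in labels]
    cls = labels.get("AUTH_BLOCKER_CLASS")
    if cls is not None and cls not in ALLOWED_CLASSES:
        violations.append(f"unknown AUTH_BLOCKER_CLASS {cls}")
    if cls == "dormant_orbit" and "ORBIT_REACTIVATION" not in labels:
        violations.append("dormant_orbit requires ORBIT_REACTIVATION")
    violations += [f"forbidden label {lbl}" for lbl in FORBIDDEN_LABELS if lbl in labels]
    if SECRET_LOOKING.search(body):
        violations.append("secret-looking value in body")
    return violations

# Constructed sample: the doctrine's required block as a proposed BLOCKED post (compliant).
SAMPLE_POST = "\n".join(["STATE: BLOCKED", "AUTH_BLOCKER_CLASS: wrong_loader", "PRODUCT_LANE: CAMBER",
    "SERVICE: openai.com", "ACCOUNT: CAMBER_OPENAI_API_KEY", "STATE_OF_GRANT: ACTIVE", "LAST_VALIDATED: 2026-05-02",
    "SOURCE_SURFACE: Keychain service=openai.com account=CAMBER_OPENAI_API_KEY",
    "NEXT_SAFE_ACTION: point the Camber loader at the scoped Camber credential; do not print values"])
```

Running validate_proposed on SAMPLE_POST returns an empty list; a BLOCKED post that only says "blocked on auth" returns one missing-label violation per required label.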

Origin

On 2026-05-02, the fleet found several active blockers that looked like "missing auth" but lived at different boundaries: a Camber shadow run succeeded once the local loader used the scoped Camber OpenAI Keychain entry; a Camber Supabase edge secret remained stale separately from that local success; a Heartwood Basic auth issue needed encrypted-source/registry clarity; and an Orbit Cloud Run IAM blocker risked pulling dormant Orbit back into the product-auth path. The shared failure was not one secret. The shared failure was blocker language that did not name what kind of auth boundary it had reached.