ORA-2026-0050: orbit-mcp-runtime SA misnomer and cross-domain ownership

Tags: credentials, service-account, naming

Observation

GCP service account orbit-mcp-runtime@orbitmcp.iam.gserviceaccount.com lives in GCP project orbitmcp (Orbit-domain), but its actual function is impersonating HCB Google Workspace users (primary: admin@heartwoodcustombuilders.com) for Gmail operations consumed by the Camber financial pipeline.

This is a hermetic-separation violation at three levels:

1. Naming (ORA-2026-0002 violation)

The SA is named orbit-mcp-runtime. Per ORA-2026-0002, shared business connectors use hcb- names. This SA should be hcb-gmail-runtime (or a similar hcb- name), since it serves HCB Google Workspace, not the Orbit coordination substrate.

2. GCP project ownership (three-domain violation)

The SA lives in GCP project orbitmcp. Orbit is the AI intelligence domain; it should not own service accounts that impersonate HCB business users. Concretely, anyone holding key-creation or token-creation rights on orbitmcp can mint credentials for this SA and, through its domain-wide delegation, act as admin@heartwoodcustombuilders.com, so the blast radius of Orbit-project IAM reaches into HCB mailboxes. The SA should live in a dedicated hcbmcp project (or another HCB-owned project) to maintain domain separation.

3. Billing

The SA is likely billed to the camberzero.com GCP account while the work it performs is HCB-scoped. Costs may be hitting the wrong entity.
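The naming and ownership checks above generalize to the whole SA roster. The following is an added example (not code from this entry or from any Orbit, Camber or HCB tooling) that lints a list of service accounts against the two rules: a connector that impersonates HCB Workspace users must carry the hcb- prefix (ORA-2026-0002) and must live in an HCB-owned project. The inventory it runs over is constructed: the page gives only orbit-mcp-runtime's project and delegated domain, so the project and delegation of the other entries, and the hcbmcp project itself, are assumptions made to exercise the checks.

```python
"""Roster lint for the three-domain doctrine (naming + project ownership).

Added example, not part of ORA-2026-0050 or any Orbit/Camber/HCB code.
Everything in ROSTER except the orbit-mcp-runtime entry is a constructed
assumption: the real roster lists names only, not projects or delegations.
"""
from dataclasses import dataclass
from typing import Optional

# GCP project -> doctrine domain. orbitmcp is on the page; hcbmcp is the
# hypothetical HCB-owned project the entry proposes.
PROJECT_DOMAIN = {"orbitmcp": "orbit", "hcbmcp": "heartwood"}

# Workspace domain an SA impersonates -> (doctrine domain that owns the
# work, required SA name prefix per ORA-2026-0002).
WORKSPACE_OWNER = {"heartwoodcustombuilders.com": ("heartwood", "hcb-")}

SA_SUFFIX = ".iam.gserviceaccount.com"


@dataclass(frozen=True)
class ServiceAccount:
    email: str                        # full SA email
    delegated_domain: Optional[str]   # Workspace domain it impersonates, if any


def parse_sa_email(email: str) -> tuple[str, str]:
    """Split name@project.iam.gserviceaccount.com into (name, project)."""
    name, _, host = email.partition("@")
    if not name or not host.endswith(SA_SUFFIX):
        raise ValueError(f"not a GCP service-account email: {email}")
    return name, host[: -len(SA_SUFFIX)]


def lint(sa: ServiceAccount) -> list[str]:
    """Return doctrine findings for one SA; an empty list means it is clean."""
    name, project = parse_sa_email(sa.email)
    findings: list[str] = []
    if sa.delegated_domain is None:
        return findings  # no Workspace impersonation: nothing to check
    owner, prefix = WORKSPACE_OWNER.get(sa.delegated_domain, (None, None))
    if owner is None:
        return [f"unknown Workspace domain {sa.delegated_domain}"]
    if not name.startswith(prefix):
        findings.append(
            f"naming: {name} impersonates {sa.delegated_domain} "
            f"but lacks the {prefix} prefix (ORA-2026-0002)"
        )
    project_domain = PROJECT_DOMAIN.get(project)
    if project_domain is None:
        findings.append(f"ownership: project {project} is not mapped to a domain")
    elif project_domain != owner:
        findings.append(
            f"ownership: lives in {project} ({project_domain}) but serves {owner}"
        )
    return findings


def lint_roster(roster: list[ServiceAccount]) -> dict[str, list[str]]:
    """Map each non-compliant SA email to its findings."""
    report: dict[str, list[str]] = {}
    for sa in roster:
        found = lint(sa)
        if found:
            report[sa.email] = found
    return report


# Constructed inventory. Only the first entry's project and delegation are
# stated on the page; the rest are assumptions for illustration.
ROSTER = [
    ServiceAccount("orbit-mcp-runtime@orbitmcp.iam.gserviceaccount.com",
                   "heartwoodcustombuilders.com"),     # the observed SA
    ServiceAccount("hcb-gmail-admin@orbitmcp.iam.gserviceaccount.com",
                   "heartwoodcustombuilders.com"),     # assumed: right name, wrong project
    ServiceAccount("hcb-gcal-zack@hcbmcp.iam.gserviceaccount.com",
                   "heartwoodcustombuilders.com"),     # assumed: compliant
    ServiceAccount("orbit-coord@orbitmcp.iam.gserviceaccount.com",
                   None),                              # assumed: pure Orbit SA, no delegation
]

if __name__ == "__main__":
    for email, findings in lint_roster(ROSTER).items():
        print(email)
        for f in findings:
            print("  -", f)
```

Running it flags orbit-mcp-runtime on both counts, flags the assumed hcb-gmail-admin@orbitmcp entry on ownership only, and reports nothing for the compliant or non-delegating entries. The two lookup tables are the only place the doctrine is encoded, so extending the check to another Workspace domain or project is a one-line change.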

Scope

This is an OBSERVATION, not a migration plan. Per Chad's directive: "stage the observation, not the full migration."

The migration to correct this would involve:

  • Creating a new GCP project for HCB service accounts
  • Creating hcb-gmail-runtime SA in that project
  • Authorizing the new SA's OAuth client ID for domain-wide delegation in the HCB Workspace admin console with the same scopes, then revoking the old SA's client ID (delegation is granted per client ID, so it cannot be moved in place)
  • Updating all MCP surfaces that reference the SA
  • Running parity check across all fleet machines

None of that is in scope for this entry. This entry exists so the violation is documented and discoverable when a migration is prioritized.

Cross-references

  • ORA-2026-0002: hcb-* named-account MCP pattern
  • doctrine_three_domain_separation.md: heartwood=client, camber=process, orbit=AI
  • Current SA roster (per ORA-2026-0002): hcb-gmail-admin, hcb-gmail-zack, hcb-gcal-admin, hcb-gcal-zack