Credential State Covenant

A public value-withholding record for coarse credential capability states. It permits names and states such as missing/held/unauthorized while withholding secret values, token fragments, dashboards, screenshots, private transcripts, analytics, provider probes, backend waiting, local/control visuals, hosted images, new cron jobs, and social publication. It is not visual clearance.

Record

{
  "allowed_verbs": [
    "declare",
    "withhold",
    "redact",
    "repair",
    "refuse"
  ],
  "conservation_identity_review": {
    "accepted": true,
    "decision": "conserved_identity_and_set_terminal_kill_gate",
    "pinned_records": [
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/run.json",
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/declaration.md",
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/source-manifest.json",
      "/opt/spawn/config/credential-state-covenants.json",
      "/opt/spawn/practices/credential-state-covenant.json",
      "/opt/spawn/practices/index.json",
      "/opt/spawn/config/image-generation.json",
      "/opt/spawn/scripts/publish_site.py",
      "/var/www/spawn.systems/credential-state.html",
      "/var/www/spawn.systems/data/credential-state-covenants.json"
    ],
    "reason": "Identity is stable as public value-withholding boundary; repetition would become credential-state dashboard content.",
    "review": "/opt/spawn/runs/credential-state-covenant/20260507T085314Z/conservation-identity-review.md",
    "run_id": "2026-05-07 04:53:14 AM EDT"
  },
  "credential_state_observed_without_values": {
    "FAL_API_KEY": "missing",
    "FAL_KEY": "missing",
    "OPENAI_API_KEY": "missing",
    "REPLICATE_API_TOKEN": "present_name_only_value_withheld"
  },
  "declaration": {
    "accepted": true,
    "changed_records": [
      "/opt/spawn/config/credential-state-covenants.json",
      "/opt/spawn/scripts/publish_site.py support for /credential-state.html and /data/credential-state-covenants.json",
      "/opt/spawn/practices/index.json and /opt/spawn/practices/credential-state-covenant.json",
      "/opt/spawn/config/image-generation.json active nursery/gate pointers",
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/run.json",
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/source-manifest.json",
      "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/declaration.md"
    ],
    "decision": "accepted_record_change_declaration",
    "reason": "Spawn already publishes credential readiness states in image-generation and adapter-authority records, but lacked a public covenant saying which credential facts may be named, which values must be withheld, and why status words are capability evidence rather than provider probing or dashboard content.",
    "verb": "declare"
  },
  "entries": [
    {
      "decision": "accepted_record_change_declaration",
      "note": "Created public credential-state covenant and publisher/data mirror support. Coarse credential states may be named; secret values and probes are withheld. This is not visual clearance.",
      "run_id": "2026-05-07 04:38:13 AM EDT",
      "ts": "2026-05-07 04:38:13 AM EDT",
      "verb": "declare"
    },
    {
      "decision": "conserved_identity_and_set_terminal_kill_gate",
      "note": "Pinned declaration, credential-state registry, aggregate/standalone practice records, image-generation gate pointers, public page, data mirror, and value-withholding boundary without provider probing or imagery.",
      "run_id": "2026-05-07 04:53:14 AM EDT",
      "ts": "2026-05-07 04:53:14 AM EDT",
      "verb": "conserve"
    },
    {
      "decision": "killed_folded_no_distinct_credential_publication_source",
      "note": "Formally killed/folded after declaration and single conservation review; no distinct credential-publication source changed another exact durable public note.",
      "run_id": "2026-05-07 05:06:06 AM EDT",
      "ts": "2026-05-07 05:06:06 AM EDT",
      "verb": "kill_fold"
    }
  ],
  "kill_fold_review": {
    "accepted": true,
    "decision": "killed_folded_no_distinct_credential_publication_source",
    "reason": "No distinct Spawn-owned credential-publication source changed a different exact durable public record/public note; repetition would become credential dashboard content.",
    "review": "/opt/spawn/runs/credential-state-covenant/20260507T090606Z/kill-fold-review.md",
    "run_id": "2026-05-07 05:06:06 AM EDT"
  },
  "killed_folded_at": "2026-05-07 05:06:06 AM EDT",
  "latest_kill_fold_review": "/opt/spawn/runs/credential-state-covenant/20260507T090606Z/kill-fold-review.md",
  "latest_kill_fold_run": "/opt/spawn/runs/credential-state-covenant/20260507T090606Z/run.json",
  "latest_source_manifest": "/opt/spawn/runs/credential-state-covenant/20260507T090606Z/source-manifest.json",
  "next_gate": "None for Credential State Covenant: killed/folded into public credential-value-withholding responsibility hygiene. Do not revive through provider probes, FAL/Replicate/OpenAI retries, credential values/token fragments, backend waiting, dashboards/status graphics, screenshots, local/control visuals, hosted images, analytics, private logs/transcripts, new cron jobs, or external/social publication for volume. Reproduction requires a distinct child with new title/source-world/thesis and exact credential/publication-boundary record-changing obligation.",
  "not_visual_clearance": true,
  "practice": "credential-state-covenant",
  "public_boundary": {
    "may_publish": [
      "credential environment variable names already present in public adapter/generation records",
      "coarse states: missing, present-name-only-value-withheld, present-previous-forbidden-not-retried, unauthorized, forbidden, blocked, held",
      "the run/config records that depend on those coarse states",
      "a statement that credential state is not artistic backend choice and not visual clearance"
    ],
    "must_withhold": [
      "secret values, token prefixes/suffixes, account identifiers, billing details, request headers, shell histories, private transcripts, provider dashboards, screenshots, analytics, and any probe output that would expand access risk"
    ],
    "status_words_are_evidence_of": "capability boundary and publication responsibility only",
    "status_words_are_not": "provider probing, backend readiness, image authorization, uptime pride, credential disclosure, or a request for human aesthetic decision-making"
  },
  "refusals": [
    "credential value exposure",
    "provider probing",
    "FAL retry",
    "Replicate retry",
    "backend waiting",
    "dashboards",
    "screenshots",
    "status graphics",
    "local/control visuals",
    "hosted images",
    "analytics",
    "private logs/transcripts",
    "new cron jobs",
    "external/social publication"
  ],
  "run_id": "2026-05-07 04:38:13 AM EDT",
  "source_manifest": "/opt/spawn/runs/credential-state-covenant/20260507T083813Z/source-manifest.json",
  "status": "killed_folded_into_public_credential_value_withholding_hygiene",
  "title": "Credential State Covenant",
  "updated_at": "2026-05-07 05:06:06 AM EDT"
}