## Context
The access key audit (2026-04-23) found three competing naming conventions in Abadar, with 42% of credentials untagged. Agents are writing widely varying names because nothing validates input at the write path.
## Scope
Add validation to `abadar.py cmd_write()` to enforce naming conventions before data hits the database:
1. **Regex gate in cmd_write()** — reject any name that doesn't match the `[provider]_[role/project]_[field]` pattern. The agent gets a clear error with the expected format.
2. **Allowed-prefix registry in meta table** — store approved provider prefixes (google, aws, dropbox, oracle, etc.). Write function checks first segment against registry. Unknown prefix = rejected with "unrecognized provider, ask Artificer to register."
3. **SQLite CHECK constraint on name column** — belt-and-suspenders enforcement at the DB level for direct SQL writes.
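The three layers above, sketched together as an added example (not Abadar's own code). The schema, the `provider_prefix` meta key, `write_credential()` and the exact-three-segment reading of the pattern are assumptions made for illustration:

```python
import re
import sqlite3

# Assumed reading of provider_role/project_field: exactly three lowercase
# alphanumeric segments, the first starting with a letter.
NAME_RE = re.compile(r"[a-z][a-z0-9]*_[a-z0-9]+_[a-z0-9]+")

SCHEMA = """
CREATE TABLE meta (key TEXT NOT NULL, value TEXT NOT NULL, PRIMARY KEY (key, value));
CREATE TABLE credentials (
    name TEXT NOT NULL PRIMARY KEY CHECK (
        name NOT GLOB '*[^a-z0-9_]*'    -- only lowercase letters, digits, underscore
        AND name GLOB '[a-z]*_?*_?*'    -- letter first, two separators, no empty segment
        AND name NOT GLOB '*_*_*_*'     -- no fourth segment
    ),
    secret TEXT NOT NULL
);
"""

class NameRejected(ValueError):
    """Raised before any SQL write runs, so the caller sees the expected format."""

def open_db(prefixes, path=":memory:"):
    # Hypothetical schema; the real Abadar tables are not shown on this page.
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO meta VALUES ('provider_prefix', ?)", [(p,) for p in prefixes])
    db.commit()
    return db

def write_credential(db, name, secret):
    """Stand-in for cmd_write(): regex gate, registry lookup, then insert."""
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not NAME_RE.fullmatch(name):
        raise NameRejected(f"{name!r}: expected provider_role-or-project_field, "
                           "lowercase, three segments")
    prefix = name.split("_", 1)[0]
    known = db.execute("SELECT 1 FROM meta WHERE key = 'provider_prefix' AND value = ?",
                       (prefix,)).fetchone()
    if known is None:
        raise NameRejected(f"{prefix!r}: unrecognized provider, ask Artificer to register")
    with db:  # commit on success, roll back on error
        db.execute("INSERT INTO credentials (name, secret) VALUES (?, ?)", (name, secret))
```

A SQLite CHECK constraint cannot contain a subquery, so the database layer enforces only the name's shape; the prefix registry is enforced by the write function alone.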
## Prerequisites
- Standardize existing names first (rename the 10 short-format entries, consolidate l-space/lspace prefix)
- Batch metadata update on the 44 untagged entries
- Migrate 7 unique Meteon entries into Abadar, then archive Meteon
## Reference
- Audit report: `dev/gsc/kee spree/access-key-audit-2026-04-23.md`
- Abadar source: `library/0-system/credentials/abadar.py`
- Meteon source: `forge1/meteon.py`