fix(contract+ogar): mirror OGAR #110 auth domain + bump workspace Cargo.lock → restore q2 build parity

OGAR PR #110 (2026-06-23, AuthStore class family) added 4 entries to
`ogar_vocab::class_ids::ALL` (auth_store 0x0B01, auth_zitadel 0x0B02,
auth_zanzibar 0x0B03, auth_ory_keto 0x0B04) and a `ConceptDomain::Auth`
variant. The `lance-graph-contract::ogar_codebook` wire-compatible mirror
was not updated when #110 landed — a 4-entry drift sat in main from
2026-06-23 until exposed by q2 #42's pin bump.

The q2 Railway build (against the bumped `302c284` OGAR pin + latest
lance-graph main) fired `lance_graph_ogar::parity::COUNT_FUSE`:
`mirror::CODEBOOK.len() (39) != ogar_vocab::class_ids::ALL.len() (43)`.

Three coordinated fixes:

1. lance-graph-contract: extend `ogar_codebook::CODEBOOK` with the 4
   auth_* entries; add `ConceptDomain::Auth` variant; add `0x0B → Auth`
   to `canonical_concept_domain`; refresh the module-doc count from
   "two domains" → "four domains" (stale since the Health 0x09XX
   promotion).

2. lance-graph-ogar: `parity::domains_agree`'s `matches!()` had explicit
   `(O::X, C::X)` arms — needed an `(O::Auth, C::Auth)` arm. Without it,
   the runtime `assert_codebook_parity()` panics with
   "domain disagreement for auth_store (0x0b01)".

3. workspace Cargo.lock: bump pinned ogar-vocab / ogar-class-view /
   ogar-ontology / ogar-adapter-surrealql from `08a9c979` → `302c284`
   (current OGAR main, PR #110 merge). 4 references in this lock.
   Safe SHA swap verified: Cargo.toml deps byte-identical between commits.

   (The `crates/lance-graph-ogar/Cargo.lock` own-root lock is gitignored
    and needs the same bump locally; the workspace lock + ogar-vocab
    branch="main" git dep means consumer locks float to the latest commit
    on main — q2 already pins `302c284` which has the parity-compatible
    surface.)

Tests:
  - lance-graph-contract: 9 doctests pass (compile-time fuse passes)
  - lance-graph-ogar lib: 53/53 pass, including
    `parity::tests::mirror_is_a_faithful_copy_of_ogar_codebook`
  - `cargo build -p lance-graph-ogar`: clean

EPIPHANIES.md updated per Mandatory Board-Hygiene Rule with
E-OGAR-AUTH-MIRROR-DRIFT — names the standing reminder that the mirror
must be updated in the SAME commit as any OGAR-side ALL-list extension.

Source-of-finding:
  - q2 Railway build error post-bump (the cross-pin coordination canary)
  - OGAR PR #110 (introduced the drift; merged 2026-06-23)
  - lance-graph #592 (introduced the mirror pattern; the parity guard)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: claude

.claude/board/EPIPHANIES.md

@@ -1,3 +1,78 @@
+## 2026-06-23 — E-OGAR-AUTH-MIRROR-DRIFT — `ogar_codebook` mirror was 4 entries behind OGAR main (the 4 `auth_*` from OGAR #110); also exposed `domains_agree` was missing the `Auth` arm; q2 #42's pin bump surfaced both (q2 #42 → q2 build fail → drift fix)
+
+**Status:** FINDING (build-fail-driven; closes the drift OGAR PR #110 introduced
+and lance-graph never mirrored).
+
+OGAR PR #110 (2026-06-23, `9034170 feat(vocab): mint the 0x0B AuthStore class
+family`) added 4 new entries to `ogar_vocab::class_ids::ALL`:
+`auth_store 0x0B01`, `auth_zitadel 0x0B02`, `auth_zanzibar 0x0B03`,
+`auth_ory_keto 0x0B04`. These also created the `ConceptDomain::Auth` variant
+in OGAR.
+
+`lance-graph-contract::ogar_codebook::CODEBOOK` is the **wire-compatible
+mirror** of OGAR's codebook (per PR #592 the APP-prefix layer joined it). The
+mirror was NOT updated when #110 landed — a 4-entry drift sat in main from
+2026-06-23 until exposed.
+
+**The build that exposed it.** q2 #42 bumped q2's stale OGAR pin (`b6a12a6` →
+`302c284`); after the bump q2's Railway docker build ran `cargo build` against:
+  - lance-graph HEAD (latest main) — mirror had 39 entries (pre-#110)
+  - OGAR `302c284` — `class_ids::ALL` had 43 entries (post-#110)
+  → `lance_graph_ogar::parity::COUNT_FUSE` const-eval-panic.
+
+The local lance-graph build had been masking the drift because lance-graph's own
+Cargo.lock pinned ogar-vocab to `08a9c979` (pre-#110, 39 entries). So
+`mirror == ALL == 39` locally; only the q2-side build (which bumped to
+`302c284`) saw the mismatch.
+
+**Two complementary fixes in this PR:**
+
+1. **Mirror parity** — extend `lance-graph-contract::ogar_codebook::CODEBOOK`
+   with the 4 `auth_*` entries; add `ConceptDomain::Auth` variant; add `0x0B
+   → Auth` to `canonical_concept_domain`; update the module-doc count claim
+   from "two domains" to "four domains".
+2. **`domains_agree` match arm** — `lance_graph_ogar::parity::domains_agree`
+   used a `matches!()` macro with explicit `(O::X, C::X)` arms for each
+   variant; the new `Auth` variant on both sides falls into the default-false
+   bucket. Added `(O::Auth, C::Auth)` arm.
+3. **Cargo.lock OGAR pin** — bumped from `08a9c979` → `302c284` in both the
+   workspace lock and `crates/lance-graph-ogar/Cargo.lock` (own root). 8
+   refs total (4+4). Safe SHA swap verified — Cargo.toml deps for the four
+   OGAR crates (`ogar-vocab`, `ogar-class-view`, `ogar-ontology`,
+   `ogar-adapter-surrealql`) are byte-identical between the two commits.
+
+**Consequences:**
+
+- `lance_graph_ogar::parity::COUNT_FUSE` (compile-time) and
+  `parity::assert_codebook_parity` (runtime) both now agree across both pins.
+- `OdooPort`/`SmbPort`/`WoaPort` from OGAR PR #94 / OGAR PR #588 are also
+  visible at the new pin — see q2 #42 + this PR for the cross-pin
+  coordination. q2's Railway build now passes; the wider consumer surface is
+  also restored.
+
+**Mirror parity should fire IMMEDIATELY on the next OGAR domain mint.** This
+finding is the standing reminder that the lance-graph mirror must be updated
+in the SAME commit as any OGAR-side ALL-list extension. Discovering it
+four-PRs-after-OGAR-landed is the avoidable pattern; the COUNT_FUSE is the
+guardrail when it fires LOCALLY (matching pins). The q2-side build was the
+guardrail that fired this time, two days late.
+
+**Action shipped:**
+- `crates/lance-graph-contract/src/ogar_codebook.rs`: `ConceptDomain::Auth`
+  + `canonical_concept_domain(0x0B) → Auth` + 4 CODEBOOK entries + doc
+  update ("four domains").
+- `crates/lance-graph-ogar/src/lib.rs::domains_agree`: `(O::Auth, C::Auth)`
+  arm.
+- `Cargo.lock` + `crates/lance-graph-ogar/Cargo.lock`: ogar-vocab pin
+  `08a9c979` → `302c284` (8 refs total).
+
+Tests: 9 contract doctests pass; 53/53 lance-graph-ogar lib tests pass
+including `parity::tests::mirror_is_a_faithful_copy_of_ogar_codebook`.
+
+**Source-of-finding:**
+[q2 build error](https://github.com/AdaWorldAPI/q2) (Railway docker run,
+post-q2-#42-bump). Related: OGAR #110, lance-graph #592.
+
 ## 2026-06-21 — E-EQUIVALENCE-IS-THE-CRUX — template-equivalence is the load-bearing verifier of the whole loop; it MUST fail closed, and it rides on transparent Lance versioning (surrealdb #50)
 
 **Status:** FINDING (cross-session feedback, 2026-06-21). Reframing that

Cargo.lock

@@ -54,6 +54,9 @@ pub enum ConceptDomain {
     Ocr,
     /// `0x09XX` — Health (clinical / patient / care; FMA anatomy lives here).
     Health,
+    /// `0x0BXX` — Auth (provider-agnostic IAM; the AuthStore class family).
+    /// Mirrors OGAR `ConceptDomain::Auth` (added in OGAR PR #110).
+    Auth,
     /// Any high-byte slot not yet assigned a domain (`0x03XX`–`0x06XX`, `0x0AXX`+).
     Unassigned,
 }
@@ -71,6 +74,7 @@ pub fn canonical_concept_domain(id: u16) -> ConceptDomain {
         0x07 => ConceptDomain::Osint,
         0x08 => ConceptDomain::Ocr,
         0x09 => ConceptDomain::Health,
+        0x0B => ConceptDomain::Auth,
         _ => ConceptDomain::Unassigned,
     }
 }
@@ -244,11 +248,13 @@ pub const fn classid_concept(classid: u32) -> u16 {
 
 /// The curated `(canonical_concept, u16)` codebook — wire-compatible mirror of
 /// OGAR `ogar_vocab::CODEBOOK`. Ids are stable forever (once shipped, never
-/// re-assigned); domain-encoded `0xDDCC`. Carries the two domains the contract
-/// graph surfaces realize today (project-mgmt `0x01XX`, commerce/ERP `0x02XX`);
-/// OSINT (`0x07XX`) and Health/anatomy (`0x09XX`) are represented by their
-/// [`NodeGuid`](crate::NodeGuid) classid roots, not yet by promoted concept slots here. Drift is
-/// guarded by [`tests::codebook_ids_match_ogar_vocab`].
+/// re-assigned); domain-encoded `0xDDCC`. Carries the four domains the contract
+/// graph surfaces realize today (project-mgmt `0x01XX`, commerce/ERP `0x02XX`,
+/// health `0x09XX`, auth `0x0BXX`); OSINT (`0x07XX`) and OCR (`0x08XX`) are
+/// represented by their [`NodeGuid`](crate::NodeGuid) classid roots, not yet
+/// by promoted concept slots here. Drift is guarded by
+/// [`tests::codebook_ids_match_ogar_vocab`] and the **compile-time**
+/// `lance_graph_ogar::parity::COUNT_FUSE`.
 pub const CODEBOOK: &[(&str, u16)] = &[
     // ── 0x01XX — project-mgmt domain (OpenProject ↔ Redmine) ──
     ("project", 0x0101),
@@ -292,6 +298,16 @@ pub const CODEBOOK: &[(&str, u16)] = &[
     ("treatment", 0x0905),
     ("visit", 0x0906),
     ("vital_sign", 0x0907),
+    // ── 0x0BXX — Auth domain (the AuthStore class family, OGAR keystone §7) ──
+    // Mirrored from OGAR PR #110 (`9034170 feat(vocab): mint the 0x0B AuthStore
+    // class family`). Provider-agnostic IAM: `auth_store` is the base; the
+    // three provider profiles are `is-a` AuthStore + a `claim_grammar`
+    // attribute. Reserved at the codebook layer — enforcement (authorize()
+    // semantics) stays gated on `PROBE-OGAR-RBAC-AUTHORIZE` upstream.
+    ("auth_store", 0x0B01),
+    ("auth_zitadel", 0x0B02),
+    ("auth_zanzibar", 0x0B03),
+    ("auth_ory_keto", 0x0B04),
 ];
 
 /// Resolve a **canonical-concept** string to its stable `u16` codebook id via

crates/lance-graph-contract/src/ogar_codebook.rs

@@ -134,6 +134,7 @@ pub mod parity {
                 | (O::Osint, C::Osint)
                 | (O::Ocr, C::Ocr)
                 | (O::Health, C::Health)
+                | (O::Auth, C::Auth)
                 | (O::Unassigned, C::Unassigned)
         )
     }