---
vault_clearance: EUCLID
---

# BOUNTY BOARD — Project Astronomicon

**Reviewed by:** GitHub Copilot Agent

> **Current Tier: Vault** | **Orthodox Cultivator:** Standard Cloudflare Workers / Vercel Edge Functions | **Target: Consensus**
>
> The field asks: "Can a personal API be a sovereign nervous system?" Our answer: Key-first Pāṇini tool OS with worldline integrity.
>
> **Runtime authority:** solved rows here are historical record; current route/tool truth lives in `u_os_dev/worker/README.md` and `u_os_dev/astronomicon_mcp/README.md`.
>
> **Scaled from LENG workflow (vault README §6).** Read board first; claim before work; on solve, move to SOLVED with id, date, Where, tier.
> **Tiers here:** IMPLEMENTED | DEMONSTRATED | OBSERVATION (or TODO → DONE). Use the same rules as LENG: unique O/S/R ids, Where = script or doc path.
> **Hosted lab (u-os.dev):** current implementation lives in [README.md](README.md) (§ Function, form, potential), [u_os_dev/STATUS.md](u_os_dev/STATUS.md), and [u_os_dev/worker/README.md](u_os_dev/worker/README.md). **Open** rows below are the potential layer; solved rows remain historical record.
> **Vault-wide bounty map:** merged OPEN sections from all project `BOUNTY_BOARD.md` files live in [u_os_dev/VAULT_BOUNTY_DIGEST.md](u_os_dev/VAULT_BOUNTY_DIGEST.md) (regenerate with [u_os_dev/publish_vault_bounty_digest.py](u_os_dev/publish_vault_bounty_digest.py)). An optional D1 copy uses path `08_Project_Astronomicon/VAULT_BOUNTY_DIGEST.md` when you run with `--push` and an operator key (default is write-local only).
> Last updated: 2026-04-01 (MidnightEclipse S10 grandmaster edge mode; Project 23 conductor opened).

---

## SOLVED

| ID | Question | Answer | Solved | Where | Tier |
|----|----------|--------|--------|-------|------|
| S1 | Canonical pipeline folder and no vault bloat | Single folder 15-00; R user library, cached Python venv; install only when deps are missing | 2026-03-14 | Analysis 2026-03-13 15-00/run_portable.R, run_pipeline_portable.py, install_deps.R | IMPLEMENTED |
| S2 | Pipeline design and assumptions documented | Order and rationale (SoupX → scDblFinder → QC, CCA, …) and where assumptions live documented in 15-00 README | 2026-03-14 | Analysis 2026-03-13 15-00/README.md | IMPLEMENTED |
| S3 | Minimal site: one page + one write key | Initial minimal Worker proved the edge path; canonical deploy now runs from `u_os_dev/worker/src/index.js`, and the superseded single-file stub was archived after key-first unification. | 2026-03-18 | u_os_dev/worker/src/index.js, u_os_dev/_archive/worker_surface_cleanup_2026-04-04/UPLOAD_THIS_WORKER.js | IMPLEMENTED |
| S4 | u-os.dev phase stack upgraded to key-first tool OS | Domain now serves key-first capability routes (`/{KEY}/{TOOL}`), role-scoped tool manifest, and strict 401/403 semantics with allowed tool hints. | 2026-03-22 | u_os_dev/worker/src/index.js, u_os_dev/worker/README.md, u_os_dev/worker/wrangler.toml | IMPLEMENTED |
| S5 | Mailbox v1 + split-token lanes hardened | Mail inbox/outbox/ack routes enforce separated read/write tokens and deny invalid capability use with explicit diagnostics. | 2026-03-22 | u_os_dev/worker/src/index.js, u_os_dev/worker/README.md | IMPLEMENTED |
| S6 | Script tool lane + local mirror sync established | `script.write/read/list` added at edge, with local pull sync into vault mirror (`scripts`, `inbox`, shared doc). | 2026-03-22 | u_os_dev/worker/src/index.js, u_os_dev/sync_worker_to_local.py, u_os_dev/local_mirror/ | IMPLEMENTED |
| S7 | Event tool lane added as persistence primitive | Structured thread events (`event.log`, `event.read`) added to tools section for cross-window continuity. | 2026-03-22 | u_os_dev/worker/src/index.js, u_os_dev/worker/README.md | IMPLEMENTED |
| S8 | Astronomicon documentation grand unification | Canonical docs realigned (project entry, warp/deploy in README § Warp, u_os_dev index/status/plan/access), contradictions removed, tracking docs synced. | 2026-03-22 | README.md (§ Warp), u_os_dev/README.md, u_os_dev/STATUS.md, u_os_dev/_archive/u_os_dev_master_plan_fused_into_function_form_potential_2026-04-06/U_OS_DEV_MASTER_PLAN.md, u_os_dev/LAB_ACCESS.md, WORLDLINE.md; superseded splits `_archive/warp_docs_unified_into_readme_2026-03-24/` | IMPLEMENTED |
| S9 | MidnightEclipse Tier B auto runner | Python stdlib CLI: `POST /log` with an invalid Bearer token must not return 200; `GET /?format=md` must return 200; optional `GET /{KEY}/ping`. Wired to SECURITY_GAUNTLET + RED_TEAM_PROTOCOL docs. | 2026-03-19 | u_os_dev/MidnightEclipse/ | IMPLEMENTED |
| S10 | MidnightEclipse grandmaster edge mode + composite conductor | Added `--grandmaster` edge sweep (storm + recovery sequences + safe burst + optional keyed daemon voice) and opened Project 23 as the cross-project conductor for edge + host + vault reality checks. | 2026-04-01 | u_os_dev/MidnightEclipse/; `../23_Project_StormIntoMidnight/` | IMPLEMENTED |

---

## OPEN

| ID | Bounty | Status | Assigned | Impact |
|----|--------|--------|----------|--------|
| O1 | Lock R package versions (renv or conda) | OPEN | — | Reproducibility across machines and time |
| O2 | Add CI (e.g. GitHub Actions) for stress tests | OPEN | — | Catch breakage on config/dep changes |
| O3 | WorldLine + bounty board in sync | OPEN | — | Log runs and method changes; optional OPEN items from session gaps |
| O4 | Add dedicated `/status` route and signed status payload | OPEN | — | Machine-checkable live posture endpoint (edge/home/gcp) |
| O5 | Add `doc.search` and cursor pagination for live read lanes (`mail.read`, `lab.list`, `data.list`) | OPEN | — | Low-token retrieval and scalable AI navigation |
| O6 | Add signed short-lived URL mode (alias + signature) | OPEN | — | Safer key-first ergonomics with reduced URL-leak risk |
| O7 | Add guarded `script.run` queue (enqueue/status/result) for local runner pickup | OPEN | — | Remote execution handoff without running Python in Worker |
| O8 | Add canonical schema endpoint (`/schema.json`) for strict machine contracts | OPEN | — | Stable integration contract for external agents |
| **O9** | **u-os.dev Phase 6: Astronomicon tool** — astronomicon.run or astronomicon.result (run pipeline or return precomputed result); rate-limited; return markdown/summary. | OPEN | — | First project-specific tool |
| O10 | Harden docs + security posture for broader collaborators (token rotation, WAF/rate policy, exposure tiers) | OPEN | — | Onboarding and anti-theft |
| O11 | Complete registry-style mechanism architecture for tools (remove remaining branch-style handlers) | OPEN | — | Full Pāṇini alignment with Daemon node DNA |
| **O13** | **First full coculture pipeline run** — Run R pipeline (SoupX → scDblFinder → QC → integrate → DE → CellChat) with sample_sheet_coculture.csv (raw + filtered); document run and log in WORLDLINE_CURRENT (tier IMPLEMENTED or DEMONSTRATED). | OPEN | — | Reproducible coculture baseline |
| **O14** | **Colab notebook for COLAB_RUN** — Add optional .ipynb in Analysis 15-00 that mounts Drive, installs R + deps, runs run_portable.R with sample_sheet_coculture.csv; link from COLAB_RUN.md. | OPEN | — | One-click Colab run |
| **O15** | **Deploy Worker from GitHub** — Connect repo to Cloudflare (dashboard “Connect to Git” or GitHub Actions with wrangler) so Worker deploys from repo; document in worker/README or u_os_dev. | OPEN | — | Single source of truth; deploy on push |
| **O16** | ~~Tier B security smoke + optional CI~~ | SOLVED (S9) | — | — |
| **O17** | **Bearer / URL exfiltration** — Tests pass but ops can still paste live URLs or log full `Authorization` headers. **Fix:** Document redaction in `worker/README.md` + `LAB_ACCESS.md`; grep CI for example tokens; prefer env-based curl snippets without real secrets. | OPEN | — | Security |
| **O18** | **Constellation Git token scope** — GitHub PAT or app token for the Worker may be broader than “single repo” if misconfigured. **Fix:** Fine-scoped fine-grained PAT or GitHub App installation with minimum repo + permission set; document in `RED_TEAM_PROTOCOL.md` / Constellation row; rotate on staff change. | OPEN | — | Security |
| **O19** | **D1 at-rest story** — Operator trust model for Cloudflare D1 backups/exports is implicit. **Fix:** Document who can export D1, whether exports are allowed, and whether sensitive columns should be encrypted before insert; align with vault root O6/O12. | OPEN | — | Security |
| **O20** | **Rate limit / WAF as code** — Abuse can burn quotas or spam worldline before human notices. **Fix:** WAF rules + rate limits in dashboard-as-code or wrangler bindings; alert on 401/403 spikes; tie to `SECURITY_GAUNTLET` evidence template. | OPEN | — | Ops/Security |
| **O21** | **FORM orthodox edge bar (§E proof)** — Document **Worker + D1** vs one **minimal alternative** (e.g. static + single serverless function elsewhere) on **latency + auth ergonomics** using **test keys only** (no production secret moves). Log p50/p95 + setup notes in `WORLDLINE.md`. Survey: [16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md](../16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md) Chapter 08. **Functional cluster:** same “product-shaped” bar as **O8** (`/schema.json` contract) + **O20** (WAF/rate limits as code). | OPEN | — | HIGH |

---

## RETRACTED / WONTFIX

| ID | What | Why |
|----|------|-----|
| (none yet) | | |

---

## Workflow (same as LENG)

1. **New item:** Add to OPEN with next O-id, status OPEN, Assigned —.
2. **Claim:** Set status IN PROGRESS, put name in Assigned, say where you’ll put scripts.
3. **Solve:** Move to SOLVED with S-id, date, one-line answer, **Where** (path), **Tier** (IMPLEMENTED / DEMONSTRATED / OBSERVATION).
4. **Retract:** Move to RETRACTED with short reason.
5. **Read before write:** Check board for existing O/S/R before adding or claiming.

Session log: **08_Project_Astronomicon/WORLDLINE.md**. When you solve a bounty, add or reference the breakthrough there so board and session stay aligned.
