# LAB_ACCESS — doors and kitchens (same lab)

This file is **part of the lab**, not a brochure taped on the outside. It answers: *from where you’re standing (browser, sandbox, SSH), how do you get eyes or hands on the same pattern everyone else sees in git?*

**Carried vs waiting:** The **live** Astronomicon may be **software you turn on** when you carry it; **GitHub** is the **waiting layer** — what collaborators read between syncs. When you **connect the real thing**, you push or export so the waiting layer catches up. Edge URLs serve the **last published** state unless you explicitly run always-on infra.

**No secrets in this file** — only **which door expects which kind of credential**, and where humans mint those credentials. The lab is still one object; this page is the **index card in the same filing cabinet**.

**See also:** [RESOURCE_MAP.md](RESOURCE_MAP.md) — Cloudflare / Google / AI subscriptions vs **where the lab actually runs**.  
**Disclosure + cloud boundary (canonical):** [DESIGN_NOTES.md](DESIGN_NOTES.md).  
**Historical source docs:** [_archive_pre_unification/DISCLOSURE_BOUNDARY.md](_archive_pre_unification/DISCLOSURE_BOUNDARY.md), [_archive_pre_unification/CLOUD_AND_THE_DEMON.md](_archive_pre_unification/CLOUD_AND_THE_DEMON.md).

---

## Read vs run (score vs performance)

| You have | What you can do | Needs a VM? |
|----------|-----------------|-------------|
| **Markdown / repo text** | Read, cite, reason about | **No** — fetch raw files or clone |
| **Scripts in the repo** | Execute them | **Yes** — interpreter + deps + often network; many **agent VMs block or cage** this |

Same repo, same lab: **reading** is engaging the artifact as text; **running** is engaging it as process. Nothing in git *starts* a process by itself — a **kitchen** (runtime) has to. Agents without a kitchen still have the **score**.

---

## What “key to the lab machines” means here

**Not:** pasting tokens or private keys into a tracked file (never do that).

**Yes:** one **canonical index** (this file) in the **same** repo that lists:

1. **Which surfaces exist** (edge site, append API, future warp, SSH bastion, etc.).
2. **What credential *type* each surface expects** (Bearer token, SSH key, cloud SA, nothing for public GET).
3. **How a human issues access** (out-of-band: DM / email / calendar — “turn the VM on”).
4. **Where secrets actually live** (see below).

So “key” means **which lock, who cuts the metal** — the metal still does not live in the sheet music.

---

## Where secrets should live (typical)

| Secret / capability | Store it | GitHub’s role |
|---------------------|----------|----------------|
| Worker `WRITE_TOKEN`, API keys | Cloudflare Worker **env** / Secrets | None in repo |
| Deploy or bridge automation | **GitHub Actions secrets** | Encrypted; not visible in files |
| Long-lived SSH / cloud keys | Password manager, hardware, or cloud IAM | **Never** in default branch |
| One-off collaborator access | You issue + rotate | Document *process* here only |

**Optional pattern:** a GitHub Action with **secrets** can act as a **trusted bridge** — the agent never sees the secret; only the workflow runner does, and only for the duration of the job. That is “in GitHub” without “in the tree.”

**Future pattern:** **OIDC** (GitHub → cloud) for short-lived tokens — the cloud trusts the workflow’s identity claims instead of a stored key, so again no long-lived key is committed or stored as a secret.
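The rule above (no tokens or private keys in a tracked file) is only as good as the check that enforces it. The following is an added example, not part of the lab's tooling: a pre-commit guard that scans staged files for credential-shaped content. The regexes, the entropy threshold, and the sample text are all constructed for illustration; the `ghp_` / `github_pat_` prefixes are GitHub's documented token formats, the rest are generic shapes. Placeholders such as `${{ secrets.WRITE_TOKEN }}` and `xxxx…` pass on purpose.

```python
"""Pre-commit guard: refuse to commit anything that looks like a credential.

Added example for LAB_ACCESS.md, not the lab's own code. Install as
.git/hooks/pre-commit (or call scan_staged() from one). Patterns and the
entropy threshold are assumptions; tune them for your repo.
"""
import math
import re
import subprocess
import sys

# Each rule: (kind, compiled regex). Order matters: the first hit on a line wins.
RULES = [
    ("pem-private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("github-token",
     re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b")),
    ("bearer-header",
     re.compile(r"(?i)authorization:\s*bearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    # KEY=value / KEY: value where KEY ends in TOKEN, SECRET, PASSWORD or API_KEY.
    # Group 1 captures the value so it can be entropy-checked.
    ("env-assignment",
     re.compile(r"(?i)\b[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)\s*[=:]\s*['\"]?([A-Za-z0-9._~+/=-]{16,})")),
]


def shannon_entropy(s):
    """Bits per character; 0.0 for placeholders like xxxxxxxx."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text, min_entropy=3.0):
    """Return [(line_number, kind), ...] for lines that look like leaked credentials."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # Assignment-shaped hits need real entropy so `TOKEN=xxxx...` placeholders pass.
            if kind == "env-assignment" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            hits.append((lineno, kind))
            break  # one finding per line is enough to block the commit
    return hits


def scan_staged():
    """Scan files staged for commit (added/copied/modified). Returns {path: hits}."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True,
    ).stdout
    findings = {}
    for path in filter(None, out.decode().split("\0")):
        try:
            text = open(path, encoding="utf-8", errors="replace").read()
        except OSError:
            continue  # deleted or unreadable; nothing to leak
        hits = find_secrets(text)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: what a careless edit to this very file might look like.
SAMPLE = """\
# LAB_ACCESS.md (constructed sample for the example)
WRITE_TOKEN lives in the Worker env, not here.
WRITE_TOKEN=${{ secrets.WRITE_TOKEN }}
Authorization: Bearer <your token>
# a real-looking leak, also constructed:
WRITE_TOKEN=9f2c7b1e4a6d8c0b5e3f7a1d2c4b6e8f
-----BEGIN OPENSSH PRIVATE KEY-----
TOKEN=xxxxxxxxxxxxxxxxxxxxxxxx
export GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(find_secrets(SAMPLE))  # lines 6, 7 and 9 are flagged; 3, 4 and 8 are not
        sys.exit(0)
    found = scan_staged()
    for path, hits in found.items():
        for lineno, kind in hits:
            print(f"{path}:{lineno}: {kind} - rotate it and move it out of the tree", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run with `--demo` to see the sample scanned offline; without arguments it exits non-zero when any staged file matches, which is what a pre-commit hook needs. A hit means the credential is already compromised from the moment it is pushed, so the remedy is rotate first, then rewrite history.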

---

## Surfaces (fill in as you wire them)

| Surface | Read | Write / act | Notes |
|---------|------|-------------|--------|
| **This repo** | Clone / raw URLs | PR / API with PAT (human or bot) | Sovereign *narrative*; not the same as sovereign *runtime* |
| **u-os.dev (Worker)** | `GET /`, `GET /{KEY}` | `GET /{KEY}/{TOOL}/...` and select POST routes | Key-first tool OS + mailbox + scripts + events; see worker README |
| **Home / lab machines** | — | SSH / VPN / tailnet as you choose | Human turns on; [README § Phase 1](../README.md#phase-1-repo-read-write-live-switch-lab-council) “live” indicator |
| **Home beacon** (optional) | `GET /health` | `POST /warp/command` + Bearer | Local [`home_beacon/README.md`](home_beacon/README.md) — same JSON schema as edge; expose via **Cloudflare Tunnel** or **Tailscale Funnel**; **token not in git** |
| **GCP / heavy** | — | APIs you control | Off by default; human-gated |
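The home beacon row above is the one surface where a secret actually gates an action, so here is an added example of the door itself, not the lab's `home_beacon` code. It assumes (labelled in the code) that the token is read from a `BEACON_TOKEN` environment variable, that the command body is `{"command": str, "args": [str, ...]}`, and that only an allowlist of commands is honoured; the real JSON schema lives in the beacon README and the edge Worker. The handler authenticates before it parses the body, compares the token in constant time, keeps `/health` public, and binds to localhost so that Cloudflare Tunnel or Tailscale Funnel is the only way in.

```python
"""Minimal home beacon: public GET /health, bearer-gated POST /warp/command.

Added example for LAB_ACCESS.md, not the lab's home_beacon implementation.
Assumptions: token from the BEACON_TOKEN env var (never from git), body shape
{"command": str, "args": [str, ...]}, allowlisted commands, port 8787.
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_COMMANDS = {"status", "wake", "sync"}   # assumed allowlist
MAX_BODY = 64 * 1024                            # refuse oversized bodies before reading them


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent/other scheme."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def token_matches(presented, expected):
    """Constant-time compare; false when nothing was presented or no token is configured."""
    if not expected or presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle(method, path, headers, body, expected_token):
    """Route one request. Returns (status, response_dict)."""
    if method == "GET" and path == "/health":
        return 200, {"ok": True}                      # public, no credential
    if method == "POST" and path == "/warp/command":
        # Authenticate first: untrusted bodies are never parsed for anonymous callers.
        if not token_matches(bearer_token(headers), expected_token):
            return 401, {"error": "unauthorized"}
        try:
            req = json.loads(body or b"")
            if not isinstance(req, dict):
                raise ValueError("body must be a JSON object")
            command, args = req["command"], req.get("args", [])
        except (ValueError, KeyError):
            return 400, {"error": "bad request"}
        if (not isinstance(command, str) or command not in ALLOWED_COMMANDS
                or not isinstance(args, list) or not all(isinstance(a, str) for a in args)):
            return 403, {"error": "command not allowed"}
        return 202, {"accepted": command, "args": args}
    return 404, {"error": "not found"}


class BeaconHandler(BaseHTTPRequestHandler):
    expected_token = os.environ.get("BEACON_TOKEN")   # assumed variable name; never in git

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY:
            status, payload = 413, {"error": "body too large"}
        else:
            body = self.rfile.read(length) if length else b""
            status, payload = handle(self.command, self.path, self.headers, body,
                                     self.expected_token)
        data = json.dumps(payload).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="beacon"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    if not BeaconHandler.expected_token:
        raise SystemExit("set BEACON_TOKEN in the environment first (not in a tracked file)")
    # Loopback only: reachability comes from the tunnel, not from an open port.
    HTTPServer(("127.0.0.1", 8787), BeaconHandler).serve_forever()
```

With no `BEACON_TOKEN` set the server refuses to start rather than running open, and with one set a missing or wrong header yields 401 before the body is touched. Rotation is then an environment change on the lab machine plus a re-issued credential to the collaborator, with nothing to edit in this file.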

---

## For blocked agent VMs

If the reader **cannot** run code or open arbitrary ports, they can still:

- Read **LAB_ACCESS.md** (this file) and know **what to ask a human for**.
- Read **markdown exports** and **bounty boards** for intent.
- Use **HTTP-only** tools (if allowed) against documented **GET** endpoints.

Execution stays with **a human-approved runtime**, not inside the sandbox.

---

*Update this file when URLs or surfaces change; rotate credentials elsewhere.*
